The Situation

As a large financial services organisation, Royal London managed sensitive financial data and high-risk transaction flows. Despite ongoing investments, cyber controls were fragmented across legacy applications, identity models varied between business units, and audit findings highlighted gaps in access governance, endpoint protection and incident response readiness. Executives were concerned about regulatory exposure, reputational risk and the potential financial impact of an incident.

The Task

Lead a security uplift programme that improved technical controls, tightened governance, and built confidence with auditors and regulators. The goal was not just tooling — but cultural change: giving the organisation a clear, consistent security posture, measurable KPIs, and confidence that risk was owned and managed, not delegated.

The Action / Approach

  • Brought together CIO, CRO, CISO, Audit, Operations and platform leaders to agree a single security roadmap, prioritised by business risk, customer impact and regulatory deadlines.

  • Standardised identity and access management using unified RBAC, MFA, conditional access and automated entitlement reviews across thousands of users.

  • Deployed endpoint hardening and security telemetry at scale, integrating signals into a central SIEM with real-time alerting and automated isolation.

  • Introduced security-as-code into CI/CD pipelines to enforce container scanning, SAST/DAST, dependency checks and policy gates before production deployment.

  • Ran executive tabletop exercises and red-team scenarios with Operations and Risk committees to test incident response readiness and communication playbooks.

  • Published monthly security KPIs (patching, vulnerabilities, access exceptions, audit actions, incident root causes) to give executives clear visibility of progress and residual risk.

  • Worked collaboratively — not defensively — with auditors and regulators to demonstrate control maturity and evidence continuous improvement.
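The policy-gate and KPI bullets above name the techniques without showing what a gate actually decides on. The following is an added illustration, not code from the Royal London programme: a small Python gate that merges container, SAST and dependency findings, fails the pipeline when the policy ceiling is breached or a mandatory scanner produced no report, and emits per-severity counts of the kind a monthly vulnerability KPI would consume. The finding schema, the policy thresholds, the waiver rule for unfixable dependency findings and the sample findings (placeholder identifiers, not real advisories) are all assumptions made for the example.

```python
"""CI/CD policy gate: decide from aggregated scanner findings whether a build
may be promoted to production.

Added illustration only; it is not Royal London's code. The finding schema,
thresholds and sample findings below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    source: str            # which scanner raised it: container, sast, dast, dependency
    severity: str          # one of SEVERITIES
    identifier: str        # rule id or advisory id (placeholders in the sample data)
    fixed_version: str | None = None  # dependency findings: version that fixes it, if any


@dataclass(frozen=True)
class GateResult:
    passed: bool
    reasons: tuple         # human-readable reasons the gate failed (empty if it passed)
    counts: dict           # findings per severity, for the KPI feed


# Assumed policy, not taken from the page: no critical or high findings may ship,
# every mandatory scanner must have produced a report, and a high-severity
# dependency finding with no fixed version available may be waived (it is
# still counted and reported, just not blocking).
DEFAULT_POLICY = {
    "max_allowed": {"critical": 0, "high": 0},
    "required_sources": frozenset({"container", "sast", "dependency"}),
    "waive_unfixable_dependency_high": True,
}


def is_blocking(finding: Finding, policy=DEFAULT_POLICY) -> bool:
    """True if this single finding should fail the gate under the policy."""
    if finding.severity not in policy["max_allowed"]:
        return False  # medium/low are reported but never block
    waivable = (
        policy["waive_unfixable_dependency_high"]
        and finding.severity == "high"
        and finding.source == "dependency"
        and finding.fixed_version is None
    )
    return not waivable


def evaluate_gate(findings, sources_run, policy=DEFAULT_POLICY) -> GateResult:
    """Aggregate findings from all scanners and return a GateResult.

    sources_run: the set of scanners that actually produced a report. A scanner
    that silently did not run is treated as a failure, so a broken pipeline
    step cannot pass the gate by reporting nothing.
    """
    reasons = []
    missing = policy["required_sources"] - set(sources_run)
    if missing:
        reasons.append("required scanners produced no report: " + ", ".join(sorted(missing)))

    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f.severity] += 1

    # Compare blocking counts per severity against the policy ceiling.
    blocking = [f for f in findings if is_blocking(f, policy)]
    for sev, ceiling in policy["max_allowed"].items():
        hits = [f for f in blocking if f.severity == sev]
        if len(hits) > ceiling:
            ids = ", ".join(f"{f.source}:{f.identifier}" for f in hits)
            reasons.append(f"{len(hits)} blocking {sev} finding(s) exceed limit {ceiling}: {ids}")

    return GateResult(passed=not reasons, reasons=tuple(reasons), counts=counts)


# Constructed sample: identifiers are placeholders, not real advisories.
SAMPLE_SOURCES_RUN = {"container", "sast", "dependency"}
SAMPLE_FINDINGS = [
    Finding("container", "critical", "EXAMPLE-BASE-IMAGE-1"),
    Finding("sast", "medium", "EXAMPLE-RULE-SQLI-1"),
    Finding("dependency", "high", "EXAMPLE-LIB-A", fixed_version=None),    # waived: no fix exists
    Finding("dependency", "high", "EXAMPLE-LIB-B", fixed_version="2.4.1"), # blocks: fix available
    Finding("dependency", "low", "EXAMPLE-LIB-C", fixed_version="1.0.2"),
]


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_SOURCES_RUN)
    print("GATE", "PASSED" if result.passed else "FAILED")
    for reason in result.reasons:
        print(" -", reason)
    print("counts:", result.counts)
    raise SystemExit(0 if result.passed else 1)  # non-zero exit fails the pipeline stage
```

Two design points carry over to a real gate: the set of scanners that ran is an input in its own right, so a scanner that crashes or is skipped cannot pass the build by producing no findings; and a waiver (here, a high dependency finding with no fix available) suppresses the block but not the count, so the exception still shows up in the KPI feed rather than disappearing.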

The Result

  • Improved audit readiness by 70%, closing multiple high-risk findings and avoiding regulatory escalation.

  • Reduced critical vulnerabilities by 50% through automated scanning and standardised patch workflows.

  • Shortened incident response and containment time by 40%, due to real-time telemetry and automated isolation.

  • Unified identity and access controls across multiple business units, reducing privileged access exceptions and increasing governance transparency.

  • Strengthened Board confidence: cyber moved from a recurring risk concern to a controlled and measurable capability with monthly KPI reporting.

Relevant Industries