How Financial Services IT Leaders Can Build a Secure, Compliant Software Factory

Development Experience Reduces Risk and Increases Innovation

Over the past two decades, software development has evolved from customized builds to standardized structures and shared frameworks. In financial services — where regulatory scrutiny, auditability and resiliency are nonnegotiable — this standardization is essential.

“The factory is the machinery you build that allows you to create sophisticated things in a repeatable way,” says Christopher Yates, principal chief architect at Red Hat.

Instead of relying on individual developer expertise or inconsistent processes, software factories establish guardrails and best practices that guide behavior automatically. That consistency reduces operational risk — a key priority for financial IT leaders managing sensitive data, payment systems and trading platforms.

RELATED: Learn more about platform engineering and the CDW solutions that can help.

In effect, a software factory ensures every application is developed under the same standards for security, compliance and performance — much like a financial institution enforces standardized controls across its branches.

“It’s a consistent experience. People know what they’re going to get, and it’s cost-effective,” Reitzig says.

Automation Is Essential for Security and Regulatory Compliance

Of the three components, process automation often presents the biggest challenge — and the biggest opportunity.

Many financial institutions implement continuous integration but stop short of fully automating infrastructure configuration and security testing. That gap introduces risk.

“If configuration and testing are still done manually, you’re creating a system for moving defects into production faster,” Reitzig says.

In financial services, that could mean:

• Exposure of sensitive customer financial data
• Compliance failures under regulations such as The Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard or Federal Financial Institutions Examination Council guidance
• Costly remediation and reputational damage

Automation addresses these risks by embedding security directly into the development lifecycle.

READ MORE: Should financial institutions be worried about artificial intelligence-powered fraud?

Security automation practices may include:

• Static and dynamic application security testing
• Interactive application security testing
• Infrastructure as Code scanning to detect cloud configuration risks
• Software composition analysis to evaluate third-party dependencies

Coupled with code quality scanning and automated unit testing, these capabilities help identify vulnerabilities before applications reach production — significantly reducing downstream remediation costs.

“Automation shortens timelines and improves quality,” Reitzig says. “Every time a product needs to be retrofitted, it takes time and money to fix it. Software is no different.”

For financial institutions, this proactive model strengthens both risk resilience and audit readiness.

Different Lines of Business May Require Different Software Factories

While standardization is critical, software factories are not one-size-fits-all.

“You need different factories to segregate domains, regulations, geographic regions and the culture of what’s acceptable where,” Yates says.

In financial services, this may mean separate software factories for:

• Retail banking and digital customer applications
• Capital markets or trading systems
• Insurance underwriting platforms
• Internal HR or risk management systems

Each domain carries distinct regulatory requirements, security classifications and performance expectations.

However, managing multiple factories requires governance. Financial IT leaders should periodically evaluate redundancies and retire processes that fail to deliver consistency or measurable outcomes.

Starting small can also reduce risk.

“If you’re spending $20 billion on a program, there’s more demand to see success sooner,” Yates says. “If you start smaller, you can snowball to success.”

DIG DEEPER: Break the biggest myths on platform engineering.

Platform Engineering Changes How Teams Work

Software factories don’t just transform technology, they reshape culture.

By constraining tool choices and automating infrastructure management, platform engineering allows developers to focus on building customer-facing innovation rather than configuring environments.

“If you have unlimited options, it can be hard to come to a conclusion,” Yates says. “Constraint allows acceleration of innovation.”

For financial services organizations competing with fintech startups, this acceleration can mean the difference between leading the market and falling behind.

At the same time, leadership must manage change thoughtfully. Long-tenured IT professionals may feel threatened by automation, particularly when it affects traditional QA or infrastructure roles.

“You have to respect and focus on the people,” Reitzig says. “If you’re asking people to do their day jobs and then also try to do something new, they’ll come up with creative ways to throw sand in the gears.”

The best approach is phased adoption:

1. Assess maturity across lean practices, infrastructure and automation
2. Develop a roadmap aligned with business priorities
3. Invest in training and change management
4. Measure outcomes in speed, security and cost optimization

“You have to manage the migration to a software factory very purposefully,” Reitzig says.