Building resilient infrastructure in regulated environments: 7 Lessons from IG Group’s journey

See what financial services firm IG Group learned about building resilient infrastructure through centralized secrets management.

In highly regulated industries, resilient infrastructure is not just a nice-to-have; it’s a business imperative. As Andrew Blooman, Platform Security Team Lead at IG Group, says, “Regulations such as DORA (Digital Operations Resilience Act) are not optional guidance; they are mandatory regulations.”

At HashiDays 2025, Blooman shared how his team tackled one of his industry’s toughest challenges when it comes to building resilient infrastructure: securing secrets and sensitive data across complex, cloud-based systems.

Here are seven lessons from IG Group’s experience that every organization can learn from.

1. Regulatory compliance is non-negotiable

This was a driving factor for IG Group in addressing gaps in secrets management. Blooman explained:

“DORA requires us to implement secure coding practices throughout the entire software development lifecycle, adopt the principle of least privilege for all of our systems, maintain strict separation between development and production environments, and establish frameworks to identify, detect, and respond to and recover from security incidents.”
— Andrew Blooman, Platform Security Team Lead, IG Group

These requirements can’t be side-stepped in the engineering process if the firm wants to stay in business. But instead of treating them merely as challenges to be overcome, IG Group used them as a catalyst to modernize and standardize its security architecture, with help from best-practice frameworks such as ISO 27001 and the NIST Cybersecurity Framework.

2. Secret sprawl is a business and regulatory risk

Some quick stats HashiCorp has found regarding the importance of securing secrets (API keys, passwords, SSH keys, certificates, tokens, etc.):

  • GitHub found 39 million secrets were leaked in 2024 alone.
  • IBM's Cost of a Data Breach Report puts the average cost of a breach at about $4.44 million per incident.
  • HashiCorp's The Cost of Secret Sprawl ebook breaks down these costs, showing that manual secrets management can cost the equivalent of 1-2 developer salaries a year, and that false positives in secret detection can cost around $500K in analyst time.

Blooman says, “In financial services, these numbers aren't just statistics; they represent existential threats to our business.”

IG Group discovered that secrets like passwords and tokens were scattered across their code base, potentially leading to multimillion-dollar breaches, reputational damage, and regulatory violations if exposed. Blooman says, “Secrets in code was the fundamental challenge we were facing. And it wasn't just a technical problem; it was a business risk.”

Treating secrets management as a core business risk helped IG Group secure leadership buy-in and align efforts across departments.

3. Security culture must be addressed head-on

IG Group found that security gaps often started with people, not systems. Developers lacked clear training and guidance on how to handle secrets, detection tools were missing, and there were no controls to prevent risky code commits.

“Clear training and guidance to developers on how best to store secrets just wasn’t in place, and this was causing secret sprawl.”
— Andrew Blooman, Platform Security Team Lead, IG Group

By creating an engineering code of practice and clear developer guidelines, IG Group began to replace a culture of insecurity with one of shared responsibility.

4. Standardize secrets management with a core platform

After evaluating multiple tools, IG Group chose HashiCorp Vault as its centralized secrets management solution. Vault provided a single source of truth and strong audit capabilities, and, consumed as a managed service, reduced technical debt. This allowed the security team to maintain visibility and consistency across all applications while improving scalability and governance.

“How does Vault make our infrastructure more resilient? First of all, there are no secrets to leak. If somebody does access our codebase and download it, there are no secrets in there anymore if they've all been replaced with variables. So there's nothing to steal. If the time comes when secrets are compromised, the secrets can be rotated in the originating system and then updated in Vault centrally. No code changes are needed. We just redeploy the app.”
— Andrew Blooman, Platform Security Team Lead, IG Group

5. Make security easy for developers

One of IG Group’s biggest insights was that adoption improves when security feels intuitive. They focused on simple onboarding, minimal code changes, and clear documentation. They even gamified the experience, creating dashboards that encouraged friendly competition among teams to improve their security posture.

“The self-service question is always a challenge: How do you balance security with developer flexibility? We found that self-service becomes a problem when there isn’t a predefined solution like Vault. Developers will find a method to deliver their workstream, even if it is suboptimal. And that’s the beginning of secret sprawl.”
— Andrew Blooman, Platform Security Team Lead, IG Group

6. Automate secrets management setup

By using infrastructure as code tools like Terraform, IG Group automated the deployment and management of their Vault environment. This approach eliminated manual configuration tasks for Vault, which resulted in faster setup for new Vault clusters and fewer errors during deployment. What once took hours of setup time could now be achieved with a single line of Terraform code:

“We optimized our deployment of cloud operations by leveraging Terraform. For all of the control-plane aspects, we use Terraform to manage it. There is zero ClickOps. This means that we can administer Vault using GitHub’s methodology, all built into GitLab. This allows us version control, change control, audit logs, and it's really easy to onboard new teams. In fact, I've got it down to just one line of code to onboard a new team — Namespace, secrets engine, roles, policies, everything.”
— Andrew Blooman, Platform Security Team Lead, IG Group
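The following is an added example, not IG Group’s Terraform: a hypothetical module (`modules/team_onboarding`) that gives a team a Vault namespace, a KV secrets engine, a least-privilege policy and a GitLab OIDC login role, so the caller onboards a team with a single `module` block (`team` and `gitlab_project_path` as inputs). The GitLab and Vault URLs, the `secrets` mount path and the 10-minute token TTL (the just-in-time access of lesson 7) are assumptions.

```hcl
# Added example, not IG Group's code: hypothetical module body, modules/team_onboarding/main.tf
variable "team"                { type = string }
variable "gitlab_project_path" { type = string }

locals {
  gitlab_url = "https://gitlab.example.com"   # assumed; the GitLab instance acting as OIDC issuer
  vault_aud  = "https://vault.example.com"    # assumed; the 'aud' set under id_tokens in .gitlab-ci.yml
}

# One namespace per team (Vault Enterprise / HCP Vault feature).
resource "vault_namespace" "team" {
  path = var.team
}

# KV v2 secrets engine inside that namespace (applied from the root namespace, so path is fully qualified).
resource "vault_mount" "kv" {
  namespace = vault_namespace.team.path
  path      = "secrets"
  type      = "kv"
  options   = { version = "2" }
}

# Least privilege: CI jobs for this team may only read this team's own secrets.
resource "vault_policy" "ci" {
  namespace = vault_namespace.team.path
  name      = "${var.team}-ci"
  policy    = <<-EOT
    path "secrets/data/*"     { capabilities = ["read"] }
    path "secrets/metadata/*" { capabilities = ["list"] }
  EOT
}

# GitLab CI logs in with its short-lived ID token: no static Vault token lives in the repository.
resource "vault_jwt_auth_backend" "gitlab" {
  namespace          = vault_namespace.team.path
  path               = "gitlab"
  type               = "jwt"
  oidc_discovery_url = local.gitlab_url
  bound_issuer       = local.gitlab_url
}

# The role binds the token to one project and protected refs only; Vault tokens expire after 10 minutes.
resource "vault_jwt_auth_backend_role" "ci" {
  namespace       = vault_namespace.team.path
  backend         = vault_jwt_auth_backend.gitlab.path
  role_name       = "ci"
  role_type       = "jwt"
  user_claim      = "project_path"
  bound_audiences = [local.vault_aud]
  bound_claims    = { project_path = var.gitlab_project_path, ref_protected = "true" }
  token_policies  = [vault_policy.ci.name]
  token_ttl       = 600
}
```

Because every object is declared in code, a merge request is the change record and `terraform plan` shows exactly which namespace, policy or role a change touches before it is applied.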

7. Build toward dynamic and just-in-time access

Static credentials will always be a weak link. IG Group is moving toward a model where secrets are generated and expired automatically. With just-in-time access, even if a credential is exposed, it quickly becomes useless. In some cases you can go secretless entirely, using workload identities with Vault as an OIDC provider. This progressive strategy dramatically reduces risk and brings IG Group closer to a zero trust architecture, one where no entity is trusted by default and all access is verified dynamically.

Key takeaways

IG Group’s journey shows that when organizations combine automation and a security-first culture, they can meet regulatory requirements and save money doing it.

Blooman says the key takeaways from IG Group’s adoption of Vault and secrets management are:

  1. Strengthened security and governance: IG Group implemented centralized visibility, automated policy enforcement, and secure access methods that directly address the DORA requirements.
  2. Accelerated delivery and innovation: By eliminating barriers and providing self-service capabilities through GitLab and the integration with OIDC, IG Group increased development velocity and improved security. And this demonstrates that security and speed of delivery are not mutually exclusive.
  3. Optimized cloud operations and ROI: Infrastructure resilience improvements combined with operational efficiency gains and measurable risk reduction deliver a really compelling ROI.

The bottom line? True resilience comes from creating systems and mindsets that expect change, anticipate risk, and continuously evolve.

“We had a culture of insecurity driven by the absence of an existing secrets management solution. We had to overcome the regulatory controls, we had to have massive concern about the risk, and we lacked proper secrets detection tooling. This was unsustainable, and especially challenging in the financial services sector. We solved the problem with HashiCorp Vault.”
— Andrew Blooman, Platform Security Team Lead, IG Group

Want to see similar ROI gains by improving your organization’s security posture and reducing manual security toil? Read our guide: Optimize cloud operations and ROI with The Infrastructure Cloud. It can help you plan your strategy for meeting regulatory requirements, reducing the cost of secret sprawl, and improving security visibility.

Watch Andrew Blooman explain more about IG Group’s experience building resilient infrastructure in a highly regulated environment.