Client story United States

A major US health insurer modernizes its security operations

  • Insurance

Summary  

Sector: Healthcare / Health Insurance

The challenge: Security review processes were slow, inconsistent, and overwhelmed, with reviews taking months, bottlenecks growing, and 70%+ of items overdue. The organization needed structure, speed, and sustainable governance across Security Architecture and Application Security.

The solution: Wavestone embedded with Security Architecture and AppSec teams to rebuild workflows, standardize documentation, and implement governance rhythms. Automated dashboards, reminders, and bi‑weekly cadences improved visibility and predictability. Over 3.5 years, the partnership expanded to include Threat and Vulnerability Management (TVM) workflows, Secure Software Development Life Cycle (SSDLC) modernization, risk acceptance processes, Data Loss Prevention strategy, penetration testing program support, and a full AppSec Center of Excellence.

Key results:

  • 70% reduction in overdue reviews
  • Average review timelines improved from ~75 days to 25 days, reducing further bottlenecks
  • Security Architecture overdue work improved from 71% overdue in 2022 to 24% overdue in 2024
  • AppSec improved from 71% overdue in 2023 to 48% overdue in 2024, with average duration improving from 75 days to 58 days
  • 185+ assurance reviews completed & validated
  • 1100+ applications with auto‑security gating implemented
  • 1400+ developers trained on Application Security Requirements

The challenge

Overwhelmed security reviews spark a call for change

A Fortune 500 U.S. health insurer and leading multi-state managed care organization, serving more than 2 million members through government-sponsored insurance programs including Medicaid, Medicare, and ACA Marketplace plans, came to Wavestone facing a challenge that’s all too common across the industry: security review processes that were slow, inconsistent, and overwhelmed.

Reviews dragged on for months, bottlenecks piled up, and more than 70% of support tickets were overdue. Operating across states and managing millions of member interactions, the organization needed more than additional support: it needed a partner that could bring structure, speed, and long‑term sustainability to a critical security function.

The solution

Building structure where it didn’t exist

Wavestone embedded directly into the Security Architecture and AppSec teams, reshaping how work moved from intake to completion. The team redesigned workflows, formalized documentation, introduced governance cadences, and established the day‑to‑day process discipline the function had been missing.

Power BI dashboards, trackers, iServe upkeep, bi‑weekly governance touchpoints, and proactive reminder mechanisms created visibility and accountability across every stakeholder group. For the first time, architects, business owners, and PMO teams had a shared, transparent view of progress.

The results

Scalable operating procedures to reduce bottlenecks

Within months, the transformation delivered tangible and sustainable results. Operational bottlenecks were significantly reduced, and a more predictable, scalable delivery model was established across the organization.

Overdue reviews dropped by approximately 70%. At the same time, review cycles were accelerated, with average timelines reduced from 75 to 25 days. This translated into a sharp improvement in performance metrics across key security domains: overdue Security Architecture reviews decreased from 71% in 2022 to 24% in 2024, while AppSec overdue work was reduced to 48% over the same period.

Beyond these improvements, the transformation fundamentally reshaped how technology risks are managed and governed at scale. More than 185 assurance reviews were completed, over 1,100 applications were equipped with automated security gating, and more than 1,400 developers were trained on application security requirements.

Building on these strong foundations, the client's collaboration with Wavestone expanded significantly. Over the following years, the insurer entrusted Wavestone with a broader role across its security organization, contributing to major transformation initiatives, including the reinforcement of vulnerability management processes, the modernization of SSDLC and DevSecOps practices, and the deployment of structured data protection and risk management frameworks.

This extended scope also led to the creation of a dedicated AppSec Center of Excellence, the implementation of formal risk acceptance processes, and the strengthening of penetration testing and reporting capabilities, further improving visibility, governance, and decision‑making. Today, the organization is equipped with a more resilient, efficient, and scalable security model, while continuing to embed best practices and build long‑term autonomy.
