Dr. Aditya V Kashyap, AI and Innovation Leader, driving enterprise transformations through trusted strategy, governance and bold leadership.
The financial system has crossed a threshold most technology leaders have not fully internalized: The firms they run no longer operate on infrastructure they control. For decades, “the bank’s systems” meant servers in a building, software the firm licensed and networks it could see and defend. That picture is now fiction.
Modern finance runs on cloud platforms, third-party software vendors and messaging networks that sit outside the organization’s walls and, increasingly, outside its direct authority. The strategic question for any technology leader in financial services is no longer how well the firm builds, but how much of what it depends on it actually owns.
Start with a distinction that scale obscures. Infrastructure is never merely something that exists; it is something other things depend on. A firm can run a vast, sophisticated technology organization and still be operationally fragile, because participation is not control and headcount is not resilience. The dependencies that matter most are the ones leaders rarely map: the handful of cloud providers, the security vendors with privileged access to every endpoint, the settlement and messaging rails that route the firm’s transactions.
Europe’s regulators have made this concentration explicit. The Digital Operational Resilience Act, in application since January 17, 2025, rests on a recognition that financial firms’ reliance on a limited number of technology providers creates systemic and concentration risk, and it now places designated critical providers under direct EU oversight. For technology leaders, DORA is not an abstract policy. It is a mandate landing on their desks, requiring them to inventory, test and govern third-party dependencies they may never have cataloged.
Dependency creates concentration; concentration creates vulnerability. In July 2024, a CrowdStrike software update affected an estimated 8.5 million Windows devices worldwide. Parametrix estimated that Fortune 500 banking companies alone incurred roughly $1.15 billion in direct losses. The cause was not a cyberattack but a flawed software update, and that is precisely the point. A routine error inside a trusted vendor cascaded through global finance because modern digital infrastructure often inherits the resilience limits of its most critical dependencies.
For a CISO or CTO, the lesson is uncomfortable: A firm’s continuity now depends on the engineering discipline of organizations it does not manage. Operational resilience can no longer be read only through a firm’s own controls; it must be read through the failure modes of everyone the firm relies on.
Here, the argument turns from risk to power. Vulnerability, seen from the other side, is leverage. If a firm can be harmed by losing access to a piece of infrastructure, whoever controls that infrastructure holds a lever over the firm. The clearest illustration came at the sovereign level, but its logic applies directly to enterprise procurement.
In early 2022, the EU ordered several Russian banks removed from the SWIFT financial messaging network, with the disconnection taking effect on March 12. SWIFT does not move money; it transmits the standardized instructions that enable banks around the world to exchange financial information and execute transactions. Exclusion from the network did not make international payments impossible, but it significantly disrupted those banks’ ability to operate across borders.
The enterprise lesson is straightforward: Every critical vendor relationship is a dependency whose terms, availability and economics are ultimately controlled by someone else. Vendor lock-in is not merely a procurement concern; it is a strategic risk that belongs on the technology leader’s risk register.
This brings the argument to its center. If infrastructure confers leverage, the deepest question a technology organization faces is not how well it manages its vendors, but where it should own rather than rent. To depend on private infrastructure is to operate a system someone else designed, runs and could, in principle, change beneath you. To build it is to hold the design, the roadmap and the off switch.
India’s Unified Payments Interface, launched in 2016 and recognized by the IMF as “the largest real-time payment system in the world by volume,” matters here less as national policy than as an architectural decision: a foundational rail built and governed deliberately rather than rented from a platform whose incentives might diverge.
The enterprise version of that decision plays out constantly, in choices about whether core capabilities live on a single hyperscaler, whether identity and security run through one vendor and whether the firm retains the ability to migrate. Build-versus-rent is no longer a cost question. It is a resilience question.
The implication is hard to soften. A technology organization built on infrastructure it neither controls nor can defend is in a position of weakness wearing the costume of strength. Scale flatters; resilience protects. A firm can run impressive systems and still be fragile, employ brilliant engineers and still be exposed, or post strong margins and still be, in the final accounting, borrowed. Technological strength in this decade is shifting from how much a firm builds toward how much it controls, how well it can defend and how independent it remains.
For technology leaders, this reframes the job itself. The instinct is to measure the organization by what it ships and how fast. The more consequential measure is quieter: When a critical vendor fails, changes its terms or suffers a breach, does the firm have anywhere to stand?
The most important infrastructure in a modern financial firm is increasingly the infrastructure its own leaders never see, and the firm’s standing may rest less on the size of what it has built than on whether it can keep the systems it relies on running when something it does not control goes wrong. That, not the next deployment, is the resilience question that now defines technology leadership in finance.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.







