Bank of America Omni-SIEM (Anvilogic + Splunk)
Re-establishing governance and delivery predictability for a stalled Anvilogic + Splunk migration
TL;DR
3 teams, 1 stalled SIEM migration, 0 shared roadmap. Decision rights were undefined, outcomes were capability lists. $60K/month was burning in coordination overhead. I defined ownership, set the migration sequence and delivered the first plan security ops, engineering and compliance could all execute against.
The Challenge
The Omni-SIEM modernization (Anvilogic + Splunk) was stalled. Security operations, engineering and compliance were all active but operating with different assumptions, no shared migration sequence and no defined outcomes. They weren’t stuck on execution. They were stuck because there was no product strategy: no roadmap anyone trusted, no outcome definitions, no decision rights. Building that foundation is what unblocked the program.
Key Decisions
Governance before roadmap. Teams were renegotiating priorities at every escalation because decision rights were undefined. I held the line on roadmap commitments until ownership boundaries were in place. It was unpopular but it was the only call that would produce a plan anyone could actually execute against.
Name the output-vs-outcome gap. The program’s “outcomes” were a list of capabilities to build with no mean-time-to-detect (MTTD) baseline and no mean-time-to-respond (MTTR) target. I surfaced this in writing and made it a standing agenda item. Without outcome definitions, every prioritization conversation becomes feature-list politics.
Separate research from committed milestones. Detection research and production delivery were planned with the same certainty. I split them structurally: research tracked separately, production commitments held to a different bar. The forecasting problem was one of definition, not execution.
What I Delivered
Decision rights framework. Ownership and escalation paths across security ops, engineering and compliance, closing an estimated $60K/month in coordination overhead.
46-epic, outcome-rooted investment map. A full 12-month roadmap with RAG-status visibility across the program. The first artifact senior leadership had to align PI planning to business outcomes, not just capability delivery.
Milestoned migration roadmap. Unified Anvilogic + Splunk sequencing with discovery-phase work separated from production commitments.
Detection onboarding standard. Repeatable activation workflows that reduced handoff errors and rework cycles.
Outcomes
Contract engagement; program still in flight at conclusion. The governance structure, decision rights framework and epic mapping I built did not exist when I arrived. Senior stakeholders were referencing those artifacts for PI-to-business-case alignment. The $60K/month coordination overhead I identified came from gaps that the governance model demonstrably closed. At $720K annualized, the overhead wasn’t just a cost problem; it was the reason the program couldn’t produce PI commitments anyone trusted. Closing those decision rights gaps was what allowed the program to move from escalation-driven planning to milestone-driven delivery.
Enterprise security migrations fail at governance, not technology. The platforms are good enough. The operating models aren’t.