Skip to content

Financial-sector cybersecurity & GRC

Shehan Shanuka

A banker who codes — cybersecurity and governance, risk & compliance for financial institutions.

Two and a half years inside a retail bank, now formalizing the security side in Riga — heading toward cyber due diligence and security advisory for banks, fintechs, funds, and M&A.

About

A banker who codes

Security in financial services fails at the seams — between the framework and the branch floor, between the control and the person applying it at 4:55 pm on a month-end Friday. I've stood on both sides of that seam.

For two and a half years at Sampath Bank in Sri Lanka, I worked teller, head teller, pawning, and branch IT support roles — cash controls, customer verification, dual authorization, and the systems a branch depends on. That's the business, risk, and regulatory reality most security professionals only ever read about.

I also build software — full-stack web applications in TypeScript, from interface to database. Now I'm formalizing the security side: a Professional Bachelor in Computer Science at EKA University of Applied Sciences in Riga, Latvia, focused on cybersecurity and governance, risk & compliance.

The combination — banking operations, working code, and security frameworks — is rare, and it's exactly what cyber due diligence and security advisory for banks, fintechs, funds, and M&A demand: the judgment to see risk the way the business runs it, and the technical depth to verify what's actually there.

Focus Areas

Where I add value

Governance, Risk & Compliance

Building and assessing security programs against ISO 27001, NIST CSF, and SOC 2 — mapped to how the business actually operates, not just how the framework reads.

  • ISO 27001
  • NIST CSF
  • SOC 2

Financial-Sector Security & Regulation

DORA, NIS2, and PCI DSS — read from the perspective of someone who has worked under bank compliance rather than only audited against it.

  • DORA
  • NIS2
  • PCI DSS

Third-Party & Vendor Risk

Assessing the vendors financial institutions depend on — access, concentration, and resilience risk across the supply chain.

  • TPRM
  • Vendor assessment

Cyber Due Diligence (M&A)

Security posture assessment for acquisitions and investments — what a target's real cyber risk looks like beneath the data room.

  • M&A
  • Due diligence

Selected Work

Work in progress

Core GRC deliverables I'm currently building, anchored to a single model financial entity. Each is published here as it's completed.

Enterprise Risk Register

In progress

Threat-driven risk register for a model retail bank — scored, owned, and mapped to ISO 27001 Annex A controls.

  • Risk assessment
  • ISO 27001

ISO 27001 Statement of Applicability

In progress

Full SoA for a model financial institution — control selection with business-grounded justifications.

  • ISO 27001
  • SoA

NIST CSF Profile

In progress

Current-state and target profile with a prioritized, budget-aware improvement roadmap.

  • NIST CSF
  • Roadmap

Vendor / Third-Party Risk Assessment

In progress

Assessment framework plus a completed evaluation of a critical banking vendor — access, data, and exit risk.

  • TPRM
  • Due diligence

DORA Gap Analysis

In progress

Article-by-article gap analysis of a model bank against DORA's ICT risk-management requirements.

  • DORA
  • EU regulation

Credentials

Certifications & education

  • Google Cybersecurity Certificate

    Google

    In progress · 2026

  • CompTIA Security+ (SY0-701)

    CompTIA

    Planned · 2026

  • Professional Bachelor in Computer Science

    EKA University of Applied Sciences, Riga, Latvia

    Commencing September 2026

A staged certification path, pursued alongside full-time banking work — updated as each stage completes.

Skills

Capabilities

Security & GRC

  • ISO 27001
  • NIST CSF
  • SOC 2
  • DORA
  • Risk assessment
  • IAM

Technical

  • Next.js
  • React
  • TypeScript
  • Astro
  • Supabase
  • Linux
  • Networking basics

Domain

  • Retail banking operations
  • Financial risk
  • Regulatory awareness

Contact

Get in touch

For roles, projects, or conversations at the intersection of banking and security — email is the fastest way to reach me.

Location: Sri Lanka → Riga, Latvia (Sept 2026)