SIEM Platform Migration Project Manager Simulation — Goldman Sachs

The scenario

Goldman Sachs — one of the world's leading investment banking, securities, and investment management firms with $2.9 trillion in assets under supervision — has been directed by the Office of the Comptroller of the Currency to remediate critical deficiencies in its Security Information and Event Management infrastructure within 12 months. The OCC's annual cybersecurity examination identified that Goldman's aging ArcSight SIEM platform — deployed on-premises 9 years ago — has significant gaps in log source coverage, correlation rule effectiveness, and incident detection timelines that fall below regulatory expectations for a Global Systemically Important Bank. The remediation plan, approved by Goldman's Board Risk Committee, calls for a full migration from ArcSight to Splunk Cloud at a total programme cost of $14.5M. The business case is not optional — the OCC finding carries a Matters Requiring Attention classification, one step below a formal enforcement action. Failure to remediate within the prescribed timeline risks escalation to a Consent Order, which would be publicly disclosed and trigger additional regulatory scrutiny from the SEC, FINRA, and the Federal Reserve. The project appears well-defined: migrate 800 documented log sources to Splunk Cloud, rebuild SOC dashboards and alert workflows, and establish regulatory compliance reporting that meets OCC examination standards. Accenture Security has been engaged as the systems integrator, with Splunk Professional Services providing cloud architecture and onboarding support. But beneath the documented surface lies 9 years of organic SOC growth — undocumented correlation rules built by individual analysts, trading surveillance log feeds that bypass the official SIEM infrastructure, custom parsers for proprietary trading systems, and a tangled web of integrations with CrowdStrike, Palo Alto, ServiceNow, and Goldman's proprietary security tooling that no single person fully understands.

What you'll do as the project manager

• →Migrate all documented log sources (800+) from ArcSight to Splunk Cloud within the OCC-mandated 12-month remediation timeline, achieving full log ingestion parity
• →Rebuild SOC operational capabilities in Splunk Enterprise Security — including correlation rules, alert triage workflows, investigation dashboards, and incident response playbooks — with zero degradation in mean time to detect (MTTD) or mean time to respond (MTTR)
• →Establish regulatory compliance reporting in Splunk that satisfies OCC cybersecurity examination standards, SEC Rule 10 cybersecurity incident disclosure requirements, and FINRA trade surveillance obligations
• →Integrate Splunk Cloud with Goldman's security ecosystem — CrowdStrike Falcon, Palo Alto firewalls, ServiceNow SecOps, Tanium, Akamai WAF, and Zscaler cloud security — maintaining automated threat detection and response workflows
• →Complete SOC analyst training and operational cutover with measured competency, ensuring the 24/7 SOC can operate exclusively on Splunk within 30 days of go-live

Project management skills you'll build

The challenges you'll navigate

• •Log source coverage gap: The OCC finding specifically cited inadequate log coverage. If the migration reveals that actual log sources exceed the documented 800 — particularly in trading surveillance and proprietary systems — the migration scope, timeline, and budget will expand significantly
• •SOC operational disruption: The 24/7 SOC is Goldman's front line against cyber threats. Any degradation in detection or response during migration creates both security risk and regulatory exposure. Dual-platform operation adds complexity and analyst fatigue
• •Regulatory timeline pressure: The 12-month OCC remediation deadline is non-negotiable. Unlike a discretionary technology project, this deadline cannot be extended through internal governance — only the OCC can grant an extension, and requesting one signals weakness
• •Trading surveillance complexity: Goldman's trading surveillance infrastructure feeds both the SIEM and FINRA's trade monitoring requirements. Migrating these log sources touches regulatory obligations that exist independently of the SIEM project
• •Vendor dependency on undocumented complexity: Accenture's SOW was scoped against the documented environment. Custom correlation rules, proprietary parsers, and undocumented integrations are explicitly out of scope — creating a commercial gap that will surface during execution

Technology & stakeholders

You'll manage 6 stakeholders, including Rajesh Nair (Managing Director, Chief Information Security Officer), Katherine Aldridge (VP, Technology Risk & Governance), David Park (VP, Security Engineering), and more.

What you'll walk away with

A verified, shareable record of a completed enterprise project — plus the PMO deliverables you produced along the way (charter, project plan, SteerCo deck, closure document). It's real, demonstrable project management experience you can put on your resume and speak to in interviews.

Frequently asked questions

Related simulations