Summary
The CISO got his scary presentation and the budget increase he wanted, but in the long term it's unlikely the exercise dramatically increased the security posture of the organization. You can prioritize security, you can throw gobs of money at it, but the bottom line is that you still have to be able to do business. If you need people to come into your buildings and do work on a regular basis, there needs to be a fluid way to allow this to happen that also considers the security implications. In this instance, that failed.
The takeaway here is that the obvious systems to attack are not necessarily the right ones. As noted above, as pen testers we could probably subvert the payment systems themselves but it would be hard to go from there to physically removing money from the bank (as impressive a demo as that would be). In this instance, we chose to hit the change control systems because they were more vulnerable and would allow an attacker much more flexibility in controlling...