Digital transformation is the fuel that powers the modern organization. Cloud, AI, IoT, mobile and big data platforms are making companies more agile, productive and responsive to their customers. There’s just one problem: in many cases, cybersecurity is not treated with the importance it deserves.

Fail with security and you can kiss goodbye to digital transformation: fail with digital transformation and the organization itself may go under. In fact, most business leaders think they only have a couple of years to succeed before they fall behind more digitally savvy rivals. One of Iron Maidens song's has the Title "Be Quick or be Dead" - capturing also the truth of our digital age.

Unfortunately, our new Risk:Value Report reveals that too many firms are prepared to sit back and let cyber threats come to them rather than invest in proactive security to protect new digital platforms.

Paying the price

It should be well understood by now that if you fail to invest properly in cybersecurity it could hit the bottom line much harder further down the line. Ransomware is one of those threats that has the potential to do untold damage to brand reputation, service delivery and productivity. The impact of NotPetya last year on some global organizations ran into the hundreds of millions. TNT Express ($300m), Maersk ($300m) and Merck ($300m+) were just some of the brands that should have known better.

According to our Global Threat Intelligence Report, ransomware was the leading form of malware in EMEA last year, accounting for 29% of all attacks. Yet astonishingly, one third of global decision makers responding to our RiskValue report said they would try to cut costs by paying a hacker’s ransom rather than invest in information security. In fact, just half claimed they would rather prefer to invest up front in IT security. It’s a worryingly myopic approach to cyber risk, which fails to account for the huge damage an attack could inflict on digital transformation plans.

Failing to prepare

That’s not all: the report also reveals little progress has been made on implementing incident response (49%) and cybersecurity policy (57%). In both cases, just 1% more organizations had put such plans in place compared to last year and just 1% more said they were working on it versus 2017.

This is especially concerning in the context of two new EU laws that have recently come into force. The NIS Directive may apply only to providers of “essential services” but the General Data Protection Regulation (GDPR) is virtually ubiquitous and has strict rules around applying best practice security and incident response. With 72-hour breach notifications mandatory and maximum fines of €20m or 4% of global annual turnover, there’s no place to hide.

But even beyond the regulatory imperative, decision makers should see security as an opportunity, to drive digital transformation and profits. So why the lack of action? Possibly because no-one is grasping the initiative and taking responsibility for cybersecurity. Among those surveyed, 22% said the CIO was ultimately responsible for security, versus 20% for the CEO, 19% for the CISO and 15% the IT director.

There needs to be more clarity and decisiveness from the board on this. On the plus side, the new report reveals that 81% of respondents agree preventing a security attack should be a regular boardroom agenda item, up from last year’s 73%.

So we are moving in the right direction. But firms will have to do a lot more to protect their digital investments. By going back-to-basics and focusing on the things that matter, enterprises can build the kind of agile, proactive security they need to thrive in the digital world.