
Do you recognize this? Our society seems to adopt new technologies quickly and without restrictions, and often only considers the security side once things threaten to get out of hand. Regulators then try to fix security gaps, for instance through NIS2, long after systems have been built.
This raises a key question: Is cybersecurity a core topic in your digital transformation, or just a side issue? In this newsletter, Dirk Jan van den Heuvel, Managing Director at Secura, explores the high cost of this type of reactive security and gives his view on how to solve this.
Transformation struggles
"The only constant is change." This was true 2500 years ago, and still holds today. Our world is changing, and from where I'm standing, we often struggle to smartly deal with transformation. Whether it’s the energy transition, the rise of electric vehicles, or the adoption of AI, the general pattern seems to be: we act late and reactively. First, we embrace new technologies without boundaries. Then, when risks grow too large, we scramble to impose controls.
We're always playing catch-up
I see the same pattern in digitalization. First, we stored all sensitive data in databases—only to later realize the privacy risks and introduce regulations like GDPR. Then we moved data to the cloud, only to question who actually controls it. Now, governments are waking up to the fact that critical infrastructure depends heavily on connected IT systems, while cybersecurity is often an afterthought. This delayed response is exactly why NIS2 is now being enforced.
Some might say, "NIS2 arrived just in time; fortunately, no major cyber incidents have hit the Western world yet." But in the meantime, countless legacy systems and organizations have been built without security in mind. Even with NIS2 controls, they won't be as secure as they would have been if cybersecurity had been part of their foundation from the start.
The real challenge is deciding whether cybersecurity should be a core element of digital transformation or merely a cover for vulnerabilities that already exist.
We need to break the cycle of reactive cybersecurity
We need to break this cycle. Waiting until risks become crises is not sustainable—especially with the rise of IoT, AI, and further digital transformations. Cybersecurity is not a problem that can be solved with quick fixes. Yet this is how we approach it—like a layer of paint to cover cracks in the foundation.

A call for proactive security
At Secura / Bureau Veritas Group, we advocate for a proactive, integrated approach to cybersecurity. This means embedding security at every level—human, technical, and organizational—starting at the design phase.
Key principles we follow include:
- Defense in depth: Multiple layers of protection.
- Least privilege: Limiting access to only what’s necessary.
- Separation of duties: Avoiding single points of failure.
- Security by design: Building systems with security as a core principle.
- Simplicity: Reducing complexity to minimize vulnerabilities.
These principles are not just best practices—they are essential to avoid the costly mistakes of reactive security. Making cybersecurity a core function rather than a cover for inadequate systems will define the future of digital resilience.
The time to act is now
The cybersecurity community must shift its mindset from reaction to prevention. This requires not only developers and users of connected technology to change, but also suppliers of cybersecurity solutions.
At Secura/Bureau Veritas, we’re ready to help you embed security into your digital transformations from day one. Let’s work together to move beyond reaction—and start building resilience.
About the Author
Dirk Jan van den Heuvel
Dirk Jan van den Heuvel is Managing Director at Secura / Bureau Veritas Group and an experienced entrepreneur in cybersecurity.
He has over 20 years of experience in cybersecurity, risk management, and compliance. Throughout his career, he has led and built security-focused businesses, helping organizations strengthen their security posture.
Why choose Secura | Bureau Veritas
At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.
Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.