Fix the foundations: build for tomorrow, not just today

Businesses frequently avoid addressing legacy system dependencies due to the perceived complexity and risk. It can be a deeply invasive, enterprise-wide intervention, affecting the core of an organisation. It also demands significant resources.

But over time, the numerous workarounds and extensions that have been built on and around core systems have added complexity and made future interventions even harder. Often, tackling the issue only becomes urgent when a critical failure occurs or an operational risk materialises.

New forms of AI present a further dilemma as organisations may be tempted to delay foundational modernisation, hoping that future AI solutions will bypass or resolve legacy issues. However, our position is clear: AI can accelerate existing processes, but it cannot fix flawed architecture or inefficient processes. Overlaying advanced tools on a potentially weak foundation may offer short-term benefits but it leaves core problems unresolved. While AI’s true potential to fundamentally reshape how we deal with these challenges is still evolving, for now, relying on it to avoid modernisation could be a misstep.

This reluctance to address legacy issues is compounded by the fact that the true cost of inaction – the long-term expense of maintaining and delivering change around these increasingly complex legacy systems versus the benefits of transformation – is rarely quantified. Even when the financial case for change is clear, risk aversion and avoidance perpetuates technical debt.

We believe that despite the cost and associated risk, addressing legacy system issues should be seen as a growth opportunity. In our research, 85% of Innovation Leaders – those organisations adopting bold, innovative and proactive approaches to unlock more value – identified reducing technical debt as a critical contributor to their digital transformation success.

Cyber security must underpin your tech transformation

Security concerns emerged as the second biggest barrier to achieving digital ambitions (49%). This encompasses IT security, trust, data privacy, compliance and ethics.

Despite clear recognition of cyber’s importance, our research indicates that the proportion of organisations making investment in foundational security capabilities over the last 12 months is relatively limited. This includes federated security (16%), zero trust security (24%) and identity and access management (29%).

The proportion of organisations investing in emerging technologies like Generative AI (54%) and broader AI (44%), suggests a prioritisation of the ‘shiny’ potential of new tech, underestimating the importance of the core security measures needed to support them. When a cyber attack occurs, it can bring everything to a standstill.

Ultimately, without strong security foundations, and the willingness to address concerns before an incident happens, the value of any transformation is at risk.

Taking a proactive approach to security and resilience has never been more crucial. Recent Deloitte research reveals that 88% of boards are addressing cyber-related issues quarterly, if not more often.

Externally, risks continue to escalate. The technologies that drive innovation are also enabling new threats. Attackers are leveraging advanced AI tools, while organisations face growing risks from shadow AI deployments, training data breaches and model manipulation.

The internal threat is also increasing. In affected organisations, between 2023 and 2024, the proportion of cyber security breaches attributed to the unintended actions of well-meaning employees increased from 4% to 13%.

Security extends beyond defence; it is a fundamental enabler of safe transformation. In an environment where, more frequently, tech investment decisions are being led outside of the tech function, robust guardrails, clear principles and effective architecture are essential to maintain resilience.

Next steps to unlock value