If you still think that security can be something that you “get to as soon as…”, then you may already be in trouble. Too many companies pay little attention to the risk potential until it is too late, and the bad guys are well aware of it. Security is something that must be baked into your IT recipe from day one, not added on like pepper when you are ready to release to the public.
Take a look at these statistics:
http://www.darkreading.com/operations/identity-fraud-hits-all-time-high-in-2017——-/d/d-id/1330979