Research shows that information systems security operates between two main distinct functioning modes, either prevention before a security incident occurs, or response which follows from an incident, usually external to the organisation. In this paper, we argue that this shift between prevention and response modes also happens due to inherent internal tensions created between pressures for digital transformation and the established forces for security compliance. We show how a digital transformation project introduced a security incident and challenged the IS security compliance function, a process that reflected these two approaches to IS security in organizations. We conduct a participatory observation study of the implementation of Robotic Process Automation (RPA) in a financial services organization. We examine the shift from prevention to response in this project and identify generative drivers of digital transformation, and drivers of IS security compliance. Our analysis leads to the development of a process model that explains how organizations move from prevention to response when faced with tensions between IS security compliance and digital transformation.