For many businesses, determining where to start with cybersecurity can often be a daunting and overwhelming question.

A lot of business leaders can feel intimidated by their potential lack of understanding around this growing business risk, and may be unsure where to turn for help.

Well, good news… Help is here my friends!

When you cut through all the ‘noise’ that many businesses find themselves embroiled in when dealing with cybersecurity issues (and there is a lot of it, in the media and across the tech industry), mapping out where to start growing your organisation’s cybersecurity preparedness and resilience is actually pretty straightforward.

The secret to realising this clarity of thought lies in this simple truism: 

Cybersecurity in its purest form is simply about people making risk-based decisions regarding how to best protect the data that matters most to their business’ survival and/or success.

That’s it… Truly! Everything else ultimately extends from this premise.

With this in mind, realising this fundamental within your own context comes down to being able to conclusively answer the following six questions for your business:

1. What are your organisation’s operationally critical information assets?

This question is probably the most critical one of all. If you don’t know (or can’t mutually establish) what the most important ‘stuff’ within your business requiring protection actually is, then you will be unable to make ‘right-sized’ cybersecurity resilience decisions to protect your livelihood’s future.

Such an ambiguous scenario could see you spending money you cannot afford on security capabilities that are not right for you, or see you implement a security posture that unintentionally disrupts your business’ baseline digital functionality. After all, effective cybersecurity should always support and empower the business to grow, not stymie its productivity through excessive security controls.

(And for the avoidance of doubt, an information asset, as defined by the Australian Cyber Security Centre, is “anything of value, such as ICT equipment, software, or data”.)

(There is some really sensible advice available here from the NZSIS’ Protective Security Requirements team to help you do this.)

2. What is your organisation’s information security risk appetite and tolerance?

As established earlier, because cybersecurity is fundamentally about making risk-based decisions regarding how to best protect the data that matters most to a business, it is only the organisation’s senior leaders who can define:

  • what level of digital disruption the business can tolerate; and
  • what minimum level of digital business functionality the business must maintain.

In other words, it is only the C-suite and/or Board who can say “how much cybersecurity is enough”.

Once these thresholds have been established and communicated to the business, a security work programme can be built around these security expectations and requirements. NCSC has developed a fantastic suite of guidance to support senior business leaders on this risk assessment journey.

3. What are the government, legal, privacy, and security compliance obligations your organisation must contend with?

Depending on the industry your business is in, non-compliance with certain privacy and cybersecurity obligations may expose your organisation to serious legal penalties and/or commercial risk to its livelihood.

For government agencies, complying with the Protective Security Requirements, the New Zealand Information Security Manual, and the Government Chief Digital Officer’s Cloud Risk Assessment and ICT Assurance requirements is key; for health sector agencies, ensuring alignment with the NZ Ministry of Health’s Health Information Security Framework and the Health Information Privacy Code is important; and for hospitality, tourism and financial industry partners, adhering to PCI DSS and NZ’s Anti-Money Laundering and Countering Financing of Terrorism Act remains vital. And of course, there is the NZ Privacy Act 2020, which we all must account for.

All of these standards represent a mandatory digital “WoF”/licence that certain businesses need in order to demonstrate to their key stakeholders that they can operate safely. Without a fundamental awareness of your business’ obligations in these areas (and an accurate understanding of how best to satisfy them), you carry a serious risk, or “blind spot”, that may lead to unintended consequences for your organisation.

4. Who is accountable for the security and integrity of your organisation’s IT systems and data sets?

This is not a trick question, I assure you. Furthermore, I would assert there is really only one answer here too: it’s your organisation’s ELT (executive leadership team) and/or Board-equivalent.

Further to the points made under Question 2: since it is only the C-suite and/or Board who can say ‘how much cybersecurity is enough’, by the same logic these leaders are also the only ones who can be ultimately accountable for the security and integrity of your organisation’s data and information infrastructure. NCSC has a great suite of guidance here to support business leaders in making these risk-based decisions.

While in practice the responsibility for executing on these accountabilities is usually delegated down to the CIO-equivalent, accountability itself cannot be delegated: when the tough cybersecurity risk calls need to be made, it should be the senior-most members of the organisation who make them.

5. What is your organisation’s information security maturity “current state”, its “future state”, and the “gap” between the two?

Once you have established the answers to Questions 1 & 2, then it’s time to gain a clear-eyed and unvarnished understanding of the current state of your digital security posture.

This first step of the discovery journey can often be quite confronting for organisations. But once you have established what your most important information assets are, and how much potential risk/“pain” you are willing to expose them to, it is much easier to survey your digital landscape pragmatically and proportionately, without being terrified of what you might find, and then to plan iteratively from there.

There are a number of cybersecurity frameworks out there that can assist you with this task. However, from my perspective, the NIST Cybersecurity Framework and/or the Australian Signals Directorate’s “Essential Eight” Maturity Model are among the most practical and business-friendly ones to use. CERT NZ also has really good guidance on this process.

6. Does your organisation have a cybersecurity incident response plan in place (and has it been tested)?

When starting engagements with businesses for the first time, this is often one of the first questions I will ask them. This is because a cybersecurity incident is one of the least predictable, and most disruptive, events that can happen to a business.

Simply put, while we are working towards lifting an organisation’s overall cybersecurity posture, we still need to be in a position to respond to the very thing we are building greater resilience against.

Or put another way, you need to ask yourself: “do you want cybersecurity done to your business, or do you want to do it on your own terms?” Choosing whether or not to have a validated and tested cybersecurity incident response plan in place is, in essence, the business making this choice. Note the word “tested”: a plan that has never been exercised, even as a tabletop walk-through with the people who would actually have to execute it, is unlikely to work the first time it is needed. Again, our friends at CERT NZ and the NCSC have some great advice to share on how to do this.

In conclusion, working your way through these six questions will give your business a pretty safe and effective place to begin ‘right-sizing’, prioritising, and funding your cybersecurity maturity work programme, safe in the knowledge that you are protecting the data that matters most to your business.
