New Zealand already has several strengths when it comes to cyber security. From our perspective, regulation is generally pragmatic, public and private sectors collaborate well and many organisations carry less legacy technical debt than their overseas peers. These are solid foundations.

From what we see, however, there is still work to be done to help New Zealand organisations manage cyber risk consistently at scale. Looking at how the United Kingdom has approached similar challenges offers useful reference points. Not because the UK has it “right”, but because it has faced the same problems earlier and has had to respond under pressure.

Below is a practical, forward-looking view of lessons New Zealand can adapt in its own way.

Treat Cyber as National Infrastructure, not just IT

One of the more effective shifts the UK has made is treating cyber security as part of national resilience rather than a purely technical concern. Cyber incidents are planned for alongside other disruptive events.

What this highlights for New Zealand:

• Cyber resilience benefits from clear national coordination during major incidents.
• Critical digital services deserve the same resilience focus as power, water, and telecommunications.
• Earlier intervention and clearer authority can reduce confusion when incidents escalate.

This is not about central control, but about faster, clearer coordination when it matters.

Move Faster on Baseline Cyber Standards

New Zealand guidance is generally sensible, but much of it remains voluntary. This creates uneven maturity across sectors.

What we see as an opportunity:

• Establish minimum, outcome-based cyber standards for higher-risk sectors such as healthcare, education, local government, and critical infrastructure.
• Focus on raising the floor nationally, rather than driving complex or vendor-led controls.

Baseline standards help organisations understand what “good enough” looks like and give boards something concrete to measure against.

Make Cyber Risk Easier for Boards to Act On

In many organisations, cyber reporting is still too technical or inconsistent to support effective decision-making.

What could improve outcomes:

• Cyber risk reporting that is comparable, measurable, and easy for boards to digest.
• A shift from listing controls to explaining business impact, likelihood, and recovery time.

When cyber risk is framed in business terms, funding and accountability tend to follow.

Scale incident response and information sharing

New Zealand’s size should be an advantage, but incident coordination can still be fragmented.

From our perspective:

• Sector-based information sharing could be more formalised, particularly for schools, healthcare providers, and councils.
• Regular national cyber exercises, based on realistic scenarios, help organisations respond under pressure rather than theory.

Real incidents rarely follow playbooks. Practice matters.

Invest in People, not just Tech

Technology is only part of the solution. Skills take longer to build and are harder to scale. This won’t be a quick fix. It could take a generation.

Areas that deserve continued focus:

• Security operations and incident response capability.
• Risk and governance skills, not just engineering roles.
• Developing domestic talent to reduce long-term reliance on imported skills.

Conclusion

New Zealand has strong fundamentals and a collaborative can do culture. The opportunity now is consistency at scale. The UK experience shows how governance, standards, and coordination evolve when cyber risk becomes a board and national issue, not just an IT one. Several nationwide huge incidents in the United Kingdom in 2025 could be considered a turning point for the UK. New Zealand can learn from this.

New Zealand does not need to copy another country’s model. But it can borrow proven approaches and adapt them to local context. Cyber security is ultimately about resilience, leadership, and informed decision-making.

We will be in New Zealand from 16 to 27 February. If this article resonates, or you are in New Zealand and would like to hear more about what we are seeing in the UK market and how it may apply to you locally, get in touch.

Email: simon@itogether.com
Phone: +64 (0)9 802 2444