Does your Board paper have a section on cyber risk?

In other words, is your organisation ready to take on a single incident that can paralyse your business?

No single threat event has the ability to paralyse and force a business into administration or become a takeover target more than a cyber event.

These threat events are well planned, sophisticated, complex, smart and most of the time only detected when it is too late. Customers and investors are quick to turn from any company that is frivolous with their information. Regulators are usually behind in their approach and more often than not they stifle innovation when we need to increase our speed of innovation.

Never before has speed of change been more important to ensure competitive advantage and increased revenue. We need to begin working together as a country: a collaborative group of companies working together to address the threats to New Zealand infrastructure and commercial interests, and to become more transparent in the way we address cyber risk.

So many times I hear that cybersecurity is a business enabler but too many times I do not see how people are enabling New Zealand to achieve that. We all need to review our approach and ensure it is aligned to the most economic way to protect our assets and use effective and robust risk management to enable business decisions.

So why, historically, has it appeared in the “too hard basket” for many NZ companies? The usual suspects are cost, resources and lack of awareness of the real threats versus the Fear, Uncertainty and Doubt (FUD) approach that many professionals perpetuate.

In order to address these issues, we need to join the collective Kiwi mind through creating a network of security professionals who communicate closely with each other. Working with peers and providers alike is the only way for New Zealand companies to remain competitive on the global stage.

It is also imperative to link a formal cyber risk process to any transformational strategies the company has planned. This will ensure that we start to reduce wasteful, ill-focused and ineffective spend on cyber immediately. After all, we all know that retrospective application of controls is vastly more expensive than applying them from the design phase.

Mission: Demystify cybersecurity

We must enable transparency and empowerment within an organisation and demystify cybersecurity! Working to introduce processes and educating people across an organisation is imperative. All processes should be clearly documented and available to enable successful training and so that we can visually identify where to insert cyber controls.

Effective, understandable, relevant and usable policies and best practices should be made available to customers to show transparency and to gain trust that we will protect their information! I would also advocate no more than two pages per security policy, to really make them readable and to empower groups of people to push the boundaries, increasing innovation and taking more informed risks.

Educating an organisation with basic awareness training is vital. As the attacks become more sophisticated we need users to act as a control, noticing potential incidents and reporting them for investigation. This will reduce the cost of the cyber reaction through early identification and minimal error in the initial response. Every single employee has a responsibility to help reduce spend on cybersecurity. As it becomes more socially acceptable for companies to experience incidents, users will look for the supporting processes as a way to ensure confidence is maintained and a chance is provided to the company that experiences the event.

We also need to start to be honest and open with each other about the impact that cyber has to our economy by recording and quantifying security incident impacts. This is a great way to show the benefit of security spend to any Board member.

To underscore the urgency of this matter I would like to call for all industry security experts from around New Zealand to contact me directly on

I will take it upon myself to ensure we are working together to develop a mechanism to address risk and obtain budgets for business growth. I promise to work with each and every one of you to build a network, work together, share information and enable you to have a process for providing a workable security posture to present to your management.

David Kennedy

David Kennedy has worked as a CIO/CISO in public and private sector organisations across the globe. He has worked in cyber security for almost two decades with over 75 companies. He has an MBA from The University of Edinburgh, and is on the faculty and Advisory Board for the Strategic CIO Program at the University of Auckland Business School. Reach him at
