
The Cybersecurity Missing Middle for NZ Businesses

Full-time CISOs cost $200K+. MSPs do not cover ownership, reporting, or evidence. Big consultancies are too slow. Here is the missing middle most NZ businesses have not considered.

16 January 2026 15 min read By Good Security

The Gap Nobody Is Solving

The short version: 59% of NZ businesses were attacked last year and the average incident costs $530,000. Most mid-size businesses have some controls but no clear security owner — and that gap is fixable with consistent external security leadership that costs a fraction of a single incident. Book a consultation to see what the first 90 days look like. Read on for the full breakdown.

There is a simpler way to frame the problem. Once a business grows past basic IT, security stops being a tooling question and becomes an ownership question. Someone has to decide what matters first, what has to be proved to customers and insurers, what leadership needs to see, and who coordinates the response when something goes wrong.

For large enterprises, that owner is a CISO. For very small businesses, the work is usually still informal. The pain shows up in the middle: businesses with enough customers, staff, data, and scrutiny to need real security leadership, but not enough scale to justify a $200,000-plus executive hire.

That is where most New Zealand businesses get stuck. The MSP keeps systems running. A consultancy can produce a report. An internal manager carries the question until their day job takes over. But none of those options gives the business consistent ownership of risk, evidence, reporting, and decision-making.

The pressure is no longer theoretical. Kordia's 2025 New Zealand Business Cyber Security Report found that 59% of New Zealand businesses experienced a cyber attack or incident in 2024 (Kordia, 2025). The New Zealand Institute of Quantitative Research (NZIQ) reports that 92% of businesses in New Zealand and Australia experienced at least one security breach in the past twelve months (NZIQ, 2025). Businesses are dealing with customer questionnaires, insurer renewals, privacy obligations, and leadership accountability now, often without a clear security owner.

That leaves buyers staring at three familiar options: hire a full-time CISO, lean harder on the MSP, or bring in a big consultancy. Each sounds reasonable. For most mid-market businesses, each also breaks in a different way.

Option A: Hire a Full-Time CISO

The Cost Problem

According to PayScale and Glassdoor New Zealand data from 2025, a CISO in New Zealand commands a salary between $162,000 and $200,000 or more, depending on experience and sector. Add KiwiSaver contributions at 3%, ACC levies, professional development and conference attendance, and the tooling budget that any CISO will rightly demand, and the fully loaded cost exceeds $230,000 per year — before the person has produced a single deliverable.

For a business with 50 staff and $15 million in revenue, that is a significant line item. For a business with 20 staff, it is an impossibility. The economics of a full-time CISO are designed for enterprises with hundreds of millions in revenue. They do not scale down to the mid-market.

The Talent Problem

Even if the budget were available, the talent is not. According to the NZIQ, 70% of organisations believe the skills shortage directly increases their cyber risk (NZIQ, 2025). New Zealand competes for talent against markets — Australia, the United Kingdom, Singapore — that offer significantly higher compensation.

The practical result is that mid-market businesses that attempt to recruit a CISO face long hiring timelines, limited candidate pools, and the real risk of losing a new hire to a larger organisation within eighteen months. The recruitment cost, onboarding period, and knowledge loss create a cycle that many businesses cannot sustain.

The Utilisation Problem

There is a third issue rarely discussed openly: most mid-market businesses do not need a full-time CISO. A business with 80 staff and a manageable regulatory footprint needs strategic security leadership — but it does not need it forty hours a week. It needs it intensively during the initial reset, periodically for governance and reporting, and on-demand when incidents arise.

Hiring a full-time executive for a role that requires fifteen to twenty hours per month is a structural mismatch. The executive is either underutilised — which creates retention risk — or they expand into operational work better handled by other roles.

Option B: Rely on Your MSP

Where MSPs Excel

Managed service providers are a cornerstone of IT operations for New Zealand small and mid-sized businesses, and rightly so. A good MSP keeps infrastructure running, manages endpoints, handles patching, monitors uptime, and provides help desk support. For businesses that cannot justify a full internal IT team, MSPs deliver essential operational capability at a manageable cost.

Research from Huntress confirms that 84% of MSPs manage their clients' cyber infrastructure — firewalls, endpoint protection, email security, and backup systems (Huntress, 2024). This is valuable, necessary work. No one is arguing otherwise.

Where MSPs Do Not Operate

The problem is not what MSPs do. The problem is what they do not do — and what their clients assume they are doing.

MSPs, by design and by commercial model, operate at the infrastructure layer. They keep systems running and protected. What they do not typically provide is the ownership and evidence layer around security: risk assessments, compliance management, policy lifecycle work, personal-data visibility, vendor oversight, incident planning, board reporting, or staff awareness planning.

These are not infrastructure activities. They are leadership, ownership, and evidence activities. They require a different skill set, a different engagement model, and a different relationship with the business. An MSP technician configuring a firewall rule and a security leader presenting a risk assessment to a board of directors are operating in fundamentally different domains.

The gap is measurable. Research from ASI and New Zealand studies indicates that only 31% of New Zealand small and mid-sized businesses have formal IT policies in place (ASI/NZ research). Most of these businesses have MSPs. The MSP relationship has not produced governance capability, because governance is not what MSPs are contracted to deliver.

The MSP Risk Factor

There is an additional dimension that many businesses have not considered: MSPs themselves are a concentration of risk. A single MSP may manage the environments of dozens or hundreds of businesses. If that MSP is compromised, every one of those clients is potentially exposed.

Research from Cyvent found that 69% of MSPs have been breached two or more times (Cyvent, 2024). This is not an indictment of MSPs as a category — it is a reflection of the fact that they are high-value targets precisely because they hold the keys to so many client environments.

The Mercury IT attack in November 2022 proved this in New Zealand. A single Wellington-based MSP was compromised by LockBit ransomware, and the breach cascaded across the Ministry of Justice, Te Whatu Ora, and health insurer Accuro — exposing over 14,500 coroners' files and 4,000 post-mortem reports (SecurityWeek, 2022). No governance layer existed between the MSP and the sensitive data it held. No vendor risk assessment had been conducted. The organisations affected learned about the gap the hardest way possible.

For the businesses that rely on MSPs, the question is whether anyone is assessing and managing that third-party risk. In most cases, no one is.

Option C: Hire a Big Consultancy

The Project Problem

The engagement model for large consultancies is almost always project-based. A scoping exercise produces a statement of work. The consultancy performs an assessment. A report is presented. The engagement ends. The invoice — typically structured on hourly rates from $250 to $450 per hour — arrives.

Six months later, the report is stale. The recommendations have not been implemented because no one is accountable for implementing them. The policies have not been reviewed because no one owns the review cycle. The risk register has not been updated because the consultancy moved on to the next client.

The Relationship and Speed Problem

Project-based engagements produce point-in-time outputs. Cybersecurity is not a point-in-time problem. Threats evolve. Regulations change. Staff turn over. Security work that is not actively maintained starts degrading from the moment it is delivered.

What mid-market businesses need is an ongoing relationship — someone who knows their environment, maintains their documentation, and is available when a decision needs to be made. Big consultancies are not structured to deliver this at a price point that makes sense for a $10 million business.

They also move at a pace misaligned with mid-market urgency. Scoping takes weeks. Delivery takes months. When a business owner receives a client security questionnaire and needs to respond within five business days, a consultancy engagement that begins with a two-week scoping process is not a solution.

The Missing Middle: Ongoing Security Governance at Business Scale

What the Market Has Not Offered — Until Now

Between the $200,000-plus full-time CISO, the infrastructure-focused MSP, and the project-based consultancy, there is a gap. It is the space where most New Zealand mid-market businesses actually sit — needing strategic security leadership, but at a scale, price point, and delivery model that reflects their reality.

This is the space consistent external security leadership is designed to fill.

This kind of engagement is not a helpdesk retainer. It is not ad hoc advice purchased by the hour. It is defined monthly security leadership with documented deliverables, measurable outcomes, and an ongoing relationship that deepens over time as the provider builds knowledge of the business.

What Ongoing Security Governance Looks Like

A strong engagement covers the full scope of security leadership that a mid-market business actually needs. In practice, that means tangible outputs: a baseline assessment, a working risk register, current policies, incident plans, privacy and customer evidence, staff awareness planning, and reporting leadership can use.

Within those disciplines, a mature provider delivers specific, tangible outputs — not hours of generic advice. These include security baseline assessments, risk registers with treatment plans, policy suites covering access control, data handling, acceptable use, and incident response, compliance management mapped to the Privacy Act 2020 and IPP 3A, personal data inventories, vendor risk assessments, incident response plans, practice runs, board-ready quarterly scorecards, and staff awareness plans.

The delivery model is ongoing. Policies are reviewed on a lifecycle, not written once and forgotten. Risk registers are updated as the business changes. Board reports are produced quarterly, not annually. Incident response plans are tested, updated, and tested again. The operating rhythm deepens over time, rather than arriving as a static document and immediately beginning to age.

The Cost Comparison

The financial case is straightforward. A full-time CISO costs $200,000 or more per year, fully loaded. Ongoing external security leadership delivers equivalent strategic outcomes — governance, compliance, risk management, board reporting, incident readiness — at a fraction of that cost. Monthly pricing for this kind of engagement typically ranges from $1,750 to $8,500 per month depending on the scope, complexity, and current state of the business (Good Security, 2026). That translates to $21,000 to $102,000 per year — a fraction of the cost of a full-time hire and a fraction of the average $530,000 cost of a cyber incident for a New Zealand small or mid-sized business (Kordia, 2024).

The comparison is not just about what you spend. It is about what you risk by spending nothing. Kordia's 2025 report found that approximately one-third of New Zealand organisations do no board-level cybersecurity reporting (Kordia, 2025). That means a third of businesses have no clear visibility into their own security status at the governance level. The cost of that blind spot is difficult to calculate until the day it matters — and on that day, it is the most expensive line item on the ledger.

What to Look for in This Kind of Engagement

Not all offerings are created equal. The label has become popular enough that it is applied to a wide range of services, some of which bear little resemblance to actual security leadership. If you are evaluating providers, the following criteria separate credible engagements from marketing exercises.

Red Flags

Generic templates with no local context. If the policies and compliance frameworks are not adapted to New Zealand legislation — the Privacy Act 2020, IPP 3A, the NZISM where applicable — they are not fit for purpose.

No ongoing relationship. If the engagement is structured as a one-off assessment with an optional add-on for "continued advisory," it is a consultancy project wearing a security-leadership label. The value of this model is that it is ongoing — building institutional knowledge and adapting the work as the business evolves.

No measurable outcomes. If the provider cannot articulate what you will receive, when you will receive it, and how progress is measured, the engagement is undefined. Demand a deliverable catalogue with timelines.

No evidence-based delivery. This kind of engagement should produce evidence the business can use — for insurance applications, client questionnaires, and board reporting. If the output is advice rather than documentation, the engagement is incomplete.

Green Flags

New Zealand-specific knowledge. The provider understands the NZ Privacy Act 2020, the implications of IPP 3A, the NZISM framework, and the NZ cyber insurance market. They know the regulatory environment your business operates in, not just the generic global best practices.

Clear methodology. The engagement follows a defined framework — baseline assessment, gap analysis, prioritised improvements, and an ongoing governance cycle. There is a clear starting point, a defined cadence, and a practical model for what happens next.

Transparent pricing. Monthly costs are predictable and published. There are no hidden hourly charges for "additional queries" or penalty rates for incident support. The business knows what it is paying and what it is receiving.

Evidence-based delivery. Every deliverable produces documentation — assessments, policies, registers, scorecards, response plans — that the business owns and can present to anyone who asks. The engagement builds an evidence library, not a collection of meeting notes.

Data sovereignty. For New Zealand businesses, where sensitive security data is processed and stored matters. A provider operating on New Zealand-based infrastructure, with no offshore data flows, provides assurance that security delivery data remains within the jurisdiction.

The Gap Is Not Closing on Its Own

The numbers tell a clear story. Fifty-nine percent of New Zealand businesses were attacked in 2024 (Kordia, 2025). Ninety-two percent of ANZ businesses experienced at least one breach in the past twelve months (NZIQ, 2025). Seventy percent of organisations believe the skills shortage is increasing their risk (NZIQ, 2025). Only thirty-one percent of small and mid-sized businesses have formal IT policies (ASI/NZ research). Approximately one-third of businesses do no board-level cybersecurity reporting (Kordia, 2025). The average cost of a cyber incident for an NZ small or mid-sized business is $530,000 (Kordia, 2024).

These are not problems that resolve themselves. They are not problems that an MSP will solve by managing your firewall more diligently. They are not problems that a big consultancy will solve with a one-off report. And they are not problems that most mid-market businesses can solve by hiring a $200,000 executive into a role they cannot fill or fully utilise.

They are governance problems. And governance problems require governance leadership — structured, ongoing, and scaled to the business that needs it.

The missing middle is not missing any more. It is consistent external security leadership designed for the businesses that need it most.

Close the Gap

59% of NZ businesses were attacked last year. The average cost of a cyber incident in New Zealand is $530,000 (Kordia, 2024). The gap between "we should do something" and "someone clearly owns this" is where that cost lives.

An ongoing monthly security-leadership engagement closes that gap — and costs a fraction of a single incident. Most businesses see measurable improvement in their security status within the first 90 days.

Book a consultation or view pricing — see what the first 90 days can look like for a business your size and what level of support fits.

What Happens Next

Need to turn this into a practical next step?

A working session shapes the first 90 days of the missing-middle model — owner-led, evidence-backed, and priced well short of a full-time CISO hire