The Cybersecurity Missing Middle — Why NZ Small Businesses Are Trapped Between Bad Options

Full-time CISOs cost $200K+. MSPs do not cover governance. Big consultancies are too slow. Here is the option most NZ small and mid-sized businesses have not considered.

16 January 2026 15 min read By Good Security

The Gap Nobody Is Solving

The short version: 59% of NZ businesses were attacked last year and the average incident costs $530,000. Most mid-size businesses have some controls but no programme — and that gap is fixable with structured vCISO support that costs a fraction of a single incident. Book a consultation to see what the first 90 days look like. Read on for the full breakdown.

There is a question that sits at the centre of cybersecurity for most New Zealand businesses, and it rarely gets asked in explicit terms: who is actually responsible for our security programme?

Not who manages the firewall. Not who resets passwords. Not who runs the antivirus. The question is about leadership — who owns the security strategy, sets the risk tolerance, ensures compliance obligations are met, produces board-level reporting, and makes the difficult decisions when something goes wrong?

For large enterprises, the answer is clear: a Chief Information Security Officer. For the smallest businesses, the question is moot — there is no programme to lead. But for the broad middle of the New Zealand economy — businesses with 20 to 500 staff, turning over between two million and one hundred million dollars — the answer is almost always the same: nobody. Or, more precisely, somebody is doing it as an afterthought alongside their actual job.

This is not a minor gap. Kordia's 2025 New Zealand Business Cyber Security Report found that 59% of New Zealand businesses experienced a cyber attack or incident in 2024 (Kordia, 2025). The New Zealand Institute of Quantitative Research (NZIQ) reports that 92% of businesses in New Zealand and Australia experienced at least one security breach in the past twelve months (NZIQ, 2025). The threat landscape is not theoretical. It is affecting the majority of businesses operating in this country every single year.

Yet when these mid-market business owners look for solutions, they find themselves trapped between three options — none of which actually fits. This article examines why each option fails, and what the alternative looks like.

Option A: Hire a Full-Time CISO

The Cost Problem

According to PayScale and Glassdoor New Zealand data from 2025, a CISO in New Zealand commands a salary between $162,000 and $200,000 or more, depending on experience and sector. Add KiwiSaver contributions at 3%, ACC levies, professional development and conference attendance, and the tooling budget that any CISO will rightly demand, and the fully loaded cost exceeds $230,000 per year — before the person has produced a single deliverable.

For a business with 50 staff and $15 million in revenue, that is a significant line item. For a business with 20 staff, it is an impossibility. The economics of a full-time CISO are designed for enterprises with hundreds of millions in revenue. They do not scale down to the mid-market.

The Talent Problem

Even if the budget were available, the talent is not. According to the NZIQ, 70% of organisations believe the skills shortage directly increases their cyber risk (NZIQ, 2025). New Zealand competes for talent against markets — Australia, the United Kingdom, Singapore — that offer significantly higher compensation.

The practical result is that mid-market businesses that attempt to recruit a CISO face long hiring timelines, limited candidate pools, and the real risk of losing a new hire to a larger organisation within eighteen months. The recruitment cost, onboarding period, and knowledge loss create a cycle that many businesses cannot sustain.

The Utilisation Problem

There is a third issue rarely discussed openly: most mid-market businesses do not need a full-time CISO. A business with 80 staff and a manageable regulatory footprint needs strategic security leadership — but it does not need it forty hours a week. It needs it intensively during programme setup, periodically for governance and reporting, and on-demand when incidents arise.

Hiring a full-time executive for a role that requires fifteen to twenty hours per month is a structural mismatch. The executive is either underutilised — which creates retention risk — or they expand into operational work better handled by other roles.

Option B: Rely on Your MSP

Where MSPs Excel

Managed service providers are a cornerstone of IT operations for New Zealand small and mid-sized businesses, and rightly so. A good MSP keeps infrastructure running, manages endpoints, handles patching, monitors uptime, and provides help desk support. For businesses that cannot justify a full internal IT team, MSPs deliver essential operational capability at a manageable cost.

Research from Huntress confirms that 84% of MSPs manage their clients' cyber infrastructure — firewalls, endpoint protection, email security, and backup systems (Huntress, 2024). This is valuable, necessary work. No one is arguing otherwise.

Where MSPs Do Not Operate

The problem is not what MSPs do. The problem is what they do not do — and what their clients assume they are doing.

MSPs, by design and by commercial model, operate at the infrastructure layer. They keep systems running and protected. What they do not typically provide is security governance: risk assessments, compliance programme management, security policy development and lifecycle management, personal data inventories, vendor risk oversight, incident response planning and testing, board-level security reporting, or security awareness programme design.

These are not infrastructure activities. They are governance activities. They require a different skill set, a different engagement model, and a different relationship with the business. An MSP technician configuring a firewall rule and a security leader presenting a risk assessment to a board of directors are operating in fundamentally different domains.

The gap is measurable. ASI and New Zealand studies indicate that only 31% of New Zealand small and mid-sized businesses have formal IT policies in place (ASI/NZ research). Most of these businesses have MSPs. The MSP relationship has not produced governance capability, because governance is not what MSPs are contracted to deliver.

The MSP Risk Factor

There is an additional dimension that many businesses have not considered: MSPs themselves are a concentration of risk. A single MSP may manage the environments of dozens or hundreds of businesses. If that MSP is compromised, every one of those clients is potentially exposed.

Research from Cyvent found that 69% of MSPs have been breached two or more times (Cyvent, 2024). This is not an indictment of MSPs as a category — it is a reflection of the fact that they are high-value targets precisely because they hold the keys to so many client environments.

The Mercury IT attack in November 2022 proved this in New Zealand. A single Wellington-based MSP was compromised by LockBit ransomware, and the breach cascaded across the Ministry of Justice, Te Whatu Ora, and health insurer Accuro — exposing over 14,500 coroners' files and 4,000 post-mortem reports (SecurityWeek, 2022). No governance layer existed between the MSP and the sensitive data it held. No vendor risk assessment had been conducted. The organisations affected learned about the gap the hardest way possible.

For the businesses that rely on MSPs, the question is whether anyone is assessing and managing that third-party risk. In most cases, no one is.

Option C: Hire a Big Consultancy

The Project Problem

The engagement model for large consultancies is almost always project-based. A scoping exercise produces a statement of work. The consultancy performs an assessment. A report is presented. The engagement ends. The invoice — typically structured on hourly rates from $250 to $450 per hour — arrives.

Six months later, the report is stale. The recommendations have not been implemented because no one is accountable for implementing them. The policies have not been reviewed because no one owns the review cycle. The risk register has not been updated because the consultancy moved on to the next client.

The Relationship and Speed Problem

Project-based engagements produce point-in-time outputs. Cybersecurity is not a point-in-time problem. Threats evolve. Regulations change. Staff turn over. A security programme that is not actively maintained degrades from the moment it is delivered.

What mid-market businesses need is an ongoing relationship — someone who knows their environment, maintains their documentation, and is available when a decision needs to be made. Big consultancies are not structured to deliver this at a price point that makes sense for a $10 million business.

They also move at a pace misaligned with mid-market urgency. Scoping takes weeks. Delivery takes months. When a business owner receives a client security questionnaire and needs to respond within five business days, a consultancy engagement that begins with a two-week scoping process is not a solution.

The Missing Middle: Structured, Ongoing Security Leadership at Small Business Scale

What the Market Has Not Offered — Until Now

Between the $200,000-plus full-time CISO, the infrastructure-focused MSP, and the project-based consultancy, there is a gap. It is the space where most New Zealand mid-market businesses actually sit — needing strategic security leadership, but at a scale, price point, and delivery model that reflects their reality.

This is the space a structured Virtual CISO engagement is designed to fill.

A vCISO engagement is not a helpdesk retainer. It is not ad hoc advice purchased by the hour. It is a defined programme of security leadership delivered on a predictable monthly cadence, with documented deliverables, measurable outcomes, and an ongoing relationship that deepens over time as the provider builds knowledge of the business.

What a Structured vCISO Engagement Looks Like

A properly structured vCISO programme covers the full scope of security leadership that a mid-market business requires. This typically spans seven core disciplines: governance and strategy, risk management, compliance, policy and documentation, incident preparedness, security awareness, and reporting and oversight.

Within those disciplines, a mature vCISO provider delivers specific, tangible outputs — not hours of generic advice. These include security baseline assessments, risk registers with treatment plans, policy suites covering access control, data handling, acceptable use, and incident response, compliance programme management mapped to the Privacy Act 2020 and IPP 3A, personal data inventories, vendor risk assessments, incident response plans, practice runs, board-ready quarterly scorecards, and security awareness programmes.

The delivery model is ongoing. Policies are reviewed on a lifecycle, not written once and forgotten. Risk registers are updated as the business changes. Board reports are produced quarterly, not annually. Incident response plans are tested, updated, and tested again. The programme builds and matures over time, rather than arriving as a static document and immediately beginning to age.

The Cost Comparison

The financial case is straightforward. A full-time CISO costs $200,000 or more per year, fully loaded. A structured vCISO engagement delivers equivalent strategic outcomes — governance, compliance, risk management, board reporting, incident readiness — at a fraction of that cost. Monthly pricing for a full vCISO programme typically ranges from $1,750 to $8,500 per month depending on the scope, complexity, and maturity of the business (Good Security, 2026). That translates to $21,000 to $102,000 per year — a fraction of the cost of a full-time hire and a fraction of the average $530,000 cost of a cyber incident for a New Zealand small or mid-sized business (Kordia, 2024).

The comparison is not just about what you spend. It is about what you risk by spending nothing. Kordia's 2025 report found that approximately one-third of New Zealand organisations do no board-level cybersecurity reporting (Kordia, 2025). That means a third of businesses have no structured visibility into their own security status at the governance level. The cost of that blind spot is difficult to calculate until the day it matters — and on that day, it is the most expensive line item on the ledger.

What to Look for in a vCISO Engagement

Not all vCISO offerings are created equal. The label has become popular enough that it is applied to a wide range of services, some of which bear little resemblance to actual security leadership. If you are evaluating vCISO providers, the following criteria separate credible programmes from marketing exercises.

Red Flags

Generic templates with no local context. If the policies and compliance frameworks are not adapted to New Zealand legislation — the Privacy Act 2020, IPP 3A, the NZISM where applicable — they are not fit for purpose.

No ongoing relationship. If the engagement is structured as a one-off assessment with an optional add-on for "continued advisory," it is a consultancy project wearing a vCISO label. The value of a vCISO model is that it is ongoing — building institutional knowledge and adapting the programme as the business evolves.

No measurable outcomes. If the provider cannot articulate what you will receive, when you will receive it, and how progress is measured, the engagement is undefined. Demand a deliverable catalogue with timelines.

No evidence-based delivery. A vCISO programme should produce evidence the business can use — for insurance applications, client questionnaires, and board reporting. If the output is advice rather than documentation, the programme is incomplete.

Green Flags

New Zealand-specific knowledge. The provider understands the NZ Privacy Act 2020, the implications of IPP 3A, the NZISM framework, and the NZ cyber insurance market. They know the regulatory environment your business operates in, not just the generic global best practices.

Structured methodology. The programme follows a defined framework — baseline assessment, gap analysis, prioritised improvements, ongoing governance cycle. There is a clear starting point, a defined cadence, and a capability model that shows where the business is heading.

Transparent pricing. Monthly costs are predictable and published. There are no hidden hourly charges for "additional queries" or penalty rates for incident support. The business knows what it is paying and what it is receiving.

Evidence-based delivery. Every deliverable produces documentation — assessments, policies, registers, scorecards, response plans — that the business owns and can present to anyone who asks. The programme builds an evidence library, not a collection of meeting notes.

Data sovereignty. For New Zealand businesses, where sensitive security data is processed and stored matters. A provider operating on New Zealand-based infrastructure, with no offshore data flows, provides assurance that security programme data remains within the jurisdiction.

The Gap Is Not Closing on Its Own

The numbers tell a clear story. Fifty-nine percent of New Zealand businesses were attacked in 2024 (Kordia, 2025). Ninety-two percent of ANZ businesses experienced at least one breach in the past twelve months (NZIQ, 2025). Seventy percent of organisations believe the skills shortage is increasing their risk (NZIQ, 2025). Only thirty-one percent of small and mid-sized businesses have formal IT policies (ASI/NZ research). Approximately one-third of businesses do no board-level cybersecurity reporting (Kordia, 2025). The average cost of a cyber incident for an NZ small or mid-sized business is $530,000 (Kordia, 2024).

These are not problems that resolve themselves. They are not problems that an MSP will solve by managing your firewall more diligently. They are not problems that a big consultancy will solve with a one-off report. And they are not problems that most mid-market businesses can solve by hiring a $200,000 executive into a role they cannot fill or fully utilise.

They are governance problems. And governance problems require governance leadership — structured, ongoing, and scaled to the business that needs it.

The missing middle is not missing any more. It is a vCISO engagement designed for the businesses that need it most.

Close the Gap

59% of NZ businesses were attacked last year. The average cost of a cyber incident in New Zealand is $530,000 (Kordia, 2025). The gap between "we should do something" and "we have a programme" is where that cost lives.

A structured vCISO programme closes that gap — and costs a fraction of a single incident. Most businesses see measurable improvement in their security status within the first 90 days.

Book a consultation or view pricing — see what the first 90 days can look like for a business your size and what level of programme fits.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.