The real question isn't whether to hire a CISO
The short version: A full-time CISO costs $180,000–$280,000+ per year. For most NZ businesses between 10 and 500 staff, that is the wrong shape of solution. The right question is who actually owns security in the business right now, and what it costs to put a real person in that seat without hiring an executive. The answer is usually a named, part-time security lead working a few days a month on a defined rhythm — same person each time, with deliverables you can show clients and insurers — from $1,750 a month. View pricing or book a consultation to see what that looks like for a business your size.
Most NZ business owners do not have a tools problem first. They have an ownership problem. Security questions keep arriving from customers, insurers, auditors, and leadership, but there is no clear person whose job it is to answer them. The IT person also runs the printers. The accountant also handles the computers. The MSP keeps the lights on. None of them sign off on whether the business is actually defensible.
Hiring a full-time CISO solves the ownership problem at enterprise scale. It also comes with enterprise economics. By the time salary, KiwiSaver, benefits, recruiting, and tooling are loaded in, the role lands between $180,000 and $280,000+ per year.
For organisations with 10 to 500 staff, that is the wrong shape. You do not need forty hours a week of executive time. You need a real owner, on a real rhythm, who turns the next hard question into a calm answer.
What "someone who actually owns it" looks like
Not a helpdesk. Not a one-off audit. Not a retainer that produces an invoice and silence between visits. The useful version is a named person — the same person — working with the business on a monthly rhythm. They run the baseline assessment, write the policies that match how the business actually operates, keep the risk register current, hold the relationship with the cyber insurer, draft the response plan before it is needed, and present security at board meetings in language the board can act on.
The model is part-time. The ownership isn't.
The cost comparison
| | Full-time CISO | A named, part-time security lead | Doing nothing |
|---|---|---|---|
| Annual cost | $180K–$280K+ salary, plus on-costs | $18K–$72K/year depending on tier | $0 upfront |
| Ramp-up time | 3–6 months to recruit and onboard | Operational within weeks | N/A |
| What you get | Depends entirely on the individual | A defined deliverable list every quarter | Nothing until something breaks |
| Coverage | Single point of failure | Backed by a team, consistent each month | No coverage |
| NZ context | Variable depending on hire | NZ-grounded, NZ-hosted infrastructure | N/A |
| Cost of doing nothing | — | — | Average breach $200K–$1M+, insurance refusal, regulatory action |
The "doing nothing" column is the one most owners underestimate. The average cost of a cyber incident for an NZ small or mid-sized business sits in the high six figures, and cyber insurers are increasingly declining renewals from businesses with no demonstrable security ownership.
What the work actually delivers
Inside a working monthly rhythm, the business gets:
- Security Baseline Assessment — a clear picture of where things actually stand
- Policy Suite — written for the business's real systems and people, not generic templates
- Risk Register — prioritised, with treatment plans
- Compliance Programme — mapped to Privacy Act 2020 (including IPP 3A and IPP 12) and the standards your industry actually faces
- Quarterly Security Scorecards — board-ready reporting that tracks progress and surfaces drift
- Incident Response Plans — practical, tested, ready before the call comes in
- Vendor Risk Register — so the third-party gap doesn't quietly become your gap
These are documented, maintained, and yours. They go to insurers, customers, and auditors when those people start asking hard questions.
When you actually do need a full-time hire
A full-time security executive is the right call when the business has more than 500 staff, runs complex multi-site environments, has its own internal security team to lead, or operates under regulation that names a specific officer. At that scale, full-time is the right shape and the spend pays for itself.
For most NZ businesses below that line, full-time is the wrong shape — not because the work doesn't matter, but because the work doesn't fill an executive's week.
Why the NZ version of this looks different
The version of this role that works for NZ businesses is delivered locally. Your security programme is built for the NZ regulatory environment by people who understand the local context — the Privacy Act, FMA, RBNZ, NZISM, NZQA, AML/CFT, ANZ insurers, the lot. Client work is held on NZ-hosted infrastructure. For organisations with strict data-residency obligations, the Sovereign Processing add-on means every AI-assisted analysis runs on private New Zealand infrastructure — no data crosses the border.
What it costs to fix this properly
You already know the business needs a real security owner. Hiring a full-time CISO at $180,000 to $280,000 per year is the right move at 500+ staff. For most NZ businesses between 10 and 500 people, it is not. A named, part-time security lead — same person, monthly rhythm, defined deliverables — covers the work that matters from $1,750 a month. The gap between "we need someone running security" and "we can actually afford that" is already closed.
Book a free consultation — see what the first 90 days can look like for a business your size.