The Question Nobody Answers Clearly
The short version: 59% of NZ businesses were attacked last year and the average incident costs $530,000 — yet only 31% of small and mid-sized businesses have formal security policies. A structured vCISO programme builds a complete, measurable security programme in 12 months for a fraction of the cost of one incident. Book a free consultation to see what the first 90 days look like. Read on for the full month-by-month breakdown.
Every business leader who has considered cybersecurity investment eventually asks the same question: what does a security programme actually look like for a company our size?
The cybersecurity industry consistently fails to answer in plain terms. Instead, buyers are presented with frameworks, acronyms, capability models, and vague promises of "risk reduction." For a managing director running a 50-person company in New Zealand, that is not helpful. You want to know what happens, when it happens, and what you walk away with.
The numbers paint a stark picture of why this matters. According to Kordia's 2025 New Zealand Cyber Resilience Report, 59% of New Zealand businesses experienced a cyber attack or incident in 2024. The average cost of a cyber incident for a New Zealand small or mid-sized business sits at approximately $530,000 (Kordia, 2024). Yet only 31% of New Zealand small and mid-sized businesses have formal IT policies in place (ASI/NZ research). There is a significant gap between awareness and action.
Consider what the absence of a programme looks like in practice. When the Waikato District Health Board was hit by ransomware in May 2021, the insurance claim reached NZD $16.5 million and exceeded the policy limit. Clinical systems were offline for months. The premium jumped from $400,000 to $1.3 million per year (Reseller News; Te Whatu Ora). When Mercury IT — a Wellington-based MSP — was compromised by LockBit ransomware in November 2022, the breach cascaded across the Ministry of Justice, Te Whatu Ora, and health insurer Accuro, exposing over 14,500 coroners' files (SecurityWeek, 2022). In both cases, the organisations affected had some technical controls. What they lacked was a structured security programme — the governance, policies, risk management, and incident readiness that turn controls into a defensible security position.
This article walks through exactly what happens when a 50-person New Zealand company engages a virtual CISO to build a security programme from the ground up. Month by month, deliverable by deliverable. No jargon. No sales pitch. Just a transparent look at what a modern security programme looks like in practice.
Month 1: Discovery and Baseline
The first month is entirely diagnostic. Nothing is built, fixed, or purchased. The objective is to understand what you have, where the gaps are, and what the priorities should be.
Information Asset Register
Every security programme begins with knowing what you are protecting. The virtual CISO works with your team to build a complete information asset register — a structured inventory of the systems, applications, data stores, and infrastructure your business relies on.
For a 50-person company, this typically captures between 30 and 80 information assets. More importantly, it identifies assets that nobody was tracking — the shared spreadsheet with client data, the legacy CRM that marketing still uses, or the personal Dropbox account someone set up three years ago.
Personal Data Inventory
Under the Privacy Act 2020, every New Zealand organisation must understand what personal information it holds, where it is stored, and how it flows through the business. The personal data inventory maps this out: what categories of personal data you collect, from whom, for what purpose, where it is stored, who has access, and how long it is retained. This deliverable is foundational for Privacy Act compliance and directly supports IPP 3A transparency requirements.
Security Baseline Assessment
With the asset and data inventories complete, the virtual CISO conducts a security baseline assessment. This is a structured evaluation of your current security status across key domains: access control, endpoint protection, network security, data protection, backup and recovery, incident response readiness, and governance.
The output is not a 200-page technical report. It is a clear, prioritised gap analysis that tells you exactly where you stand today and what needs to happen first. For most 50-person companies, the baseline assessment reveals a pattern: some technical controls are in place (antivirus, firewalls, basic backups), but governance, policy, and process controls are largely absent.
What You Have at the End of Month 1
- A complete information asset register
- A personal data inventory mapped to Privacy Act requirements
- A security baseline assessment with prioritised gap analysis
- A 12-month programme roadmap tailored to your organisation
You have not spent money on tools or technology. You have spent time understanding your environment. That understanding is what makes everything that follows effective rather than reactive.
Month 2: Foundation Building
Month 2 shifts from discovery to construction. The foundations of a security programme are not technical controls — they are policies, processes, and plans that define how your organisation manages risk.
Policy Suite
A modern security programme requires a core set of policies that are board-approved, staff-accessible, and regularly reviewed. The virtual CISO drafts a suite of 12 core policies tailored to your organisation, your industry, and your risk profile. These typically include:
- Information Security Policy (overarching governance)
- Acceptable Use Policy
- Access Control Policy
- Data Classification and Handling Policy
- Incident Response Policy
- Backup and Recovery Policy
- Remote Working and BYOD Policy
- Vendor and Third-Party Risk Policy
- Password and Authentication Policy
- Change Management Policy
- Physical Security Policy
- Privacy and Data Protection Policy
These are not templates downloaded from the internet. They are professionally drafted documents that reflect your actual business operations, systems, and regulatory obligations.
Incident Response Plans
Policies define the rules. Response plans define the actions. The virtual CISO develops five core incident response plans covering the scenarios most likely to affect a 50-person company:
- Ransomware or malware outbreak — containment, isolation, recovery, and communication steps
- Business email compromise — detection, account lockdown, financial fraud prevention
- Data breach involving personal information — Privacy Act notification obligations, evidence preservation
- System outage or IT failure — notification paths, backup restoration, business continuity
- Insider threat or policy violation — investigation procedures, HR coordination, evidence handling
Each plan includes roles and responsibilities, notification contacts, decision trees, and communication templates. When an incident occurs, your team does not have to figure out what to do — they follow the plan.
Risk Register
The risk register translates the baseline assessment into a structured, prioritised list of security risks with defined treatment plans. Each risk is assessed for likelihood and impact, assigned an owner, and tracked through to resolution. For a 50-person company, the initial risk register typically contains between 15 and 30 risks, ranging from technical vulnerabilities to governance gaps.
Vendor Risk Assessment
Most 50-person companies rely on 10 to 30 third-party vendors who have access to company data or systems. The vendor risk assessment evaluates the security position of your critical vendors and establishes a framework for ongoing vendor risk management.
What You Have at the End of Month 2
- 12 core security policies, board-ready for approval
- 5 incident response plans with roles and decision trees
- A prioritised risk register with treatment plans
- A vendor risk assessment covering critical third parties
Your organisation now has the foundational governance framework that most cybersecurity capability models require. This is the layer that insurers, auditors, and clients look for when they ask whether you take security seriously.
Month 3: Compliance Sprint
With governance foundations in place, Month 3 focuses on regulatory and commercial compliance — the requirements that directly affect your ability to win work, secure insurance, and meet legal obligations.
Cyber Insurance Readiness Assessment
Cyber insurance applications have become significantly more demanding. Insurers now ask detailed questions about multi-factor authentication, endpoint detection and response, backup strategies, incident response plans, and employee awareness training. The virtual CISO conducts a cyber insurance readiness assessment that maps your current controls against common insurer requirements and identifies gaps that could result in declined coverage or inflated premiums.
The policy suite and incident response plans completed in Month 2 close the majority of insurer requirements. The readiness assessment identifies remaining technical gaps — such as MFA on all remote access or offline backup copies — so they can be addressed before renewal.
Privacy Act Compliance Review
The Privacy Act 2020 applies to every New Zealand organisation that handles personal information. The compliance review evaluates your practices against the 13 Information Privacy Principles and produces a compliance status report with an improvement plan. For most 50-person companies, the primary gaps are around transparency (telling people what you collect and why), retention (keeping data longer than necessary), and access (responding to information requests within the required timeframe).
IPP 3A Preparation
IPP 3A requires organisations to notify individuals when personal information is collected from sources other than the individual — such as referrals, background checks, or third-party data feeds. The virtual CISO maps your indirect collection points, prepares the notification templates and processes required to demonstrate compliance, and builds the internal procedures for identifying and responding to new third-party data flows.
Security Questionnaire Response Capability
Your clients and prospective clients will increasingly send you security questionnaires as part of their vendor due diligence. Without a security programme, responding is time-consuming and often embarrassing. With the programme built during Months 1 through 3, the virtual CISO establishes a questionnaire response capability — a library of pre-approved answers and supporting evidence that allows you to respond confidently and efficiently.
What You Have at the End of Month 3
- Cyber insurance readiness assessment with gap closure
- Privacy Act compliance review and improvement plan
- IPP 3A documentation and processes
- Security questionnaire response capability
At the end of the first quarter, your organisation has moved from "we know we should be doing something" to "we have a documented, structured security programme with demonstrable compliance." That is the kind of change a structured programme is meant to create in the first 90 days.
Months 4 to 6: Maturation
The first quarter builds the programme. The second quarter embeds it into how your organisation operates.
Security Awareness Programme
Technology controls are only effective if staff understand their role in security. The virtual CISO implements a security awareness programme that includes training modules, simulated phishing exercises, and role-specific guidance. The programme is practical and relevant, not empty box-ticking. Staff learn to recognise phishing emails, understand password hygiene, and know what to do if something looks wrong.
Board Advisory Reporting
Security governance requires board-level visibility. The virtual CISO produces monthly reports and quarterly board advisory packs that translate technical security status into business language — programme progress, risk status, incident summary, compliance position, and upcoming priorities. Directors do not need to understand firewall rules. They need to understand whether security risk is being managed effectively.
Quarterly Security Scorecards
The quarterly security scorecard tracks your security position over time against defined metrics across governance, technical controls, compliance, and awareness. It provides a clear, visual representation of where the programme started, where it is today, and where it is heading — the deliverable that demonstrates continuous improvement to insurers, auditors, and clients.
Ongoing Monitoring and Advisory
Between formal deliverables, the virtual CISO provides ongoing advisory support — answering security questions, reviewing proposed technology changes, and advising on emerging threats. This is not reactive break-fix support. It is proactive, strategic guidance that keeps security aligned with business objectives.
What You Have at the End of Month 6
- An embedded security awareness programme with measurable engagement
- Monthly reporting and quarterly board advisory packs
- Two quarterly security scorecards showing measurable improvement
- Ongoing strategic advisory and threat monitoring
Your organisation now operates a functioning security programme. Staff understand their responsibilities. The board has visibility. Risk is being actively managed and measured.
Months 7 to 12: Continuous Improvement
The second half of the year shifts focus from building and embedding to refining and proving.
Cross-Framework Mapping
Many organisations face multiple compliance obligations — the Privacy Act, industry-specific regulations, client contractual requirements, and frameworks like NZISM or ISO 27001. The virtual CISO maps your security programme across applicable frameworks to identify where a single control satisfies multiple requirements and where gaps remain.
Audit Readiness
Whether you are pursuing formal certification, responding to a client audit, or preparing for a regulatory inquiry, audit readiness means having evidence organised, documentation current, and controls demonstrable. The virtual CISO ensures your programme is audit-ready — not by creating paperwork for its own sake, but by maintaining the evidence that auditors, regulators, and clients expect to see.
Annual Security Report
At the 12-month mark, the virtual CISO produces a detailed annual security report. This document summarises the year's programme activities, risk position changes, incident history, compliance achievements, and recommendations for the year ahead. It serves as both a governance record and a strategic planning tool for the next phase of your security programme.
Programme Refinement
No security programme is static. The annual review identifies what is working, what needs adjustment, and what new risks have emerged. The programme roadmap is updated for the next 12 months, incorporating lessons learned and changes in your business environment.
What You Have at the End of Month 12
- Cross-framework compliance mapping
- Audit-ready documentation and evidence library
- Detailed annual security report
- Updated programme roadmap for Year 2
After 12 months, you do not just have a collection of documents. You have a living, measurable security programme that your organisation owns. If you ever change providers or bring security in-house, the programme, the documentation, and the processes stay with you.
What It Costs
Transparency matters. Here is what a virtual CISO engagement costs and what each tier delivers.
Baseline — $1,750 per month
The entry point for organisations that need foundational security governance. Baseline delivers the core programme elements: security baseline assessment, policy suite, risk register, incident response plans, and quarterly reporting. This tier is suited to organisations with lower complexity and straightforward compliance requirements, or businesses that need to move from "we should probably do something" to "we now have a real programme."
Assurance — $3,500 per month
The tier most 50-person companies move into once customer, insurer, or privacy pressure becomes active. Assurance includes everything in Baseline plus the broader compliance and evidence programme: Privacy Act review, IPP 3A preparation, cyber insurance readiness, vendor risk management, security awareness design, cross-framework mapping, and stronger reporting support. This is the engagement level that delivers the month-by-month programme described in this article when the scrutiny is already real.
Leadership — $8,500 per month
For organisations with higher complexity, regulatory exposure, or accelerated timelines. Leadership includes everything in Assurance with expanded scope: more frequent touchpoints, deeper technical assessments, dedicated incident response support, and strategic advisory at the executive and board level.
All tiers include monthly reporting, quarterly scorecards, and annual reviews as standard. There are no hidden fees, no hourly overage charges, and no lock-in contracts. You own every deliverable produced during the engagement.
For a 50-person company on the Assurance tier, the annual investment is $42,000 — a fraction of the $180,000 to $280,000 cost of a full-time CISO hire, and a fraction of the $530,000 average cost of a cyber incident.
Building a Capability, Not Buying a Product
The purpose of a virtual CISO engagement is not to create a dependency. It is to build a security capability within your organisation that you own and retain regardless of who manages it.
After 12 months, your organisation has a complete security programme: policies, processes, risk management, compliance documentation, staff awareness, board reporting, and a track record of measurable improvement. That programme belongs to you.
The average NZ cyber incident costs $530,000. A full-time CISO costs $200,000+ per year. An Assurance programme costs $42,000 per year and delivers the same governance outcomes — risk assessment, policy lifecycle, compliance management, board reporting, and incident coordination. The question is not whether you can afford a security programme. It is whether you can afford another year without one.
Book a free consultation — see what the first 90 days can look like for a business your size.