Monthly Security Support for a 50-Person Business

A month-by-month look at what changes when a 50-person NZ business gets external security support: ownership, policies, response plans, and reporting.

23 January 2026 14 min read By Good Security

The Question Nobody Answers Clearly

The short version: Most 50-person businesses are not stuck because they do not care about security. They are stuck because nobody owns it. 59% of NZ businesses were attacked last year, the average incident costs about $530,000, and only 31% of small and mid-sized businesses have formal security policies. Structured monthly support turns that gap into a working plan, usable evidence, and clear ownership. Book a free consultation to see what the first 90 days look like.

Most 50-person businesses do not need more security advice. They need someone to own the work.

That ownership is what changes what happens in month one, what gets written in month two, and what leadership can show later to insurers, customers, and staff.

The absence of an owner is expensive. Kordia found that 59% of New Zealand businesses experienced a cyber attack or incident in 2024, and the average cost for a small or mid-sized business sits around $530,000. At the same time, only 31% have formal IT policies in place. Many leaders know they should act, but still cannot picture the path from "we should sort this out" to "we have something credible in place."

When something goes wrong, the damage is not just the malware or the stolen password. It is the scramble that follows: no current asset list, no clear policies, no agreed owner, and no calm response process.

This guide closes that gap. It shows what the first year of external security leadership usually looks like in a 50-person New Zealand company: what gets built first, what leadership gets back, and how the work becomes a repeatable monthly rhythm instead of another forgotten project.

Month 1: Discovery and Baseline

The first month is entirely diagnostic. Nothing is built, fixed, or purchased. The objective is to understand what you have, where the gaps are, and what the priorities should be.

Information Asset Register

Every real security effort begins with knowing what you are protecting. The security lead works with your team to build a complete information asset register — a clear inventory of the systems, applications, data stores, and infrastructure your business relies on.

For a 50-person company, this typically captures between 30 and 80 information assets. More importantly, it identifies assets that nobody was tracking — the shared spreadsheet with client data, the legacy CRM that marketing still uses, or the personal Dropbox account someone set up three years ago.

Personal Data Inventory

Under the Privacy Act 2020, every New Zealand organisation must understand what personal information it holds, where it is stored, and how it flows through the business. The personal data inventory maps this out: what categories of personal data you collect, from whom, for what purpose, where it is stored, who has access, and how long it is retained. This deliverable is foundational for Privacy Act compliance and directly supports IPP 3A transparency requirements.

Security Baseline Assessment

With the asset and data inventories complete, the security lead conducts a security baseline assessment. This is a structured evaluation of your current security status across key domains: access control, endpoint protection, network security, data protection, backup and recovery, incident response readiness, and governance.

The output is not a 200-page technical report. It is a clear, prioritised gap analysis that tells you exactly where you stand today and what needs to happen first. For most 50-person companies, the baseline assessment reveals a pattern: some technical controls are in place (antivirus, firewalls, basic backups), but governance, policy, and process controls are largely absent.

What You Have at the End of Month 1

  • A complete information asset register
  • A personal data inventory mapped to Privacy Act requirements
  • A security baseline assessment with prioritised gap analysis
  • A 12-month security roadmap tailored to your organisation

You have not spent money on tools or technology. You have spent time understanding your environment. That understanding is what makes everything that follows effective rather than reactive.

Month 2: Foundation Building

Month 2 shifts from discovery to construction. The foundations of credible security management are not technical controls — they are policies, processes, and plans that define how your organisation manages risk.

Policy Suite

A credible security setup requires a core set of policies that are board-approved, staff-accessible, and regularly reviewed. The security lead drafts a suite of 12 core policies tailored to your organisation, your industry, and your risk profile. These typically include:

  1. Information Security Policy (overarching governance)
  2. Acceptable Use Policy
  3. Access Control Policy
  4. Data Classification and Handling Policy
  5. Incident Response Policy
  6. Backup and Recovery Policy
  7. Remote Working and BYOD Policy
  8. Vendor and Third-Party Risk Policy
  9. Password and Authentication Policy
  10. Change Management Policy
  11. Physical Security Policy
  12. Privacy and Data Protection Policy

These are not templates downloaded from the internet. They are professionally drafted documents that reflect your actual business operations, systems, and regulatory obligations.

Incident Response Plans

Policies define the rules. Response plans define the actions. The security lead develops five core incident response plans covering the scenarios most likely to affect a 50-person company:

  1. Ransomware or malware outbreak — containment, isolation, recovery, and communication steps
  2. Business email compromise — detection, account lockdown, financial fraud prevention
  3. Data breach involving personal information — Privacy Act notification obligations, evidence preservation
  4. System outage or IT failure — notification paths, backup restoration, business continuity
  5. Insider threat or policy violation — investigation procedures, HR coordination, evidence handling

Each plan includes roles and responsibilities, notification contacts, decision trees, and communication templates. When an incident occurs, your team does not have to figure out what to do — they follow the plan.

Risk Register

The risk register translates the baseline assessment into a structured, prioritised list of security risks with defined treatment plans. Each risk is assessed for likelihood and impact, assigned an owner, and tracked through to resolution. For a 50-person company, the initial risk register typically contains between 15 and 30 risks, ranging from technical vulnerabilities to governance gaps.

Vendor Risk Assessment

Most 50-person companies rely on 10 to 30 third-party vendors who have access to company data or systems. The vendor risk assessment evaluates the security position of your critical vendors and establishes a framework for ongoing vendor risk management.

What You Have at the End of Month 2

  • 12 core security policies, board-ready for approval
  • 5 incident response plans with roles and decision trees
  • A prioritised risk register with treatment plans
  • A vendor risk assessment covering critical third parties

Your organisation now has the foundational governance framework that most cybersecurity capability models require. This is the layer that insurers, auditors, and clients look for when they ask whether you take security seriously.

Month 3: Compliance Sprint

With governance foundations in place, Month 3 focuses on regulatory and commercial compliance — the requirements that directly affect your ability to win work, secure insurance, and meet legal obligations.

Cyber Insurance Readiness Assessment

Cyber insurance applications have become significantly more demanding. Insurers now ask detailed questions about multi-factor authentication, endpoint detection and response, backup strategies, incident response plans, and employee awareness training. The security lead conducts a cyber insurance readiness assessment that maps your current controls against common insurer requirements and identifies gaps that could result in declined coverage or inflated premiums.

The policy suite and incident response plans completed in Month 2 close the majority of insurer requirements. The readiness assessment identifies remaining technical gaps — such as MFA on all remote access or offline backup copies — so they can be addressed before renewal.

Privacy Act Compliance Review

The Privacy Act 2020 applies to every New Zealand organisation that handles personal information. The compliance review evaluates your practices against the 13 Information Privacy Principles and produces a compliance status report with an improvement plan. For most 50-person companies, the primary gaps are around transparency (telling people what you collect and why), retention (keeping data longer than necessary), and access (responding to information requests within the required timeframe).

IPP 3A Preparation

IPP 3A requires organisations to notify individuals when personal information is collected from sources other than the individual — such as referrals, background checks, or third-party data feeds. The security lead maps your indirect collection points, prepares the notification templates and processes required to demonstrate compliance, and builds the internal procedures for identifying and responding to new third-party data flows.

Security Questionnaire Response Capability

Your clients and prospective clients will increasingly send you security questionnaires as part of their vendor due diligence. Without clear security ownership, responding is time-consuming and often embarrassing. With the foundation built during Months 1 through 3, the security lead establishes a questionnaire response capability — a library of pre-approved answers and supporting evidence that allows you to respond confidently and efficiently.

What You Have at the End of Month 3

  • Cyber insurance readiness assessment with gap closure
  • Privacy Act compliance review and improvement plan
  • IPP 3A documentation and processes
  • Security questionnaire response capability

At the end of the first quarter, your organisation has moved from "we know we should be doing something" to "we have a documented, working security operating rhythm with demonstrable compliance." That is the kind of change strong monthly support is meant to create in the first 90 days.

Months 4 to 6: Maturation

The first quarter builds the foundation. The second quarter embeds it into how your organisation operates.

Security Awareness Plan

Technology controls are only effective if staff understand their role in security. The security lead implements a Security Awareness Plan that includes training modules, simulated phishing exercises, and role-specific guidance. The plan is practical and relevant, not empty box-ticking. Staff learn to recognise phishing emails, understand password hygiene, and know what to do if something looks wrong.

Board Advisory Reporting

Security governance requires board-level visibility. The security lead produces monthly reports and quarterly board advisory packs that translate technical security status into business language — work completed, risk status, incident summary, compliance position, and upcoming priorities. Directors do not need to understand firewall rules. They need to understand whether security risk is being managed effectively.

Quarterly Security Scorecards

The quarterly security scorecard tracks your security position over time against defined metrics across governance, technical controls, compliance, and awareness. It provides a clear, visual representation of where the business started, where it is today, and where it is heading — the deliverable that demonstrates continuous improvement to insurers, auditors, and clients.

Ongoing Monitoring and Advisory

Between formal deliverables, the security lead provides ongoing advisory support — answering security questions, reviewing proposed technology changes, and advising on emerging threats. This is not reactive break-fix support. It is proactive, strategic guidance that keeps security aligned with business objectives.

What You Have at the End of Month 6

  • An embedded Security Awareness Plan with measurable engagement
  • Monthly reporting and quarterly board advisory packs
  • Two quarterly security scorecards showing measurable improvement
  • Ongoing strategic advisory and threat monitoring

Your organisation now operates with a functioning security rhythm. Staff understand their responsibilities. The board has visibility. Risk is being actively managed and measured.

Months 7 to 12: Continuous Improvement

The second half of the year shifts focus from building and embedding to refining and proving.

Cross-Standard Mapping

Many organisations face multiple compliance obligations — the Privacy Act, industry-specific regulations, client contractual requirements, and standards like NZISM or ISO 27001. The security lead maps your security evidence across applicable standards to identify where a single control satisfies multiple requirements and where gaps remain.

Audit Readiness

Whether you are pursuing formal certification, responding to a client audit, or preparing for a regulatory inquiry, audit readiness means having evidence organised, documentation current, and controls demonstrable. The security lead makes sure the business is audit-ready — not by creating paperwork for its own sake, but by maintaining the evidence that auditors, regulators, and clients expect to see.

Annual Security Report

At the 12-month mark, the security lead produces a detailed annual security report. This document summarises the year's security work, risk position changes, incident history, compliance achievements, and recommendations for the year ahead. It serves as both a governance record and a strategic planning tool for the next phase of the work.

Year-Two Planning

No security capability is static. The annual review identifies what is working, what needs adjustment, and what new risks have emerged. The security roadmap is updated for the next 12 months, incorporating lessons learned and changes in your business environment.

What You Have at the End of Month 12

  • Cross-framework compliance mapping
  • Audit-ready documentation and evidence library
  • Detailed annual security report
  • Updated security roadmap for Year 2

After 12 months, you do not just have a collection of documents. You have a living, measurable security capability that your organisation owns. If you ever change providers or bring security in-house, the documentation and the processes stay with you.

What It Costs

Transparency matters. Here is what external security leadership costs and what each tier delivers.

Baseline — $1,750 per month

The entry point for organisations that need foundational security governance. Baseline delivers the core monthly-support elements: security baseline assessment, policy suite, risk register, incident response plans, and quarterly reporting. This tier is suited to organisations with lower complexity and straightforward compliance requirements, or businesses that need to move from "we should probably do something" to "we now have a real operating rhythm."

Assurance — $3,500 per month

The tier most 50-person companies move into once customer, insurer, or privacy pressure becomes active. Assurance includes everything in Baseline plus the broader compliance and evidence work: Privacy Act review, IPP 3A preparation, cyber insurance readiness, vendor risk management, Security Awareness planning, cross-standard mapping, and stronger reporting support. This is the engagement level that delivers the month-by-month support described in this article when the scrutiny is already real.

All tiers include monthly reporting, quarterly scorecards, and annual reviews as standard. There are no hidden fees, no hourly overage charges, and no lock-in contracts. You own every deliverable produced during the engagement.

For a 50-person company on the Assurance tier, the annual investment is $42,000 — a fraction of the $180,000 to $280,000 cost of a full-time CISO hire, and a fraction of the $530,000 average cost of a cyber incident.

Building a Capability, Not Buying a Product

The purpose of this kind of engagement is not to create a dependency. It is to build a security capability within your organisation that you own and retain regardless of who manages it.

After 12 months, your organisation has a complete security capability: policies, processes, risk management, compliance documentation, staff awareness, board reporting, and a track record of measurable improvement. That capability belongs to you.

The average NZ cyber incident costs $530,000. A full-time CISO costs $200,000+ per year. Assurance support costs $42,000 per year and delivers the same governance outcomes — risk assessment, policy lifecycle, compliance management, board reporting, and incident coordination. The question is not whether you can afford proper security ownership. It is whether you can afford another year without it.

Book a free consultation — see what the first 90 days can look like for a business your size.

What Happens Next

Need to turn this into a practical next step?

A working session walks the first 90 days for a 50-person business — baseline, policies, response plans — and names the owner for each