Your MSP Is Not Your Security Team — And That Is Okay

MSPs and virtual CISOs serve different functions. Here is where MSP responsibilities end, where security governance begins, and how both work together.

30 January 2026 | 15 min read | By Good Security

Your MSP Is Doing Important Work

The short version: Your MSP keeps the technology running — but risk assessment, compliance, policies, board reporting, and incident command sit outside MSP scope. The gap is where breaches, claim denials, and regulatory findings live — and most businesses close the biggest governance gaps in the first 90 days. Book a free consultation to see where your gaps are. Read on for the full breakdown.

Let us start with something that does not get said often enough: your managed service provider is doing valuable work that your business depends on every day. The servers stay up. The patches get applied. The backups run on schedule. When a staff member cannot connect to the printer or locks themselves out of their account, your MSP resolves the ticket and keeps operations moving.

This is not trivial. Without reliable IT infrastructure, nothing else in your business functions. The MSP relationship is one of the most important operational partnerships a New Zealand small business maintains, and the growth of the sector reflects that reality. According to the Huntress MSP Threat Report, 84% of MSPs now manage their clients' cyber infrastructure, up from 64% the previous year (Huntress, 2024). Businesses are entrusting more of their technology stack to managed service providers than ever before, and for good reason.

But here is the part that most businesses have not been told clearly: managed IT services and security governance are fundamentally different disciplines. Your MSP was hired to manage infrastructure. The security programme that protects your business, satisfies your compliance obligations, and demonstrates due diligence to insurers and clients requires a different skill set, a different mandate, and a different accountability model.

This article is not a criticism of MSPs. It is a clarification of scope. And understanding that scope is one of the most important steps a business leader can take toward building a security position that actually holds up under pressure.

Security Governance Is a Different Discipline

The distinction between IT infrastructure management and security governance is similar to the distinction between building maintenance and occupational health and safety. A property manager ensures that the lights work, the plumbing functions, and the building meets its maintenance schedule. An occupational health and safety programme assesses workplace risks, develops policies and procedures, trains staff, conducts audits, reports to leadership, and ensures regulatory compliance. Both are essential. Neither can substitute for the other.

In cybersecurity, the same separation applies. Infrastructure management is about keeping technology operational. Security governance is about identifying risks, establishing controls, developing and maintaining policies, managing compliance obligations, training people, planning for incidents, and reporting to leadership and boards on the organisation's security status.

The numbers illustrate why this distinction matters. According to the Kordia New Zealand Business Cyber Security Report 2025, 59% of New Zealand businesses experienced a cyber attack in the previous year (Kordia, 2025). The Government Communications Security Bureau's National Cyber Security Centre has warned that attackers are increasingly exploiting valid credentials, misconfigured VPNs, trusted software updates, and user behaviour to gain access to networks (GCSB/NCSC). These are not attack vectors that a firewall or antivirus product alone can address. They are governance failures — weak credential policies, unmanaged vendor risk, untrained staff, and absent security programmes.

At the same time, only 31% of New Zealand small and mid-sized businesses have formal IT policies in place (ASI/NZ research), and 70% of New Zealand small and mid-market leaders say that keeping pace with technology changes is a significant challenge (ASI/NZ research). When you combine an expanding threat landscape with the absence of formal governance, the gap between what businesses need and what their MSP was hired to provide becomes clear.

What MSPs Are Great At

A competent MSP delivers genuine, measurable value across the technical foundation of your business. Understanding what MSPs do well is essential to understanding why they should not be expected to do everything.

Infrastructure management. Your MSP manages your servers, cloud environments, networking equipment, and core business systems. They make sure that hardware is maintained, capacity is planned, and infrastructure decisions align with your operational requirements.

Monitoring and alerting. Many MSPs provide 24/7 monitoring of your network and systems, alerting you to outages, performance degradation, and suspicious activity. This monitoring capability is a critical layer of operational visibility that most smaller businesses could not build or maintain internally.

Patching and updates. Keeping operating systems, applications, and firmware up to date is one of the most effective defences against known vulnerabilities. Your MSP manages patch cycles, tests updates for compatibility, and deploys them across your environment.

Helpdesk and user support. Day-to-day user support — password resets, application troubleshooting, hardware provisioning, connectivity issues — keeps your staff productive and your operations running.

Endpoint protection. MSPs deploy and manage endpoint detection and response or antivirus solutions across your devices, ensuring that agents are installed, updated, and reporting to a central console.

Backup and disaster recovery. Your MSP manages backup schedules, monitors backup success, and maintains disaster recovery procedures that enable your business to recover from hardware failure, ransomware, or data loss events.

Network management. Firewall configuration, VPN management, wireless network design, and network segmentation are core MSP services that form the technical perimeter of your environment.

These services are not optional. They are the foundation upon which everything else is built. A business without reliable infrastructure, current patches, and functioning backups is exposed to operational risks that no amount of policy documentation can mitigate. Your MSP addresses this foundation, and that foundation is indispensable.

What Falls Outside Their Scope

The gap between MSP service delivery and full security is not a gap in competence or effort. It is a gap in scope. MSPs are infrastructure providers. The security programme your business needs requires governance capabilities that infrastructure services were never designed to deliver. The following areas are where that gap is most consequential.

Risk assessment and management. A security programme begins with understanding what you are protecting, what threatens it, and how likely and consequential each threat is. Formal risk assessment involves identifying information assets, evaluating threats and vulnerabilities, assessing the likelihood and impact of risk scenarios, and developing treatment plans that prioritise resources against the risks that matter most. Your MSP knows what technology you run. They do not conduct structured risk assessments against frameworks such as the NZISM or ISO 27001, maintain risk registers, or present risk treatment options to your leadership team. Risk assessment is a governance discipline, not an infrastructure task.

Compliance programme management. New Zealand businesses face a growing web of compliance obligations: the Privacy Act 2020, the incoming Information Privacy Principle 3A, industry-specific codes like the Health Information Privacy Code, contractual security requirements from clients and partners, and increasingly prescriptive cyber insurance policy conditions. A compliance programme systematically maps these obligations, identifies gaps, tracks improvements, and maintains evidence of ongoing compliance. Your MSP does not manage this process. They may implement technical controls that contribute to compliance, but implementing a control and managing a compliance programme are different activities.

Policy development and lifecycle management. Formal security policies — covering access control, acceptable use, data handling, incident response, remote working, and more — are the documented foundation of a security programme. Policies must be drafted, approved by leadership, communicated to staff, reviewed on a defined cycle, and updated when the business, technology, or regulatory environment changes. Your MSP does not develop, maintain, or lifecycle-manage your security policy suite. Many businesses discover they have no formal policies at all only when an insurer, client, or regulator asks to see them.

Board-level reporting. Security is a business risk, and boards have a fiduciary responsibility to oversee it. Effective board reporting translates technical security status into business risk language — what the key risks are, what is being done to manage them, where residual risk remains, and what investment is required. According to the Kordia 2025 report, approximately one-third of New Zealand businesses do no board-level cyber risk reporting at all (Kordia, 2025). Your MSP produces infrastructure reports: uptime statistics, ticket volumes, patch compliance rates. They do not produce board-ready security governance reports that enable informed decision-making at the leadership level.

Vendor risk assessment. Your business relies on third-party providers for cloud services, SaaS platforms, payment processing, data storage, and more. Each vendor that touches your data introduces risk that must be assessed and managed. Vendor risk assessment involves evaluating the security position of your suppliers, reviewing their data processing agreements, assessing their breach notification capabilities, and monitoring their ongoing risk profile. Under section 11 of the Privacy Act 2020, when a third party processes data solely on your behalf, you remain fully responsible for that data. Your MSP manages the technical relationship with your cloud and SaaS vendors. They do not assess whether those vendors meet your security and privacy obligations.

Incident command and coordination. When a significant security incident occurs — a ransomware attack, a data breach, a compromised business email — the technical response is only one part of the picture. Incident command involves coordinating the overall response, making decisions about containment and removal, managing communications with affected parties, assessing notification obligations under the Privacy Act 2020, engaging legal counsel and insurers, and conducting post-incident review. Your MSP plays a critical role in the technical response: isolating affected systems, restoring from backups, and fixing the attack vector. But the incident command function — the strategic coordination layer that manages the entire event from detection through recovery and reporting — is a governance role, not an infrastructure role.

Privacy programme management. The Privacy Act 2020 imposes obligations that extend well beyond technical security. Privacy programme management includes maintaining a personal data inventory, conducting privacy impact assessments for new systems and processes, managing data subject access requests, ensuring lawful collection and use of personal information, and complying with the mandatory breach notification regime. These activities require privacy expertise, not infrastructure expertise. Your MSP does not manage your privacy programme.

Security awareness programme design. The Kordia 2025 report found that 25% of New Zealand businesses cite employee awareness as their top cybersecurity challenge (Kordia, 2025). Phishing, social engineering, credential compromise, and accidental data disclosure are all human-layer risks that technical controls alone cannot eliminate. A structured security awareness programme — with regular training, simulated phishing exercises, role-based content, and measured effectiveness — is a governance deliverable that falls outside MSP scope. Your MSP may provide basic cyber hygiene tips or phishing awareness reminders, but designing and managing a full awareness programme is a different undertaking.

The Complementary Model: MSP and vCISO Working Together

The most effective security position for a New Zealand small or mid-sized business is not a choice between an MSP and a virtual CISO. It is both, working together with clearly defined roles.

Your MSP owns the technical layer: infrastructure, security tools, patching, monitoring, and operational IT services. They are the execution arm for technical controls. Your vCISO owns the governance layer: risk assessment, policy development, compliance management, board reporting, vendor risk, awareness programmes, and incident coordination. They are the strategic layer that ensures your security programme exists, is documented, and demonstrates due diligence.

The handoff points between these two roles are clear and well-defined.

When the vCISO conducts a risk assessment and identifies that multi-factor authentication needs to be deployed across all remote access, the MSP implements the technical change. When the MSP's monitoring detects a security incident, the vCISO activates the incident response plan and coordinates the overall response while the MSP handles technical containment and recovery. When the vCISO develops an access control policy, the MSP configures the technical systems to enforce it. When the MSP proposes a new cloud migration, the vCISO assesses the security and privacy implications before the migration proceeds.

This model eliminates the dangerous assumption that infrastructure management equals security. It gives your MSP a clear mandate to focus on what they do best — keeping technology running reliably and securely. And it gives your business the governance programme that insurers, clients, regulators, and boards increasingly expect to see.

The Cyvent research underscores why this separation matters: 69% of MSPs reported being breached two or more times in the past 12 months (Cyvent, 2024). This is not because MSPs are negligent. It is because MSPs are high-value targets with broad access to client environments, and the threat landscape is relentless.

New Zealand has already seen what happens when this risk materialises. In November 2022, Wellington-based managed service provider Mercury IT was hit by a LockBit ransomware attack. Because Mercury IT managed infrastructure for multiple government agencies, a single MSP breach cascaded across the Ministry of Justice, Te Whatu Ora (Health NZ), and health insurer Accuro. Over 14,500 coroners' files and 4,000 post-mortem examination reports were compromised. The stolen data was listed for sale on the dark web, and the Privacy Commissioner opened a formal compliance investigation (SecurityWeek, 2022; Bank Info Security, 2022). The organisations affected had outsourced their infrastructure management — exactly as they should have. What they had not done was independently assess and govern the security risk that outsourcing created. No vendor risk register. No independent oversight of the MSP's security position. No governance layer between the MSP and the sensitive data it held.

Having an independent governance layer that assesses risk, monitors controls, and maintains oversight is not a commentary on your MSP's competence. It is a sound risk management practice for any business that takes security seriously.

Questions to Ask Your MSP About Security Boundaries

If you are not sure where your MSP's responsibilities end and your security governance needs begin, the following questions can start a productive conversation. These are not adversarial questions. They are clarification questions that benefit both parties by establishing clear expectations.

On risk and compliance: Do you conduct formal risk assessments for our business, and if so, against which framework? Do you maintain a risk register on our behalf? Do you track our compliance obligations under the Privacy Act 2020 and any industry-specific requirements?

On policies and documentation: Have you developed a formal security policy suite for our organisation? If so, when was it last reviewed and updated? Do you manage the policy lifecycle, including board approval, staff communication, and periodic review?

On incident response: If we experience a data breach, who coordinates the overall response — including Privacy Act notification, communications with affected parties, and reporting to the Office of the Privacy Commissioner (OPC)? Is that documented in a plan we can review?

On board reporting: Do you provide board-level security governance reports that translate our security status into business risk language? If not, who is producing that reporting for our leadership team?

On vendor risk: Do you assess the security position of our third-party vendors and cloud providers against our obligations under the Privacy Act? Do you review their data processing agreements on our behalf?

On awareness training: Do you design and manage a structured security awareness programme for our staff — including simulated phishing, role-based training, and measured effectiveness? Or do you provide basic cyber hygiene reminders as part of your service?

Most MSPs will answer these questions honestly: some of these activities fall within their service, and some do not. That honest answer is the starting point for building a complete security position. The goal is not to find fault with your MSP. The goal is to identify the gaps so they can be addressed before an incident, an insurer, or a regulator finds them for you.

The Next Step Is Yours

You hired your MSP to keep the technology running, and they do. But the governance gaps between what your MSP covers and what your business needs are where breaches happen, insurance claims get denied, and the Privacy Commissioner starts asking questions.

Those gaps are fixable — and most businesses close the biggest ones in the first 90 days of a structured programme.

Book a free security health check — 30 minutes to find out what is covered, what is not, and what to do about it.