
Cyber Leadership in New Zealand: Where Does a CISO’s Job Really End?

One question kept surfacing while I was shaping the CISO New Zealand agenda this year: how far does a CISO’s responsibility actually stretch?

I’ve mostly worked on the Australian market, so this was my first time diving into CISO New Zealand. After talking with cyber leaders across the country, I came away with some impressions and observations. This isn’t a formal report or a list of findings, just some personal reflections and an invitation to spark conversation.

New Zealand is a small, tightly connected market. Government, enterprise, and critical infrastructure are all interlinked, which has its advantages when it comes to collaboration. But it also means that when something goes wrong, the ripple effects can travel fast. Add to that the reliance on SaaS, offshore providers, and local vendors with mixed levels of maturity, and you start to see why third-party risk is so often on leaders’ minds.

The uncomfortable part is where the accountability lands. A supplier might miss a patch, or a partner might slip up, but it is usually the larger organisation and its CISO that take the heat. Is that reasonable? Or is it a sign we need to start thinking differently about what “ownership” of cyber risk really means?

Australia offers a useful comparison. Regulation there has been tightening, which forces boards to take clearer ownership. In New Zealand, things feel a little different. With less regulatory push, cyber leaders often have to rely more on influence than authority. Sometimes it is about educating decision-makers, sometimes it is about nudging for investment, and other times it is about simply keeping the issue visible. But without clear mandates, the pressure lands differently.

A line from one conversation has stayed with me: “We cannot be everyone’s CISO.” It was said with a smile, but it rings true. The role can stretch unreasonably wide, from safeguarding hybrid environments to coaching boards, from worrying about machine identities to managing SaaS sprawl.

What strikes me, though, is that cyber security is not like other domains of business. It is one of the few areas where organisations are not in competition for market share. Whether in government, banking, education, or healthcare, the goal is broadly the same: keeping systems resilient, protecting data, and maintaining trust. That makes the idea of collective ownership feel less far-fetched, because in practice, many are already working towards the same outcome.

So maybe the real question is not where a CISO’s role ends, but how much of it can be shared. What would it look like if security were spread more evenly across the business? Procurement asking tougher questions. Boards treating cyber risk as seriously as financial risk. Vendors seen as partners, not just suppliers.

It does not remove the weight CISOs carry. Far from it. But perhaps it shares the load in a way that feels more realistic for a market where resources are lean, the talent pool is stretched, and interdependencies are only growing.

And that is the real shift, not taller walls, not tighter controls on every last SaaS app, but a culture where security is part of how we all operate, whether we carry the title or not.

That is the real strength of this community: the recognition that security is a collective pursuit.

 


If you are interested in speaking at CISO New Zealand 2025, taking place on 18 - 19 November, or at any of the following upcoming conferences, feel free to reach out to Maddie Abe (Content Director).

  • 10 - 11 February 2026: CISO Sydney 2026
  • 10 February 2026: OT Security Sydney 2026
  • 11 February 2026: Cloud Security Sydney 2026 and AppSec & DevSecOps Sydney 2026
  • 1 April 2026: CISO Perth 2026