
Is Minimum Viable Security Becoming Default?

Written by Maddie Abe | Jun 8, 2026 9:30:30 AM

As Corinium’s Maddie Abe began shaping this year’s CISO New Zealand agenda, a clear shift emerged from research conversations with security leaders in New Zealand: the focus is moving towards what can realistically be sustained.

For years, cyber security has been built on a simple assumption. Organisations should continuously become more secure. Frameworks, maturity models, roadmaps, audits and investment plans all point in the same direction. More capability. More coverage. More visibility. More control.

Yet conversations with security leaders across New Zealand this year suggest something different. Many organisations are no longer asking how to achieve comprehensive security.

They are asking what they can realistically sustain. That raises an uncomfortable question.

Has minimum viable security become the operating reality rather than a temporary state?

A shift in the conversation

Last year, my discussions with the cyber security community centred on expanding governance boundaries, supplier dependency, and the growing complexity of interconnected environments. Leaders spoke about increasing responsibility and the difficulty of managing risk beyond direct control.

The focus was expansion. More systems. More dependencies. More accountability.

Read: Cyber Leadership in New Zealand: Where Does a CISO’s Job Really End? (Sept 2025)

Building on those conversations, this year the tone has shifted. The dominant theme is constraint.

Security leaders describe environments where expectations continue to rise while capacity remains static. New obligations are added faster than old ones are retired. AI governance, identity, resilience, third-party risk, privacy requirements, and executive reporting all sit on the same teams.

The result is a widening gap between what organisations are expected to manage and what security teams can realistically deliver.

This shift is not only visible in practitioner conversations. It is also reflected in the NCSC Cyber Report 2025, where emphasis is increasingly placed on resilience, dependency management, and the reality of known vulnerabilities being actively exploited.

That is not due to a lack of awareness, but to limits on operational capacity.

The end of the pure maturity narrative

For a long time, the industry has framed security as a maturity journey: a step-by-step progression towards a more complete security state. Some leaders no longer describe their environments this way.

In recent conversations, I noticed a subtle but consistent shift in language.

Instead of optimisation, they talk about prioritisation.
Instead of maturity, they talk about survivability.
Instead of asking what more they should do, they are increasingly asking what can be reduced or removed.

That shift matters.

Not because organisations care less about security, but because they are recognising that not everything can be addressed at once. Not every risk can be treated. Not every control can be implemented. Not every recommendation can be funded.

This tension is also reflected in formal governance frameworks such as NZISM, where the breadth of control expectations continues to expand against the realities of implementation capacity.

When you can’t win every battle, how do you define success?

It is becoming less about completeness and more about making deliberate choices under constraint.

The reality of risk acceptance

Few organisations would describe themselves as operating with “minimum viable security”. Yet in practice, many are already making decisions that resemble it.

Some vulnerabilities remain open longer than intended. Some remediation work is deferred. Some controls are applied unevenly. Some governance activities are deprioritised in favour of higher urgency demands.

These are not necessarily signs of failure. They are signs of capacity limits in complex environments.

The challenge is that the industry narrative still assumes comprehensive security is the target state.

This gap between expectation and operational reality is also reflected in the NCSC reporting, which continues to highlight that many incidents stem from known weaknesses and delayed remediation rather than novel or highly sophisticated techniques.

Many practitioners no longer believe that assumption reflects reality.

The issue is not awareness of risk. It is the ability to act on all of it at once.

AI as a pressure amplifier, not a root cause

Hardly a day passes without hearing the word “AI”. Amid the marketing noise, AI is often framed as a new security challenge. In practice, it is acting more as an accelerant of existing constraints.

Several leaders observed that AI is increasingly arriving through SaaS platforms, embedded services, vendor ecosystems, and automation tools rather than through deliberate enterprise strategies.

This means new governance requirements are being introduced continuously, often without a corresponding increase in capacity.

The challenge is not only understanding AI. It is absorbing another layer of complexity into environments that are already operating at or near capacity.

In this sense, AI is less a separate problem and more a visibility tool for existing structural pressure.

What is still governable?

Perhaps the most provocative question emerging from this year's research is whether comprehensive security remains a realistic objective.

The industry has traditionally treated minimum viable security as a transitional phase. A temporary compromise on the way to something stronger.

But what if, for many organisations, it is becoming the default operating model?

If that is the case, then the question shifts.

It is no longer only about building more security capability.

It is about making clearer decisions about what matters most, what can be delayed, and what may never be fully addressed.

In closing

The most difficult question is also the simplest.

If trade-offs are already happening every day, what does responsible minimum viable security actually look like in practice?

And more importantly, are organisations prepared to be honest that this may not be a temporary condition, but an ongoing reality of modern cyber security leadership?

My earlier article asked how leadership should respond to expanding responsibility.

This year’s question is slightly different.

What happens when expanding responsibility outpaces the ability to respond?
