Questions are ordered from defining the capability gap through affordable alternatives to hiring, the boundary between internal and outsourced responsibilities, safe use of providers, staff development, privacy ownership, New Zealand training pathways, security culture and the failures caused by over-reliance on one person or supplier.
What is the cyber-security skills and capability gap, and why does it affect New Zealand SMEs?
A cyber-security capability gap exists when the security work a business needs exceeds the skills, time, authority, tools or provider oversight it has available. It is broader than a shortage of people with cyber-security job titles. A business may have competent general IT support but still lack capability in risk assessment, identity security, privacy, supplier assurance, logging, incident response or recovery. SMEs are particularly exposed because they may not be able to justify a full-time specialist, security responsibilities are added to another person's role and one provider may hold most of the technical knowledge. At the same time, NCSC research published in September 2025 found that 53% of surveyed New Zealand SMEs had experienced a cyber threat in the preceding six months, while 94% recognised that cyber security was important. The practical goal is not to make every business an internal security consultancy. It is to retain enough knowledge and decision capability to identify important risks, direct providers, recognise when specialist help is needed and respond when something goes wrong.
- specialist shortage — Experienced security practitioners can be difficult or uneconomic for a smaller organisation to recruit as permanent employees.
- organisational capability gap — The business lacks sufficient knowledge, time, authority, processes or evidence even when an IT provider is available.
- small and medium business — Security work is commonly distributed across an owner, manager, privacy officer, IT coordinator and external provider.
- minimum viable capability — Retain business ownership, basic risk literacy, provider oversight, incident authority and an escalation path to specialist help.
A cyber-security capability gap exists when the security work we need exceeds the skills, time, authority, tools or oversight available to us. We do not need every specialist skill in-house, but we must retain enough internal capability to understand our important risks, make decisions, direct suppliers, recognise problems and obtain appropriate help.
We cannot hire or afford a dedicated security specialist — what should we do?
A dedicated specialist is not the only workable model. Name one accountable internal coordinator, complete the Own Your Online assessment, identify the systems and information the business most depends on and use the NCSC Critical Controls to prioritise limited time and money. The internal coordinator does not need to perform every technical task. Their role is to maintain the action plan, bring together the owner, privacy officer and IT provider, track unresolved risks and make sure incidents reach the right decision-makers. Outsource defined specialist work such as security monitoring, technical testing, complex cloud configuration or incident response, while retaining authority over priorities, access and risk acceptance. Buy specialist advice for specific decisions rather than an undefined promise to 'handle security'. A small business should also establish who will act when the coordinator is unavailable so that one person's absence does not remove the entire capability.
- internal coordinator — Maintains the risk and action plan, coordinates suppliers, follows up evidence and escalates material issues.
- prioritised baseline — Use the Own Your Online assessment and NCSC Critical Controls to focus limited resources on the most useful actions.
- external specialist — Engage for defined technical, assurance, legal, privacy or incident-response tasks that exceed internal competence.
- continuity of capability — Maintain an alternate contact, documented accounts and provider information so knowledge is not held by one person.
We are not required to employ every security skill directly. We will name an internal coordinator, identify our most important risks, work through a prioritised baseline and engage external expertise for defined tasks. Business priorities, access approval, supplier oversight, risk acceptance and incident decisions remain inside the organisation.
What cyber-security capability must we hold internally, and what can we outsource?
Keep internal ownership of business context and decisions. The organisation must know what information, systems, accounts, payments and services matter; decide its priorities and risk tolerance; approve access and exceptions; appoint its privacy officer; direct suppliers; and retain authority during an incident. It should also be able to contact its provider, revoke access, locate important records and explain what the provider is expected to do. Technical execution can often be outsourced, including patch deployment, backup operation, monitoring, vulnerability testing, specialised architecture, forensic investigation and parts of incident response. The dividing line should be recorded rather than assumed. NCSC's Cyber Security Framework says organisations should know which security activities they are responsible for and where responsibilities lie between them and their suppliers. Outsourcing work does not remove IPP 5 responsibilities where the provider handles personal information.
- retain internally — Business context, priorities, risk acceptance, access authority, privacy oversight, provider direction and incident decision-making.
- suitable to outsource — Defined technical operations, monitoring, testing, specialist advice, forensic work and surge response.
- shared responsibility — Patching, backups, logging, identity, incident response and recovery often require both internal decisions and provider execution.
- evidence and escalation — The business must receive enough evidence to oversee the provider and know when a material risk or incident requires escalation.
We retain ownership of business risk, priorities, access, privacy, supplier direction and incident decisions. We may outsource defined technical and specialist work, but every outsourced responsibility must have an internal owner, a documented service boundary, expected evidence and an escalation path.
How do we choose and work safely with an IT or security provider?
Start with a written list of the outcomes and systems that need support rather than selecting a provider solely from a product bundle. Identify what the provider will do for updates, backups, logging, account administration, monitoring, incidents and recovery, and what remains the business's responsibility. Own Your Online recommends looking for a proven track record, obtaining proposals from several providers and ensuring the selected provider will follow the same security rules as staff. The agreement should identify named contacts, response and escalation arrangements, privileged access, MFA, subcontractors, data locations, notification expectations, evidence, continuity and exit. Provider-owned administrator accounts and documentation should not become a lock-in mechanism. The business should retain access to essential domains, cloud tenants, backups and records and should periodically verify that contracted tasks are actually being completed.
- selection — Define needs, assess relevant experience, compare proposals and verify references and service scope.
- responsibility schedule — Record who patches, backs up, monitors, reviews logs, manages accounts, responds to incidents and restores services.
- access and evidence — Use named accounts, MFA, least privilege, logging and regular evidence that agreed work occurred.
- continuity and exit — Preserve business control of critical accounts, records, backups, credentials and an executable provider-transition plan.
Our provider relationship must define scope, responsibilities, privileged access, service levels, evidence, incident escalation, continuity and exit. The provider must follow our security requirements. We retain control of critical business accounts and information and periodically verify that contracted security work has been completed.
How can we upskill existing staff and build baseline capability without a security team?
Begin with roles and tasks, not generic course catalogues. Identify who approves payments, manages cloud accounts, handles personal information, supports devices, administers websites, works with suppliers and coordinates incidents. Give everyone a baseline covering phishing, credentials, MFA, updates, information handling and reporting, then provide deeper training for higher-risk duties. Use short formal modules, coached work, tabletop exercises, provider demonstrations, shadowing, mentoring and documented runbooks. OPC says all staff should receive at least basic privacy training, but the level should vary according to duties and risk. It also recommends induction or pre-access training, ongoing refreshers, role lists and training records. New Zealand public-service capability guidance, while directed to agencies, identifies practical development approaches including self-directed learning, simulations, bootcamps, certifications, micro-credentials, coaching, mentoring and structured on-the-job learning. SMEs can apply the same development methods proportionately.
- baseline literacy — Give every user enough knowledge to work safely, identify common threats and escalate uncertainty or incidents.
- higher-risk role — Provide targeted capability for finance, administrators, developers, privacy personnel, managers and incident decision-makers.
- work-based learning — Use coached tasks, shadowing, tabletop exercises, provider handovers, runbooks and supervised responsibility.
- capability evidence — Record training, practical demonstrations, assigned responsibilities, observed competence and development needs.
We build capability around the work people perform. Everyone receives a security and privacy baseline. Higher-risk roles receive targeted training, practical exercises and supervised experience. Capability may be developed through formal study, short courses, coaching, mentoring, provider knowledge transfer and documented on-the-job learning.
What is the privacy officer's role, and who owns capability in a small business?
The Privacy Act requires at least one person to fulfil the privacy-officer role, but that does not automatically make the person the organisation's cyber-security engineer or sole owner of every information risk. OPC says the appropriate person depends on the organisation's size, work and personal information, and that in smaller organisations the manager commonly performs privacy work alongside other compliance responsibilities. The privacy officer should understand the privacy principles, help the organisation comply, oversee relevant complaints and requests and liaise with OPC. They may also train staff and advise on business changes. Leadership remains responsible for allocating time, authority, training and support. An IT coordinator or provider may own technical tasks, while managers own secure operation of their processes. The capability model should therefore name the accountable leader, privacy officer, technical contact, incident lead and alternates rather than placing every expectation on one person.
- business owner or senior leader — Owns priorities, resources, accountability and acceptance of material residual risk.
- privacy officer — Oversees Privacy Act compliance, privacy processes, escalation, advice and liaison with OPC.
- technical coordinator or provider — Operates and advises on technical safeguards within agreed authority and responsibility boundaries.
- managers and process owners — Apply security and privacy requirements in the work, systems, people and suppliers they control.
The privacy officer oversees Privacy Act responsibilities but does not automatically own all cyber-security work. Leadership owns capability and resourcing. Technical personnel and providers operate assigned controls. Managers own secure operation of their processes. Each critical role must have clear authority, training and an alternate.
What training and certification pathways are available in New Zealand?
Choose the pathway according to the capability needed. For general staff and privacy fundamentals, NCSC, Own Your Online and OPC provide free guidance and online learning that can support induction and refreshers. For workers developing formal technical capability, NZQA lists a current New Zealand Diploma in Cybersecurity at Level 6 with 120 credits. Its stated purpose is to prepare people for entry-level specialist roles or further study, and it identifies pathways to further specialist training and industry certifications. NZQA also maintains a register of approved micro-credentials, which can support smaller, defined learning outcomes, but employers should confirm that a named provider is currently delivering the programme. For workforce planning and skills mapping, New Zealand has a Whole-of-Country licence for the Skills Framework for the Information Age, and public- and private-sector organisations can use SFIA in New Zealand without a normal licence fee. Qualifications and certifications should be combined with relevant experience, ethical conduct, communication skills and demonstrated ability to perform the required work.
- baseline learning — Use free NCSC, Own Your Online and OPC material for general awareness, privacy fundamentals and role refreshers.
- short targeted development — Use workshops, provider training, approved micro-credentials and defined short courses for a specific capability gap.
- formal specialist pathway — Consider current NZQA qualifications and relevant industry certification for technical or professional roles.
- skills mapping — Use a framework such as SFIA to describe required skills, assess gaps and plan development rather than relying on job titles alone.
Training must match the capability required. We use free New Zealand guidance for baseline awareness, short or micro-credential learning for defined gaps, and formal qualifications or relevant certifications for specialist roles. Credentials are considered alongside practical experience, communication, judgement, ethical conduct and demonstrated performance.
How does a security-aware culture become part of our capability?
Capability is not confined to specialists. A person who recognises a suspicious payment request, reports an unexpected MFA prompt or quickly admits opening a malicious file may prevent or contain an incident. NCSC treats security awareness as one of its ten Critical Controls and says people play a key role in protecting systems and information. It recommends ongoing training and human interaction rather than a one-off induction or annual video, simple reporting channels, accessible policies and a positive culture that rewards reporting instead of stigmatising mistakes. A small organisation can nominate a security representative in each relevant team or function who can answer basic questions, knows the incident plan and can reach specialist help. Those representatives are not substitutes for qualified technical advice; they extend the organisation's ability to detect, escalate and apply basic controls during everyday work.
- shared awareness — Everyone understands common threats, essential safeguards and how to escalate uncertainty or incidents.
- security representative — A trained contact can answer basic questions, reinforce expected behaviour and connect staff with specialist support.
- positive reporting culture — People are encouraged to report early, including after a mistake, without automatic stigma or blame.
- continuous reinforcement — Use current threat examples, exercises, meetings, reminders, accessible policies and feedback rather than annual training alone.
Every person contributes to security capability by following basic safeguards, recognising unusual activity and reporting concerns quickly. We provide regular, practical training and simple reporting channels. Trained security representatives may support teams, but they escalate matters beyond their competence to the responsible internal owner or specialist provider.
What common capability-gap failures should New Zealand SMEs avoid?
Common failures include assuming general IT support automatically covers security strategy, privacy and incident response; outsourcing every decision to one provider; having no named internal owner; allowing the provider to control domains, cloud tenants, backups and administrator credentials without business access; purchasing tools that nobody monitors; relying on certificates without checking practical competence; assigning privacy or cyber work to someone without time, authority or development; using the same generic training for every role; failing to retain provider documentation; and having no alternate when the only knowledgeable person leaves. Other gaps include no defined responsibility for patching, logs, backups or incident response, no independent check of provider claims and no knowledge-transfer or exit plan. The capability model should also avoid importing Australia's Essential Eight, SMB1001 or ASD ISM as New Zealand frameworks. New Zealand SMEs should ground their baseline in the Privacy Act, OPC, NCSC and Own Your Online.
- ownership failure — No internal person owns priorities, provider direction, evidence, escalation or unresolved risk.
- provider dependency — One supplier controls critical accounts and knowledge without clear responsibilities, verification, continuity or exit.
- development failure — Training is generic, qualifications are treated as sufficient and people receive responsibility without time or supervised experience.
- capability illusion — Tools, policies and provider reports are counted as capability even though nobody can demonstrate that controls work.
We will not confuse purchased tools, provider contracts or certificates with operating capability. Every critical security responsibility requires an internal owner, sufficient authority, evidence, an escalation path and continuity when a person or provider changes. Australian frameworks must not be described as New Zealand law or official New Zealand baselines.
What's my next step?
Common misconceptions
- A small business must hire a full-time CISO before it can manage cyber risk. A proportionate model can combine internal ownership, baseline staff capability and defined external expertise. INFERRED
- Outsourcing IT transfers all security and privacy responsibility to the provider. IPP 5 still requires the organisation to take reasonable steps concerning provider handling of personal information. VERIFIED
- General IT support automatically includes risk governance, privacy advice, monitoring, incident response and recovery. The service boundary must be defined rather than assumed. INFERRED
- A certification proves that a person is competent for every cyber-security role. Qualifications and certifications should be considered alongside relevant experience and demonstrated capability. INFERRED
- Every employee needs expert-level cyber-security training. NCSC says people do not need to be security experts to use systems safely, while OPC recommends training that reflects each role and risk. VERIFIED
- The privacy officer must be a full-time technical security specialist. OPC says the role depends on the organisation's size, work and information and is commonly performed by a manager in a small organisation. VERIFIED
- An annual awareness video creates sufficient internal capability. NCSC says effective awareness requires regular, ongoing training and human interaction. VERIFIED
- Buying more security tools automatically closes a skills gap. Tools require ownership, configuration, monitoring, maintenance and response capability. INFERRED
- No reported incidents prove that an IT provider is performing effectively. Assurance requires evidence that agreed controls and detection processes operate. INFERRED
- A small business can outsource every cyber-security decision. It still needs internal business context, access authority, provider oversight, privacy ownership and incident decision-making. INFERRED
- A university degree is the only credible pathway into cyber security. NZQA qualifications, micro-credentials, certifications and structured work-based development provide different pathways for different capability needs. VERIFIED
- Australia's Essential Eight, SMB1001 and ASD ISM are New Zealand cyber-capability frameworks. They are not and should not be presented as New Zealand law or official New Zealand baselines. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 IPP 5 reasonable security safeguards | Office of the Privacy Commissioner | The organisation holds personal information. | Ongoing while the information is held and whenever personnel, systems, providers, access arrangements or risks change. | |
| IPP 5 safeguards for service-provider handling | Office of the Privacy Commissioner | Personal information is given to a provider in connection with a service supplied to the organisation. | Before access is granted and throughout the service relationship, using everything reasonably within the organisation's power to prevent unauthorised use or disclosure. | |
| Privacy officer appointment | Office of the Privacy Commissioner | The entity is an organisation or agency subject to the Privacy Act. | Maintain at least one person fulfilling the privacy-officer role on an ongoing basis. | |
| Notifiable privacy breach capability | Office of the Privacy Commissioner | A privacy breach has caused or is likely to cause serious harm to an affected individual. | Notify OPC and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
Sources
- NCSC — Build security awareness in your organisation primary
- NCSC Critical Controls: Summary primary
- NCSC Cyber Security Framework primary
- NCSC Protect your organisation primary
- More than half of New Zealand businesses experiencing cyber threats primary
- Own Your Online — Choosing an IT service provider primary
- Own Your Online — Business online security assessment tool primary
- Own Your Online — Create an online security policy for your business primary
- Own Your Online — Top online security tips for your business primary
- Privacy Act 2020 Principle 5 — Storage and security of information primary
- Information for privacy officers primary
- Poupou Matatapu — Building Capability and Awareness primary
- NotifyUs of a serious privacy breach primary
- Privacy Act 2020 primary
- Digital.govt.nz — How to build digital capability primary
- Digital.govt.nz — Skills Framework for the Information Age primary
- New Zealand Diploma in Cybersecurity (Level 6) primary
- NZQA micro-credential listing, approval and accreditation primary
- Register of NZQA listed and approved micro-credentials primary
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.