Board-level cyber governance

Cyber Security for Directors

A practical guide for New Zealand boards: your cyber risk obligations, governance responsibilities, and the questions every director should be asking.

Why cyber governance matters

As cyber threats continue to grow, organisations are facing increasing pressure to protect their systems, data, and reputation. For directors, this means moving beyond technical details and focusing on governance, accountability, and risk oversight.

Effective cyber governance ensures that the organisation is not only protected but also prepared. Boards must have visibility into cyber risks, understand their potential impacts, and ensure appropriate controls and response plans are in place.

The governance principles every board should understand

Risk Visibility

Boards must have clear visibility of cyber risks across the organisation, including systems, data, and third-party exposure.

Accountability

Cyber security responsibilities should be clearly defined, with accountability at both management and board levels.

Incident Readiness

Organisations must be prepared to respond quickly and effectively to cyber incidents, minimising impact and downtime.

Continuous Monitoring

Cyber risk is constantly evolving. Regular monitoring and reporting are essential to stay ahead of emerging threats.

Governance & Reporting

Boards should receive regular, structured reporting on cyber security posture, risks, and mitigation efforts.

Ten questions every director should ask

  1. Do we have a clear understanding of our cyber risks?
  2. Who is accountable for cyber security at an executive level?
  3. How often do we review and update our cyber risk strategy?
  4. Do we have an incident response plan, and has it been tested?
  5. How quickly can we detect and respond to a cyber incident?
  6. Are we regularly monitoring our systems and vulnerabilities?
  7. What risks do our third-party vendors introduce?
  8. Are employees trained to recognise cyber threats?
  9. How is cyber security reported to the board?
  10. Are we continuously improving our security posture?

Common red flags boards should watch for

  • No regular cyber security reporting to the board
  • Lack of a documented incident response plan
  • No testing or simulation of cyber incidents
  • Outdated or inconsistent security policies
  • Over-reliance on a single individual or team

How iT360 supports your cyber governance

iT360 helps boards turn cyber governance into something practical: clear risk visibility, accountable ownership, tested incident readiness, continuous monitoring, and reporting your board can actually act on. We translate technical posture into board-level language and keep your controls aligned with standards like SMB1001 and ISO 27001.
