In this month's edition of The Conference Debrief, our Head of Software, Dan Wehner, and Software Business Unit Manager, Simon Tabrum, attended the National Cybersecurity Summit. This edition captures the key themes, discussions, and observations from across the summit sessions, with a focus on what matters most for organisations navigating today's security landscape.
A clear message from the conference was that cybersecurity is no longer being treated as a purely technical concern. It is increasingly a national and board-level priority. The focus on critical infrastructure regulatory reform signals a shift toward clearer accountability and minimum standards, particularly across essential services. This is less about compliance for its own sake, and more about lifting the baseline resilience across the country.
At the same time, New Zealand’s position at 60th on the National Cyber Security Index highlights the gap that still exists between intent, policy and operational capability. The direction is clear, but execution at scale remains the challenge.
One of the strongest themes was that many targeted intrusions can still be prevented through consistent execution of the basics. Application control, patching operating systems and applications, and restricting administrative privileges are not new concepts. These controls have been well established for years, dating back to the ASD Essential Eight introduced in 2015.
Yet despite their maturity, consistent execution across environments remains a challenge. This reinforces that cyber maturity is often less about adopting the latest tools, and more about discipline, prioritisation, and operational follow‑through.
There is growing recognition that cybersecurity and privacy are inherently linked. As organisations collect and retain more sensitive data, expectations are rising around how that data is protected end‑to‑end.
What stood out was the shift from treating privacy as a compliance obligation to viewing it as part of broader risk management and organisational trust. Principles such as IPP5 are no longer just a checklist — they are increasingly a reflection of how well an organisation understands, secures, and governs its data. In practice, this is where privacy expectations intersect directly with cybersecurity capability, particularly across access control, data protection, monitoring, and incident response.
This shift is also driving closer collaboration between teams that have traditionally operated separately. Security, legal, risk, and compliance functions increasingly need to work together rather than in parallel. Organisations doing this well are not only reducing risk, but building greater confidence with customers, regulators, and stakeholders.
An underappreciated challenge discussed was the cognitive load placed on security teams. With around 48,000 new vulnerabilities disclosed last year alone — up roughly 20 percent — the volume of information teams are expected to triage, prioritise, and respond to continues to grow faster than capacity.
At the same time, 70 percent of NZ organisations believe talent shortages are directly increasing cyber risk. This is not just a hiring problem — it is a scalability problem. Even well‑resourced teams are being stretched, driving a need to prioritise more effectively, automate where possible, and reduce noise rather than simply add more tools.
Alongside this, the human element remains central to how attacks succeed. Threat actors are increasingly relying on social engineering, trust exploitation, and psychological manipulation, often enhanced by AI‑driven techniques such as highly personalised phishing and convincing impersonation. Many successful incidents are no longer the result of complex technical failures, but of everyday human behaviours and decisions.
A standout discussion was how quickly AI tools are creeping into day‑to‑day work, often without formal approval or oversight. This creates real exposure, including data leakage, compliance risks, and new attack paths.
AI tools and agents increasingly need to be treated like identities: granted access deliberately, monitored continuously, and governed by policy. Without this, organisations can introduce significant risk unintentionally.
Another consistent message was that AI is shrinking the defender’s reaction window. Attackers can research, target, impersonate, and move laterally at scale, often faster than human‑led security teams can respond.
As a result, AI‑assisted detection, investigation, and response are rapidly becoming a baseline capability rather than a “nice to have”.
This theme was echoed repeatedly: attackers are increasingly “logging in” rather than “breaking in”. Techniques such as token theft and adversary‑in‑the‑middle attacks are enabling threat actors to bypass traditional, checkbox‑style MFA.
With humans, service accounts, workloads, third‑party vendors, and even AI agents all in scope, identity hygiene and identity‑centric monitoring must be treated as a core operating discipline.
A defining shift is underway from prevention‑led security to resilience‑led outcomes. Incidents are no longer a question of if, but when. As a result, organisations are increasingly being judged on their ability to respond, recover, and continue operating.
The economic impact reinforces this urgency, with NZ businesses losing an estimated $1.6 billion annually due to outages and cyber‑related incidents. The bar is moving from “we have backups” to “we can prove we can recover” — with defined and tested RTO and RPO targets, immutable backups, separation of duties, and regular restore testing.
Operational Technology emerged as a particularly urgent area. Legacy environments are being connected faster than they are being secured, especially within critical infrastructure. Expectations are shifting toward audited baselines, clearer accountability, and governed third‑party access.
Asset visibility, segmentation, and controlled vendor access were highlighted as practical foundations organisations can begin implementing now.
The overarching message from the summit was clear: cyber resilience is increasingly a leadership responsibility. Not because leaders need to be technical, but because prioritisation, habits, and governance ultimately drive outcomes.
The pattern is consistent. When identity is treated as foundational, AI is governed sensibly, and response and recovery are practised, organisations cope better when things go wrong.
If you’d like to go deeper on any of the areas above, come and chat with the team at Dicker Data. We’re happy to share what we’re seeing across the market and practical ways to help you and your customers get started: software.sales@dickerdata.co.nz