When NZ organisations get breached, the same question keeps coming up—"How did this happen when we were compliant?"

By Andrew Johnston | 2 February 2026

Summary

Compliance frameworks like NZISM, PSR, and the Privacy Act were never intended to be treated as annual checklists. Their underlying assumption is that controls operate continuously, risks are reviewed as environments change, and people actively protect information. When organisations treat compliance as a finish line, security drifts — and that gap between audits is where breaches occur. Real security maturity comes from ongoing assurance, not point-in-time compliance.

Cybersecurity Expert Insights - Staying secure requires more than NZISM, PSR, and Privacy Act checks.


Recent incidents across healthcare and legal services show an uncomfortable truth. Compliance with frameworks like NZISM, PSR, and Privacy Act obligations is often treated as a finish line. It is not—these frameworks were never designed to be a once-a-year exercise. Admittedly, if you read only the "must" and "should" language used in the controls throughout these documents, the wording does not obviously support an ongoing maturity methodology and can look like a tick-box exercise.


However, if you look at the control assumptions, the correct interpretation is:


  • Controls are operating continuously
  • Risks are reviewed as environments change
  • People understand their role in protecting information


What actually happens is that an organisation passes its assessment at a point in time, and over the following year the controls slowly drift out of alignment:


  • Access grows but isn’t reviewed.
  • Processes exist but aren’t followed.
  • Security awareness becomes a slide deck instead of a behaviour.


This is where breaches happen: between audits. Regulators and customers don’t just care whether a policy exists. They care whether it’s actually working when it matters.


That’s why compliance alone isn’t enough.


NZ legislation increasingly expects organisations to demonstrate ongoing due care, not just point-in-time assurance. The intent is clear: security must be lived, not documented and forgotten.


Compliance is the baseline. Operational security maturity is the outcome. And the gap between the two is where attackers operate.


Need Help Securing Your Environment?

At Liverton Security, we help New Zealand organisations build robust defences against email-based threats.


Our services include:


  • Email security assessments identifying vulnerabilities like SMTP Open Relay and authentication gaps
  • Security awareness training tailored to New Zealand organisations
  • Policy and procedure development aligned with NZISM, PSR, and international standards
  • Governance and risk assessment and training for boards, executives, and operational security and IT teams
  • Penetration (PEN) Testing of cloud, web, network and mobile
  • Incident response planning for email compromise scenarios
  • Ongoing security advisory services for SMBs and local government


Kōrero mai – let's discuss how we can help protect your organisation.


About Liverton Security


Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.


As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.