Cyber Security Strategy and Action Plan Public Workshop Summary

In the week of 25 June the National Cyber Policy Office held workshops in Auckland, Wellington and Christchurch on the refresh of New Zealand’s Cyber Security Strategy and Action Plan (released in 2015).

The workshops were an opportunity to hear from a diverse range of stakeholders, including Connect Smart partners and the broader community.  This included representatives from multi-national corporations, telecommunications companies, energy companies, banks and financial services, insurance, district health boards, a range of cyber security and IT providers, universities and other tertiary education providers, non-government organisations and more.  The workshops were split into four activities. We asked the participants:

  • why is cyber security important to individuals, businesses and the community, New Zealand, and the world?
  • what principles are important when addressing cyber security?
  • what should be our goals?
  • what do we want New Zealand to be known for in the cyber security space?

Workshop Photo 1

Discussion during an Auckland workshop                                                                                                 

WS Minister Curran

Minister Clare Curran addressing a Wellington workshop

We gained valuable insights and ideas from participants in the workshops. Some of the key themes and concepts are set out below. 


What is important for an individual’s cyber security?

Vision- Individuals

What is important for businesses and the community?

Vision- Business and Community 

What is important for New Zealand and the World?

 Vision- NZ and the worldWhat is important to Everyone?

 Vision- everyone



What do we need to bear in mind when implementing the Cyber Security Strategy and Action Plan?

 WS Principles

Goals and priority areas

Participants generally considered the current goals (resilience, capability, addressing cybercrime and international cooperation) to still be relevant and appropriate areas of focus.  Some participants challenged whether they should remain in their current form. For example, some participants said that the goals were too narrow or reflected what should be standard practice or business-as-usual, and could be more ambitious.

In groups, participants focused on what more might need to be done in each area:   



Current goal: New Zealand's information infrastructure can resist cyber threats and we have the cyber tools to protect our national interests.


Examples of some of the questions:

  • What more can be done to support small and medium businesses (SMBs)?  How can we ensure basic cyber hygiene at the point of entry into business?
  • How can we be more proactive in preventing cyber incidents (rather than being the ambulance at the bottom of the cliff)?
  • How do we improve information sharing between government and private sector on threats and mitigations?
  • Is enough being done to protect critical national infrastructure – and how is critical national infrastructure (CNI) defined?  Is the balance right between protection of CNI and SMBs?
  • How might we incentivise organisations to improve cyber security?  What “teeth” are required?  Should there be a national standard for cyber security insurance?




Current goal: New Zealanders, businesses and government agencies understand cyber threats and have the capability to protect themselves online


Examples of some of the questions:

  • How can particular vulnerable sectors be supported (e.g. elderly)?
  • How can we increase awareness and understanding of cyber security issues?  How can we demystify and make it easy for non-technical people?
  • How can education at all levels on cyber security help to generate a cyber security workforce?
  • How can we improve the cyber security awareness of employees, and also Chief Executives and Board members?
  • Is the school curriculum appropriate? Are teachers trained on cyber security? Should there be cyber security scholarships? Could student loans be off-set to attract students?  Is there adequate investment?




Current goal: New Zealand improves its ability to prevent, investigate and respond to cybercrime


Examples of some of the questions:


  • How can we prevent cybercrime and minimise the impact? 
  • How can we improve international cooperation on cybercrime?
  • Is New Zealand legislation fit for purpose to address cybercrime?  Are there gaps?  Does it enable law enforcement detection of cybercrime?  Does it enable “responsible disclosure” of vulnerabilities?
  • Is there clarity about where to report cybercrime and what to do? 
  • How do we measure incidents of cybercrime and understand trends (e.g. who is targeted and vulnerable)?
  • What restitution and support is available to victims post-cybercrime?




Current goal: New Zealand protects and advances its interests on cyberspace issues internationally


Examples of some of the questions:


  • Should “international cooperation” be expanded to include cooperation across domestic and international stakeholders?
  • How can we leverage off our international relationships and links to international organisations (and not reinvent the wheel)?
  • How could New Zealand influence the development of global standards on cyber security?
  • How can New Zealand be a good international citizen on cyber security issues, including promoting norms and international law, and working with a cyber security coalition?
  • How can we support our Pacific neighbours to improve their cyber security?
  • How do we ensure that international regulations and cooperation match the borderless nature of information flows?
  • What should New Zealand do to support the international network of CERTs as independent and trusted national entities?


What else?  We also asked the participants what goals or priorities are missing. Below are some examples of the questions and ideas posed by participants:

  • How can we better measure and evaluate progress?
  • How can we ensure the refreshed Strategy has the necessary resources?
  • How can we be “proactive by design, thinking about tomorrow's security not just today's”?
  • How do we create the “cyber aware citizen”?
  • How can we encourage innovation in the cyber security industry?
  • How can the public and private sector jointly develop the cyber security workforce?
  • How can we meet the differing needs of individuals, businesses, community organisations, and the country as a whole?

 Next steps and having your say

The workshops are one part of the understand phase of the Cyber Security Strategy refresh:

If you have any questions, feel free to get in touch at

The National Cyber Policy Office