Cyber breaches don't start in IT - they start in the boardroom.




When a major cyber breach occurs, like the one involving Manage My Health in the closing days of 2025, the public debate follows a familiar pattern. Everyone has something to say, even though very little reliable information is available at the time.


It brings to mind an old saying: those that speak do not know, those that know do not speak.


Not long ago I was in a meeting with senior health leaders when one executive said, in effect, “I don’t want to spend scarce health dollars on cyber security. Everything gets hacked eventually, so what’s the point?”


What shocked me most was not the comment itself, but that nobody in the room challenged it.


To me, it sounded like, “We don’t need sprinklers or smoke alarms - we’ll deal with the burning building if and when it happens.”


Years earlier, when I was part of the executive team at a large hospital, the fire service advised after a routine check that our fire safety systems needed upgrading. The cost was significant, and some managers understandably questioned whether the money would be better spent on patient care.


The fire service’s response was simple. Fire safety is not optional. If the hospital failed to comply, it could be shut down.


Those two memories came back to me when news broke of the Manage My Health breach, now reported as the largest of its kind in New Zealand.


Together, they illustrate both the problem and the solution.


What's the real problem?


Anyone who has been involved in managing a major cyber incident knows that the hardest part is simply working out what has happened. When vast amounts of personal data are involved, clarity takes time. In the early stages, speculation - however well-intentioned and inevitable - rarely helps with that process.


High-profile incidents also act like Rorschach tests: people see a reflection of what they already believe. Some argue the breach is the result of under-investment in public sector digital teams. Others say organisations should have done more to secure their systems. Some shrug and say breaches are inevitable.


Under growing public pressure, the Minister commissions an inquiry. That is a normal and understandable response. But while the investigation is necessary, it does not help much in the middle of a crisis.


Pointing out that a disaster should never have happened is of limited value when people are focused on containing damage and protecting individuals.


Kiwis live with constant awareness that earthquakes, floods, or volcanic eruptions could strike at any time. We do not respond by saying civil defence is a waste of money, or that disasters should not occur.


Instead, we plan for the worst and hope for the best.


The EQC fund made a real difference after the Christchurch earthquakes. It was not perfect, but few would argue we would have been better off without it.


The same is true of KiwiSaver. When it was introduced, there was strong opposition. Yet many people now acknowledge it helped them save in ways that good intentions alone rarely achieve.


Cyber security is a similar kind of challenge. It is costly but essential infrastructure, and it is invisible (and thus under-appreciated) when it works. It does not attract customers or improve services in obvious ways. As a result, it is often under-funded until something goes wrong.


As consumers, we enjoy the convenience of digital services. We accept assurances that systems are secure and ask few questions - until a breach affects us personally. It is massively cost-effective (in the short term) to provide such assurances while skimping on the detail work to make them real.


A modest proposal: take responsibility


What is missing is the cyber security equivalent of the fire service: a trusted authority with the expertise, independence, and authority to insist on reasonable standards before a crisis occurs.


In the absence of any such authority with real powers, boards of directors will take the advice of people that they trust. The evidence of recent years clearly shows this is not working.


We wouldn’t excuse fiscal irresponsibility on the basis that directors don’t understand accounting practices. I don’t see why it should be any different with cyber security.


This is not a technical issue; it is a governance issue, and it needs to be governed properly by people at board level who understand what they are dealing with. This doesn’t require directors to become technical experts; it requires them to take the threat seriously.


Digital threats are amongst the most prevalent risks for any business. It’s long past time for them to be governed with forethought by the people who have the power to actually mitigate them.


Until everyone does so, the same arguments will be replayed every time a major breach occurs.


And the next one might be tomorrow.



CIO Studio provides independent digital strategy and leadership for New Zealand's health, NGO, and community organisations. If you want to talk to an expert about mitigating your cyber security risk, get in touch for a no obligation conversation.