ZX Security

Cyber Strategy and Risk

We can help you identify and assess the security posture of your systems and people.


The ZX Security virtual Chief Information Security Officer (vCISO) offering is unique in the marketplace. We differentiate ourselves from the competitors in a number of ways:

  • Our vCISO team has been there and done that. They come from operational backgrounds and have worked their way through the industry as technical and business leaders.
  • We can accurately gauge how much effort is involved to complete a task based on our own experience.
  • We provide guidance based knowledge acquired with major NZ and international customers. The team has experience with a wide range of business sizes and industry sectors, from 2 up to 1,200,000 seat companies, across government, health, energy and technology sectors.
  • You aren’t just getting one person when you sign-up for the vCISO offering, you are receiving access to the whole ZX Security consultancy team.
  • We won’t write pages and pages of policy documentation that you will never read. We will produce a clear, concise plan that will assist you in meeting your security objectives.

We provide a wide array of services under the vCISO banner that will be of use to your business depending on where you are in your security journey. Typically, we will work with you to identify a manageable number of activities that, once implemented, will improve information security within your business.

If you think it is time to improve the security of your business this may be an opportune time to engage with ZX Security.


  • Risk / Privacy assessments

    A risk assessment puts information security threats into context for your business and provides security control recommendations to manage risk to a level that is tolerable to you. We work closely with you to understand how your business functions and how you use technology. We will:

    • Develop likelihood, impact and overall risk scales that make sense to your business.
    • Assess risk for your key information systems.
    • Identify the use of personal information and ensure you are compliant with the Privacy Act 2020.
    • Develop a catalogue of security controls that are used to manage your risk, including metrics to measure their ongoing effectiveness.
    • Develop risk assessment processes and templates that can be used when implementing new technologies or upgrading existing systems.
  • Security Health Check

    A Security Health Check provides you with a snapshot of how securely your business is operating, using recognised good practice guides and vendor supplied recommendations. The Security Health Check can quickly identify any critical weaknesses that, if exploited, may result in information being disclosed to unauthorised persons, being destroyed or being maliciously modified. The Security Health Check is not a full audit, but will provide an overview of:

    • The security posture of your people, processes and technology.
    • How systems have been configured (a configuration review).
    • The software, firmware, and hardware versions in use, and any known vulnerabilities.
    • Your access control practices, including:
      • Your management of passwords
      • Use of two-factor authentication
      • User provisioning and deprovisioning
  • Incident Response / Disaster Recovery

    How you respond to an information security incident can make the difference between having your business’ reputation destroyed or being able to manage the fallout allowing you to maintain your reputation and customers. We will help you to:

    • Develop an incident response plan that provides clear step-by-step guidelines on how to respond to an information security incident, including who to contact if the incident cannot be managed internally, and when to contact them.
    • Develop a communications plan. A communications plan will put you on the front foot and allow you to communicate confidently and accurately with your staff, clients, the media and other stakeholders.
    • Work with incident response experts to effectively manage an information security incident.
    • Carry out an independent post-incident review to identify what went well and what could do with improvement.
    • Carry out incident response exercises involving security teams and information owners.
  • Regulatory Support

    We will help you identify legislation, regulations and standards that may be applicable to your use of information and information systems. These may include:

    • Privacy Act 2020
    • EU General Data Protection Regulation (GDPR)
    • New Zealand Information Security Manual (NZISM)
    • The Payment Card Industry Data Security Standard (PCI DSS)
    • ISO/IEC 27001 Information Security Management

    We will provide a high-level assessment of your compliance to these standards and identify areas of immediate concern.

  • Security Roadmap / Programme of Work

    A security roadmap of activities will be developed based on our findings from previously completed tasks, such as the risk assessment or health check. The programme of work will:

    • Prioritise activities.
    • Provide a clear indication of milestones and target state.
    • Provide an estimate of costs and required effort.
    • Track progress to date.
    • Assess the reduction of risk after each achieved milestone.
  • Security Training and Awareness

    All staff must be aware of information security threats and the common and current methods used to trick people into performing an action that may have disastrous consequences. We will work with you to develop a Security Training and Awareness programme that will:

    • Ensure staff can identify and report potential or actual information security incidents.
    • Identify key staff that require specific training.
    • Define information security responsibilities for all staff.
    • Keep staff up to date on common and current threats, such as ongoing phishing attempts and scams.
    • Conduct regular phishing campaigns against staff to ensure the Security Training and Awareness Programme is successful

    We offer other security-related training courses too.

  • Security Operations

    Security Operations is the continual monitoring of your security controls and ensuring that regular and ad hoc tasks essential to your security posture are completed as required. We will help you develop processes and guidelines to:

    • Monitor the effectiveness of your key security controls and ensure early warning of potential issues.
    • Manage and analyse system logs and alerts.
    • Maintain the security of your infrastructure.Review changes and assess their impact on information security.
    • Review changes and assess their impact on information security.
    • Perform security investigations.
    • Keep up to date on current threats.
    • Perform vulnerability assessments.
  • Software Development Life Cycle (SDLC)

    We will work with you to ensure security is considered at all stages of your solution’s lifecycle, from development and implementation through to its ongoing maintenance. We will achieve this by helping you to develop processes to ensure security tasks are considered and completed as required. We will:

    • Help you assess the risk to a proposed solution or change (see Risk Assessment).
    • Let you know when/if penetration testing is required.
    • Manage relationships with external security providers, such as penetration testers and code reviewers.
    • Work with project teams to develop security requirements and to provide advice and guidance.
    • Help you evaluate products, vendors and designs against your security requirements.
    • Work with you to develop configuration templates and “gold” build images.
  • Security Policy Documentation

    All staff must use information systems responsibly and must protect company information. We will work with you to develop pragmatic and concise information security policy that can be adopted by all staff.

  • Reporting

    We will keep your key stakeholders up to date on the current state of information security within your company. This will be done through:

    • Regular reporting of activities completed and the progress of key security initiatives.
    • Attending board meetings / steering committee meetings as required.

    Reporting on the effectiveness of your key security controls, showing trends over time.

  • Solution Design Review / Control Framework Alignment

    ZX Security has extensive experience building systems that implement security controls for our clients. This knowledge allows us to identify shortcomings in customer designs and highlight these issues before the solution moves to the implementation phase, saving our clients time and re-design effort.

    We provide our customers with assurance that a design has been reviewed from an information security perspective and that any identified security issues have been appropriately highlighted.

    We also have a breadth of knowledge in understanding various security frameworks (NZISM, NIST CSF, ISO/IEC 27001) and the underlying controls that need to be implemented for differing information security classifications.

    At the conclusion of an engagement we present the client with a detailed report. This report presents the identified security issues in an easily digestible format with a focus on the risk and impact to the business of a particular vulnerability being realised.

  • Board Advisor Service

    The Institute of Directors have highlighted the importance of boards paying close attention to cyber security risk.

    They say “the principles behind cyber-risks are no different to other areas of risk. Boards must graps the specific risks, determine risk appetite and take actions to deal with cyber-risk”.

    Engaging an external and independent advisor can help your board understand and address these risks. Our Cyber Strategy and Risk Team work with senior leaders and boards by reviewing the current state of a company’s cyber security and assisting boards to understand the technical issues in a business-focused context. We advise on what risks could be accepted and which need treating, and can propose a prioritised plan based on your risk appetite, available budget, and business operating context.

    We can work with you on a retainer basis to regularly brief you on current threats and risks, and to review reports from your IT team or third-party vendors to ensure you are making decisions based on clear and independent advice.

  • Due Diligence for Mergers & Acquisitions

    These are some of the most significant financial decisions a company can make, whichever side of the transaction you are on. A thorough assessment of a company’s cyber security posture can ensure that this is considered when determining the appropriate valuation, and when considering Warranty and Indemnity insurance.

    ZX Security has deep experience in assessing the cyber security of a business, across all facets of their People, Processes and Technology.

    Where the transaction involves bespoke software or code, we can conduct a comprehensive review of the code to:

    • determine the quality of the code and how well deployment is managed
    • identify security vulnerabilities that may leave you exposed
    • understand where open-source software may have been included and associated license obligations and conflict analysis.
  • PSR Assessment, Roadmap and Uplift

    Understanding and building your maturity across the four Protective Security Requirements (PSR) domains of Governance and Information, Personnel, and Physical security should not only be for the mandated government agencies. All organisations that work with government information, including private companies, should consider assessing themselves against the PSR. This enables you to demonstrate to your government clients that you are meeting the same standard that they are required to meet.

    Depending on your needs, we will work with you to assess your maturity across all four areas of the PSR or will perform a more targeted assessment against one or more of the areas.

    Following the assessment, we will work with you and your senior leadership to determine appropriate target maturity levels and develop a tailored roadmap to support you achieving these.

    We can also support with the implementation of the roadmap. This could include:

    • Development of policies and processes.
    • Project/programme management.
    • Progress reporting.
    • Periodic reassessment.
  • ISO/IEC 27001:2022 Implementation

    Increasingly, organisations are being asked by stakeholders to prove the effectiveness of their information security practices through certification against standards such as ISO 27001.

    Achieving this can seem like a daunting task for many organisations. Our experienced ISO27001 consultants can help you to go from nothing, to ready for certification. To support your alignment to ISO 27001 we will:

    • Conduct a readiness assessment to determine the gap between your current state and achieving certification.
    • Work with you to implement the standard, including conducting risk assessments, development of policies and processes, and documenting control design.
    • Conduct internal audit assessments to assess control effectiveness and overall effectiveness of your ISMS.


We start with an initial meeting where we will:

  • Understand what your business does and where the key areas of risk are
  • Discuss the services that we deliver under the vCISO offering
  • Determine whether an initial light risk assessment or Security Health Check are necessary
  • Document a scope for the engagement which covers
    • The services you wish to subscribe to
    • How often the vCISO will work with you to meet your objectives.

The amount of time we spend working with you will differ from client to client, the most common engagement options are:

  • Casual - On site or remotely one to two days per week
  • Dedicated - On site for a longer period of time (typically a few months) to build a programme of security
  • Ad-hoc - we bill you a minimum of eight hours per month and you have the ability to call us for any security related matters