CISO New Zealand schedule

Drawing on frontline reporting and incident trends, NCSC outlines the current state of New Zealand’s threat landscape covering what’s changing, what’s persistent, and what’s coming next. This session offers clarity on the risks facing Kiwi organisations and where leaders should focus attention to stay ahead.

• The latest threat activity observed across sectors and systems
• Patterns in attacker behaviour, tactics, and target profiles
• Strategic implications for detection, response, and sector-wide resilience 

Join Andrew Brydon, Field CTO at HashiCorp, as he shares a Zero Trust playbook for CISOs to accelerate innovation without compromising compliance. Learn how identity-driven security, automation, and policy-as-code can secure multi-cloud environments, meet sovereignty requirements, and enable teams to move faster while staying audit-ready.

This panel unpacks where organisations are truly using AI, what’s working, what isn’t, and how leaders are separating hype from value in practical, risk-aligned ways.

• How would you assess the current level of AI implementation within your organisation?
• What challenges have you encountered in adopting AI, and how have you addressed them?
• What are the key criteria and considerations for evaluating AI technologies as part of a holistic cyber risk management strategy?  
• What indicators or benchmarks should organisations consider evaluating the effectiveness of AI-driven cyber defence initiatives?

Moderator:

Jason Wood Chair ISACA Auckland

Panellists:

Deepak Veerasamy CISO Kainga Ora

Andy Pace Network & Information Security Manager MediaWorks  

Francis Kaitano Enterprise Security Architect BNZ

Scott Morris Managing Director, Australia and New Zealand Infoblox 

This one-on-one conversation delve into stories behind the decisions, inflection points and leadership lessons that have shaped their journey. From earning trust and building influence to navigating complexity under pressure, the dialogue explores what they might approach differently today and what they still stand by. More than frameworks and controls, this session reveals how the CISO role is defined by the judgement calls that matter, focusing on the personal side of leadership in one of the most high-stakes positions in any organisation.

Interviewee:

Colin James Head of Information Security, Risk Management & Network Services Southern Cross Health Society

Interviewer:

Bob Kombora Head of IT Operations Vulcan

Security leaders are under pressure to secure AI-driven cloud environments at the speed of development. This session unpacks strategies for integrating security seamlessly into AI and cloud workflows, ensuring protection while enabling business agility.

Risk can’t just be understood — it must shape decisions, drive priorities, and speak the language of the business. This panel discusses the keys to embed risk thinking into decision-making, repositioning as a powerful tool for alignment, influence, and long-term value.

• How are leading CISOs reframing cyber risk as business risk?
• What does effective risk communication look like – up, down, and across the organisation?
• How are leading CISOs using risk to manage conflicting prioritise and budget constraints?

• What does good cyber risk governance look like; how it will leave your teams feeling empowered?

Moderator

Kavita Chetty Senior Manager Technology Risk NZAA

Panelists

Ronald Chung Head of Risk (Information, Technology & Cyber Security) BNZ

Laura Marshall Head of Information Security LIC

Richard Harrison Head of Cyber & Architecture Foodstuffs SI 

As AI rapidly transforms the cyber landscape, organisations face both unprecedented opportunities and new layers of complexity in defending against evolving threats. This session explores how to operationalise AI in cyber defence amid increasingly complex threat environments. Corne will unpack recent incidents impacting major organisations, examine practical ways to enhance cyber risk awareness and decision-making using AI and advanced monitoring tools and discuss how executives are navigating the unpredictable nature of AI - balancing innovation with integrity in every security decision.

A cyber-conscious mindset and security-aware culture are non-negotiable. It is not just about ticking boxes with e-learning or phishing tests. Real success is when people instinctively make safer choices and even share tips with family and friends. That’s when culture truly sticks. This session explores practical ways to embed that mindset and turn everyday behaviours into security habits.

Digital transformation and AI aren’t side projects; they’re the growth engines of modern organisations. But the pace of change creates a tension: how do CISOs enable innovation without becoming the brake pedal? In this session, we’ll explore a playbook for balancing ambition with assurance. Drawing on lessons from boardrooms and transformation programs across ANZ, we’ll unpack how to align cyber with business strategy, translate risk appetite into clear decision guardrails, and leverage AI safely to accelerate, not hinder, innovation. The result: a pathway where security isn’t a compliance afterthought, but a catalyst for resilient growth.

• How to align digital transformation goals with cyber strategy.
• Turning risk appetite into practical decision-making guardrails.
• Where AI can safely speed up both defence and innovation.
• Positioning cyber as an enabler of resilience and growth.

Cyber incidents don't stay confined to the SOC — they quickly become whole-of-business events. This session explores how security leaders are aligning technical response with executive-level crisis management to ensure clarity, speed, and coordination when it matters most.

• The anatomy of cyber disruption from a senior leadership lens – what makes it uniquely difficult?
• How to build "muscle memory" for high-pressure response (beyond the plan)
• Bridging the gap between security experts and executive decision-makers

Phishing attacks are increasingly outsmarting traditional defenses by hijacking trusted infrastructure like Microsoft’s Direct Send. These sophisticated threats first evade legacy email filters and then go a step further, bypassing even multi-factor authentication, to deliver dangerous emails directly to CxO inboxes. Leveraging hyper-personalised tactics and advanced social engineering, attackers circumvent email authentication checks and exploit internal mail flows—putting every executive’s mailbox at risk. Blocking obvious spam is no longer enough; today's phishing is invisible, relentless, and requires modern security strategies built for today’s evolving threat landscape. Toby Guthrie from Abnormal AI will share insights on real-world examples and targeted campaigns seen in the wild.

Tick-box compliance is no longer enough. This presentation explores how organisations are moving beyond policy-driven approaches to build real and measurable cyber capability through their GRC functions. Learn how embedding technical thinking into risk frameworks, reporting and decision-making helps turn intent into action and drives stronger security outcomes.

Attackers are not "hacking in, they are logging in", they target your user accounts (like Active Directory) before anything else. Why? To break your recovery plans. This talk shows how they get in and how you can stop them.

Join Adarsh as he shares how security operations were enhanced within a critical infrastructure environment. This session will explore strategies for increasing log visibility in high-risk areas, aligning threat intelligence with detection workflows, and validating coverage through adversary simulation. It will also cover the application of structured frameworks to guide detection engineering, the use of meaningful metrics to track progress, and practical approaches to overcoming operational challenges.

Most companies are trying to use AI to streamline their cyber defences. Discover how AI-powered automation can enable organisations to shift from reactive patching to proactive risk reduction. Learn how agentic AI can:

• Continuously assess and contextualise risk across hybrid environments
• Automate remediation workflows based on business impact and exploitability
• Empower security teams to focus on strategic initiatives, not manual triage

Agentic AI is reshaping the future of cyber risk operations, turning complexity into clarity, and risk into resilience.

68% of all data breaches are due to human error, and despite significant investments in technical safeguards, phishing and social engineering attacks remain the #1 threat to your organisation.

This session will explore:

• The critical shift from traditional security awareness to human risk management (HRM).
• How social engineering and phishing—particularly via email—remain the primary vectors for breaches and ransomware, now amplified by AI technologies that make sophisticated attacks accessible to novice cybercriminals.
• Explore frameworks to quantify human risk, establish meaningful benchmarks, and provide clear metrics to measure success.

As organisations move to SaaS and cloud native or hybrid models, identity has become the new security boundary and a frequent source of risk when transitions expose gaps attackers are quick to exploit. This session explores the key questions CISOs should be asking, including:

• What’s really changing in how we manage and secure identity?
• What have we seen go wrong and how can it be avoided?
• Are we thinking clearly about trust, privilege, and lifecycle in cloud-based environments?
• How do we reduce complexity while maintaining control?

What does the future hold for software supply chain security in 2026? As the types and volume of software entering organizations continue to evolve, DevSecOps teams face increasingly complex challenges, including:

• How can organisations effectively manage what enters their systems?
• How can remediation be accelerated without sacrificing accuracy?
• How will the rise of AI reshape our threat landscape, and can DevOps and security unite without adding friction?

In this session, we will explore key insights into the looming challenges of software supply chain security and how they will transform operational practices. By analysing recent high-profile supply chain attacks in npm, we will expose malicious threats and offer practical, actionable solutions to mitigate both current and emerging risks. As our attack surfaces shift alongside evolving technologies, join us to discover innovative strategies and capabilities that seamlessly reintegrate security into DevSecOps.

Cyber resilience doesn’t stop at the enterprise boundary — especially in a sector reliant on seasonal staff, contractors, and legacy tech. Join Bryan as he shares how one of Australasia’s largest horticulture businesses manages cyber risk across a complex, distributed operation.

• Managing cyber security across a sprawling, seasonal, and third-party-reliant operation
• Tackling the “unsexy” risks: shared passwords, insecure remote access, outdated SCADA/PLC systems
• Setting up vendor controls, contract guardrails, and alignment with business risk appetite
• Cultivating cyber awareness in an industry where IT is often invisible — until something breaks.

This fireside chat explores what defines an effective cyber strategy in the New Zealand context — from aligning with business priorities and building resilience to uplifting sector capabilities and navigating a lighter regulatory environment. A forward-looking conversation on what matters most now, and what’s next.

Speakers:

Phil Ross CISO Air New Zealand

Edd Barber CISO WEL Networks 

In today’s rapidly evolving threat landscape, organisations must move beyond reactive security strategies and embrace predictive intelligence to stay ahead of adversaries. The rise of generative AI has dramatically lowered the barrier of entry for cybercriminals - enabling faster, more focused attacks that are harder to detect and easier to automate. This session explores how Infoblox leverages the untapped potential of DNS data to deliver actionable, predictive threat insights that empower security teams to anticipate and mitigate attacks before they materialise. By transforming DNS into a rich source of early warning signals, Infoblox enables organisations to proactively defend their environments, reduce dwell time, and strengthen their overall security posture.

New Zealand’s flexible, trust-based approach to cyber security has long been seen as a strength — but is it enough? With rising threats and growing interdependence, this panel explores whether the time has come for stronger, enforceable regulation, and what a proportionate, uniquely Kiwi model might look like.

• Is voluntary compliance still working or are gaps widening across sectors?
• What would smarter, targeted regulation look like? vs. more red tape?
• Should New Zealand follow Australia’s lead with sector-specific obligations such as SOCI Act?

Moderator:

Rebecca Holdsworth Head of Privacy & Responsible AI One NZ

Panellists:

Kavita Chetty Senior Manager Technology Risk NZAA

Deepak Veerasamy CISO Kainga Ora

Scott Shearman CISO House of Travel  

This panel explores how security leaders are embedding a culture of cyber awareness across the organisation. From influencing behaviour to measuring impact, hear how organisations are moving beyond annual training to create lasting engagement and shared responsibility.

• How does human behaviour and organisational culture influence the effectiveness of cyber security practices?
• What strategies can foster a security-conscious mindset and encourage proactive digital habits?
• How can organisations measure the real impact of security awareness efforts and adjust over time?
• What does it take to turn employees into active defenders of your cyber environment?

Moderator:

Lakshya Mehra National Security Awareness and Phishing Lead Health NZ

Panellists:

Ronnie Rahman Head of Cyber & Risk Hamilton City Council

Brad Ward Able Head of Digital Security & Assurance Mitre 10

Scott Shearman CISO House of Travel

Andy Pedroso Head of APAC SoSafe

• Explore how AI is transforming modern security operations, enhancing threat detection, prevention, and response.
• Understand the role of AI in enabling data-centric security strategies to prevent breaches and mitigate insider threats.
• Learn how advanced techniques like real-time behavioral analysis, contextual policy enforcement, and adaptive controls strengthen security.

This panel explores how security leaders are navigating supply chain complexity, driving uplift among vendors with varying levels of maturity, and balancing commercial relationships with the need for assurance.

• How are you gaining visibility into third-party and SaaS risk across your ecosystem?
• How are you evolving vendor assessments to keep up with the pace of procurement and onboarding?
• Where should organisations draw the line between shared responsibility and direct control?
• How can mitigation strategies be tailored to address financial, reputational and operational risks linked to third-party vulnerabilities?

Moderator:

Adwin Singh Cybersecurity Domain Lead – CISO Office Inland Revenue NZ 

Panellists:

Eli Hirschauge Head of Info Security ANZ

Darren Beattie Head of Information Security Tower Insurance  

Join Kamo for an unfiltered look inside New Zealand’s cyber threat reality. From dissecting a real phishing kit found on local networks to uncovering how attacker tactics evolve, this session reveals what drives today’s biggest risks including ransomware, credential theft, card fraud, DDoS and hacktivism, and how security leaders can stay one move ahead. Expect sharp insights, local relevance and practical takeaways that help CISOs turn intelligence into action and resilience.

Cyber security investment is a balancing act. The goal isn’t to spend more, it’s to spend wisely. This panel explores how security leaders are aligning investment with actual risk, avoiding overengineering, and prioritising what matters most. From risk assessments to board conversations, it's about building fit-for-purpose capability that protects what counts without paying for the platinum package when the essentials will do.

• How do you prioritise investment toward high-value areas without overinvesting in low-risk domains?

• What metrics or KPIs help demonstrate whether security spend is driving real impact?

• How can you balance the need for thorough evaluation with the urgency of fast-moving threats?

• What are the key challenges in securing board support and how do you respond when the answer is no?

Moderator:

Luke Taylor CEO SSS Cybersecurity Specialists

Panellists:

Ashley Archibald CISO Natural Hazards Commission

Marek Jawurek Head of Cyber Security Advisory Ampol

Hassham Idris Manager Cyber Risk and Assurance Ministry of Justice - New Zealand 

OT is digitalising fast and remote access is now the softest target. Join us for a pragmatic walkthrough of the SANS 5 Critical Controls, with a special focus on securing remote access without slowing operations. We’ll unpack common missteps (and why they happen), share lessons from the field, and show how to implement controls that both the security team and the engineers will actually support.

This panel explores the expanding ecosystem of cyber decision-makers — from heads of risk and GRC to operations leads, architects, and advisors — who are driving impact without necessarily holding the top title. Hear how they’re shaping strategy, building capability, and influencing outcomes across diverse career paths.

• What leadership roles are emerging beneath or alongside the CISO?
• How can professionals grow influence without chasing a title?

• How can organisations recognise and support non-linear career growth?

Moderator:

Michael Karich Deputy CISO University of Auckland

Panellists:

Ronald Chung Head of Risk (Information, Technology & Cyber Security) BNZ

Lakshya Mehra National Security Awareness and Phishing Lead Health NZ Francis Kaitano Enterprise Security Architect BNZ

Bridging the gap between strategy and execution is one of the hardest parts of cyber leadership. This session explores how to turn high-level plans into clear, achievable actions that deliver measurable outcomes. From prioritisation and stakeholder alignment to delivery roadmaps and metrics that matter, it’s about making cyber real across the organisation. 

Innovation and security are often seen as opposing forces, but the most successful organisations find ways to balance both. This dialogue brings together forward-thinking cyber security leaders to explore how to foster creativity while maintaining the rigour needed to safeguard organisations.

• What does an innovation mindset mean to you as a cyber leader and how have you applied it in practice?
• How do you create space for experimentation and bold ideas in environments where minimising risk is the norm?
• Can you share a moment where thinking differently led to a shift in your cyber strategy, tooling, or team culture?

Speakers:

Shawn Wang Head of Cybersecurity Governance Risk & Architecture Spark

Kane Narraway Head of Enterprise Security Canva