Meet our CISO Collin Penman
Datacom's Chief Information Security Officer on what's top of mind when it comes to cybersecurity and the one thing an organisation can do to improve its security posture right now.
The State of Cybersecurity Index 2025 highlights a critical gap between leadership confidence and employee readiness. While nearly three-quarters of security leaders believe their employees are well-informed about cyber risks, only half of employees agree.
AI-based cyber-attacks are ranked as the number one concern for security leaders, yet employee awareness of AI risks and cybersecurity policies remains low. At the same time, New Zealand is falling behind Australia in key areas of cyber resilience, with fewer businesses implementing business continuity plans, cloud security strategies, and managed security services.
Collin Penman, Chief Information Security Officer at Datacom, says the findings highlight the opportunity for businesses to take a more structured approach to cyber resilience - ensuring employees are better equipped to handle cyber threats while maximising the benefits of emerging technologies.
“Some organisations are getting this right, with business continuity and resilience plans in place, but they remain the exception rather than the rule. Leaders are overestimating employee preparedness, and that overconfidence increases cyber risk. With threats becoming more sophisticated and AI adoption rising, businesses need to double down on security investment and governance. The opportunity is there to leverage technology for growth, but it has to be done safely and responsibly.”
New Zealand security leaders believe their organisations are cyber ready, but employees are divided.
The survey found that while most security leaders (71%) believe employees are well-informed about cyber risks, only half of employees agree (51%), indicating many employees may not recognise or know how to respond to a cyber threat accordingly.
At the same time, burnout is weakening defences. Three in five New Zealand security leaders (61%) report cyber fatigue, surpassing Australia (58%), signalling the increasing strain on tech teams.
“There is a real risk that businesses are operating with a false sense of security. Leaders believe their teams are ready to tackle threats, but this disconnect is leaving businesses exposed. Cybersecurity is only as strong as the organisation's weakest link, and if employees don’t have the right training or awareness, security strategies won’t hold up when they’re most needed.”
In the year ending June 2024, The National Cyber Security Centre (NCSC) recorded 7,122 cybersecurity incidents, marking a significant increase in malicious cyber activity across the country. Of these incidents, 343 were considered of potential national significance. (1)
“This demonstrates the pressing need for robust security frameworks and incident response capability,” Penman added.
AI adoption and confidence are growing rapidly across New Zealand businesses. Datacom’s latest State of AI Index: AI Attitudes research shows two-thirds of organisations now use AI and 80% report a positive impact, improving efficiency in automation, data analytics, and workflow optimisation.
However, as AI adoption increases, many businesses lack clear governance frameworks to ensure security keeps pace with innovation. The State of Cybersecurity Index 2025 found that four in ten employees are using AI tools like ChatGPT and Copilot, but fewer than one in four have read their organisation’s AI security policies.
Meanwhile, six in ten employees are unsure whether their organisation has safeguards in place.
Penman says, “AI is proving to be a transformative force for businesses. The challenge now is to ensure security and governance keep pace with its adoption. A recent report projects an economic boost of NZ$76 billion by 2038 from generative AI (2), reinforcing its role in shaping the country’s future economy.
“New Zealand businesses are already experiencing a positive impact, and as confidence continues to climb, we expect to see more companies embedding AI into their overall strategy to handle more advanced tasks like complex decision-making and enhancing employee productivity.”
The report highlights a gap between New Zealand and Australia in cybersecurity readiness. New Zealand businesses are significantly less likely to have a cyber resilience plan in place, and fewer have formal cloud security strategies or managed security services.
The research also found that Australian employees are more likely to be aware of AI security risks than their New Zealand counterparts.
“New Zealand cannot afford to fall behind in cyber resilience,” says Penman.
“With AI adoption accelerating and cyber threats evolving, governance must be embedded into business and security frameworks. Cybersecurity investment supports business continuity, growth, and trust - because preventing a breach is always better than responding to one.”
(1) NCSC Cyber Threat Report 2023/24, released February 2025
(2) Microsoft Report Generative AI: What have we got to win?
The State of Cybersecurity Index 2025 findings are based on a survey of 211 security leaders and 506 employees in New Zealand and Australia. The survey was conducted in November 2024 by TRA.
