Five IT questions every CEO in New Zealand should be asking their technology provider
IT systems are no longer just a back-office function. They are central to business continuity, customer trust, and competitive advantage. Without them functioning as they should, many businesses would come to a complete standstill.
For CEOs and board members in Canterbury and across New Zealand, understanding the health of your organisation's digital ecosystem is essential, even if you're not a technical expert.
The challenge? Knowing what to ask.
Here are five essential questions that every CEO or board member should ask their IT manager or technology provider to assess whether their organisation's systems are secure, resilient, and fit for purpose.

1. How do we know that we're doing things right?
This question underpins everything. We've found that if you ask the question 'How do you know that your technology is set up and running as well as it should be?', many people fumble an answer. Or the response is an honest 'I don't know.'
As with other key areas of your business, your digital ecosystem also needs checks, balances and assessments so that you can identify what technology is performing well, what isn't, what is keeping up with industry improvements and what might be holding you back. Importantly, all this needs to be reviewed through the lens of 'what's right for your business', not just what's right for businesses in general.
This is not a quickfire Q&A. You'll need to ponder this, talk to the right people and establish baselines.
Good questions to start the journey are:
- Who are we implicitly trusting when it comes to our technology, and are we able to assess their expertise and performance?
- Who do our systems rely on to stay up and running?
- What's the weakest or most vulnerable link in the chain?
It's crucial that CEOs and board members equip themselves to ask the right questions. Knowing that your digital ecosystem is secure, modern and designed for your business needs is different to just asking the question and accepting the answer with no interrogation.
2. How quickly could we recover if we were hit by a cyber-disaster?
Cyberattacks, natural disasters and mass outages are some of the most disruptive threats facing New Zealand businesses today. You can be locked out of critical systems (and the data they manage), bad actors may encrypt your data and demand payment for restoration, or key tools your team relies on to get jobs done may no longer be accessible. The resulting downtime, reputational damage, and potential data loss can have a very real impact on your bottom line.
Ask yourself and your team:
- What systems are business critical for us?
- How long can the business continue to operate if those systems are down?
- How much data can we afford to lose? For how long - an hour? A day? A week?
- Do we have a plan on how we'll operate and communicate with our clients if those systems are down?
Ask your IT Manager:
- What is our recovery time objective (RTO) and recovery point objective (RPO)?
- How long will it take to get our critical systems back online?
- How often do we back up our data?
- Do we have tested backups that are isolated from our main network?
- Have we run a ransomware recovery simulation in the past 12 months?
A confident, evidence-based answer here is a strong indicator of IT maturity and gets to the heart of your digital resilience and business continuity planning.
3. Who has access to what, and how is this controlled?
Access control is a cornerstone of cybersecurity. Unchecked or outdated permissions can lead to data leaks, insider threats, or compliance breaches.
Ask yourself and your team:
- What data is critical for us to protect?
- What would happen if someone else were to access it?
- Have our needs changed since we set up our systems?
Ask your IT Manager:
- Do we use role-based access control (RBAC)?
- How often are access rights reviewed and updated?
- Are we using multi-factor authentication (MFA) across all critical systems?
As privacy regulations are tightened to reflect both the increased sophistication of methods used to obtain data and the increased expectations consumers and businesses have about how their data is obtained and managed, ensuring that only the right people have access to sensitive data will not just be best practice; it will support legal compliance.
4. How are we protecting our customer data and IP?
Customer trust hinges on data protection. Whether you're storing personal information, financial records, crucial business information or health data, your organisation must demonstrate robust safeguards.
Ask yourself and your team:
- What information are we holding that's regulated?
- How are we separating this data from our day-to-day information?
Ask your IT Manager:
- Where is our customer data stored? On-premises, in the cloud, or hybrid?
- Is the data encrypted both at rest and in transit?
- What compliance frameworks do we follow (e.g. NZ Privacy Act 2020, ISO 27001)?
- How would we know if something went wrong? Do we have the tools and skills to uncover how it happened?
With increasing scrutiny from regulators, insurers and customers alike, CEOs must ensure that data protection is a board-level priority.
5. When was the last time our cybersecurity was tested and validated?
Cybersecurity isn't a set-and-forget function. Regular testing is essential to identify vulnerabilities before attackers do.
Ask yourself and your team:
- Have we conducted a penetration test or vulnerability assessment in the past year?
- Who performed it? Internal staff or an external provider?
- What were the key findings, and how have we addressed them?
- Are we regularly training and testing our staff on cybersecurity?
In New Zealand, where cyber threats are rising and digital competitiveness is under pressure, strong cybersecurity defences can make a real difference to how your business will perform when (not if) an incident occurs.
Final thoughts.
You don't need to be a tech expert to lead on tech risk and best practice. By asking the right questions, CEOs and board members can:
- Uncover blind spots
- Drive accountability
- Strengthen resilience
- Protect customer trust
These five questions are a starting point for meaningful conversations with your IT provider. They help bridge the gap between technical operations and strategic oversight and should help ensure your organisation is not only secure but also prepared for whatever's next.

