CERT Is Gone – Who Picks Up the Phone Now?

GovernmentSecurity
Written By Vic MacLennan

This week, the government quietly confirmed what many of us in cyber security circles have long seen coming — CERT NZ has been formally merged into the National Cyber Security Centre (NCSC), shifting New Zealand’s public-facing cyber response into the state intelligence apparatus.

The news barely made a ripple. But it should have!

I was part of the former Cyber Security Advisory Committee (CSAC), a group formed to provide expert advice to government on how to improve cyber resilience for all New Zealanders. Our report back in 2022 recommended the creation of a single front door for cyber security — a trusted, public-facing agency to simplify access, reduce confusion, and stop issues from falling between the cracks. The committee was disbanded about 18 months ago with the change of government, but the advice we offered still stands.

We didn’t specifically recommend what has now happened: folding CERT NZ into the GCSB’s NCSC. We asked for a clear, standalone public-facing function.

In fact, we spent quite a bit of time looking across the ditch and pointed to Australia’s model. There, the government brought cyber functions together under one umbrella — but they also appointed a Minister for Cyber Security, giving the portfolio political weight and ensuring cyber isn’t buried behind closed doors. Their model balances national security with public accountability. Ours now risks tipping the wrong way.

My biggest concern - New Zealanders have been missing out on the kind of clear, well-supported incident response they deserve. Small businesses hit by ransomware. Parents dealing with online harm. Individuals who didn’t know where to turn. The very people we were trying to help. Hopefully this new structure will simplify things.

The upshot of this blog post - cyber security must remain user-centred, not state-centred.

Don’t get me wrong - The NCSC does excellent work protecting national infrastructure and government systems, but it’s not naturally designed to serve the public. We need to ensure the front door remains visible, accessible, and trusted — especially for small businesses, community organisations, and every citizen - Māori, Pasifica, women, and every marginalised community especially those who struggle to trust government.

That means:

  • Clear, human support — not just a form on a website.

  • Fast, plain-English advice when people are in crisis.

  • Community trust that doesn’t rely on state secrecy.

Merging CERT and NCSC might tidy up the org chart. But unless the government now invests in keeping that front door truly open — well-resourced, empathetic, and easy to find — we risk creating exactly the kind of gap we set out to close.

This isn’t a critism blog post, it’s a focus one. Let’s not let cyber security become something that happens to New Zealanders, rather than with them.

The job isn’t done just because two acronyms have merged. The real work — making sure people feel safe, supported, and digitally resilient needs to start now.

Vic MacLennan

CEO of IT Professionals, Te Pou Haungarau Ngaio, Vic believes everyone in Aotearoa New Zealand deserves an opportunity to reach their potential so as a technologist by trade she is dedicated to changing the face of the digital tech industry - to become more inclusive, where everyone has a place to belong. Vic is also on a quest to close the digital divide. Find out more about her mahi on LinkedIN.

Previous

An AI Tsunami is Hitting India’s Tech Sector — Should we care?
Next

How real-time data can lead to better decisions on everything from NZ’s interest rates to business investment