Cybersecurity in the Public Sector

Five-Day Intensive Classroom Programme | Wellington, New Zealand

Programme Overview

This five-day programme equips senior and mid-level government officials with the knowledge, frameworks, and practical tools required to strengthen cybersecurity governance and resilience within their public sector organisations.

It is designed for officials with policy, management, or leadership responsibilities in the areas of digital government, ICT, national security, public administration, or civil service management – not for technical specialists alone, but for those who must lead and govern cybersecurity as an institutional and strategic priority.

The programme is delivered in Wellington, New Zealand, and includes daily site visits to New Zealand government agencies at the forefront of public sector cybersecurity. New Zealand is consistently ranked among the world’s most digitally advanced and cyber-resilient governments, and the programme leverages this standing to provide participants with direct exposure to mature, operational cybersecurity capabilities and the leaders who have built them.

Each day addresses a distinct dimension of public sector cybersecurity – from understanding the threat environment, through governance and policy, to protecting critical systems, managing incidents, and building the workforce culture needed to sustain a strong security posture over time.

Learning Outcomes

Upon completing this programme, participants will be able to:

  • Describe the current cyber threat landscape facing governments and identify the threats most relevant to their own public sector context.
  • Assess the maturity of their organisation’s cybersecurity governance and policy frameworks against international standards and good practice.
  • Apply structured risk and control frameworks to the protection of critical government systems, networks, and data.
  • Lead and participate effectively in incident response and business continuity planning for cyber events.
  • Design and advocate for a government-wide cybersecurity awareness and workforce development programme.
  • Develop a prioritised cybersecurity improvement action plan for implementation within their home organisation.

Contextual Rationale: Why Cybersecurity Matters for Developing Nations

Governments in developing nations are among the most vulnerable targets in the global cyber threat environment. As these nations invest in digital government infrastructure – including online service delivery, digital identity systems, electronic revenue collection, and interconnected public administration platforms – they create new attack surfaces that are increasingly exploited by a range of malicious actors, including financially motivated criminal organisations, state-sponsored threat actors, and hacktivists.

The consequences of a significant cyber incident for a developing nation government can be severe: disruption of essential public services, exposure of sensitive citizen data, compromise of national security systems, erosion of public trust, and substantial financial cost. Unlike larger economies, many developing nations have limited redundancy in their digital infrastructure, meaning a successful attack on a core system can have cascading effects across government.

Despite this, cybersecurity remains underfunded and under-governed in many developing nation public sectors. Policy frameworks are often nascent or absent; technical staff are scarce and difficult to retain; senior leaders may not yet recognise cybersecurity as a strategic priority; and incident response capabilities are frequently improvised rather than planned. These gaps are well understood by threat actors, who specifically target less defended government networks.

New Zealand’s experience is particularly valuable in this context. New Zealand has built a sophisticated, whole-of-government cybersecurity architecture – including a national CERT, a dedicated National Cyber Security Centre within government, a coherent policy and legal framework, and a culture of cross-agency collaboration – starting from a position, not long ago, of relative immaturity.

The journey New Zealand has taken, and the lessons learned along the way, are directly applicable to developing nations that are now at an earlier stage of the same journey. Critically, New Zealand’s practitioners are experienced in sharing these lessons internationally and understand how to adapt them for different resource environments and administrative cultures.

Programme Format

The programme is delivered over five consecutive days in Wellington, New Zealand. Each day combines structured classroom learning with a site visit to a relevant New Zealand government agency, enabling participants to observe operational cybersecurity practices firsthand and engage directly with New Zealand practitioners.

The programme accommodates up to 18 participants per cohort to ensure the quality of site visit access and depth of facilitated discussion.

Each day includes:

  • Morning classroom session: lecture, case study analysis, or structured workshop
  • Afternoon site visit: to a relevant New Zealand government agency or cybersecurity organisation
  • Debrief and reflection: structured consolidation of learning at the close of each day
  • Evening reading (optional): short preparatory material for the following day’s session

Five-Day Programme Plan

Day Topics and Focus Materials Learning Activities NZ Context and Rationale
Day 1 The Cyber Threat Landscape for Governments.
Understanding the nature, scale, and evolution of cybersecurity threats facing public sector organisations.
  • NZ NCSC: Annual Cyber Threat Report
  • CERT NZ: Government Threat Intelligence Briefing
  • Readings: common attack vectors
  • Case studies: global government cyber incidents
  • OECD: Digital Security Risk Management framework
  • Welcome and programme orientation
  • Keynote lecture: global cyber threat environment
  • Facilitated discussion
  • Workshop: threat mapping exercise
  • Afternoon site visit: NZ NCSC
  • Day debrief and reflection journal
New Zealand’s NCSC is one of the most operationally sophisticated cybersecurity agencies in the Asia-Pacific region. Participants gain direct insight into a mature national cyber defence capability.
Day 2 Governance, Policy and Legal Frameworks.
Building the institutional and regulatory foundations for public sector cybersecurity.
  • NZ Cyber Security Strategy 2019
  • NZ Privacy Act 2020
  • NIST Cybersecurity Framework (CSF)
  • ISO/IEC 27001
  • Case study: building a national framework
  • Lecture: cybersecurity governance
  • Workshop: assessing policy frameworks
  • Panel discussion with NZ CISOs
  • Afternoon site visit: NZ GCDO
  • Group activity: identifying policy gaps
  • Reflection journal
New Zealand has developed a coherent, whole-of-government cybersecurity policy architecture that offers a practical and adaptable model for developing nations.
Day 3 Protecting Critical Systems and Government Data.
Securing the infrastructure, networks, and data that governments depend upon.
  • NZ Information Security Manual (NZISM)
  • CERT NZ: Protecting Critical Infrastructure
  • Readings: cloud security considerations
  • Case study: securing identity systems
  • Overview: zero trust architecture
  • Lecture: critical national infrastructure
  • Technical workshop: applying NZISM
  • Small group exercise: data classification
  • Afternoon site visit: NZ Police or DIA
  • Group synthesis
  • Reflection journal
The NZISM is a highly detailed and useful standard. New Zealand’s experience managing classified information and cloud migration provides directly applicable lessons.
Day 4 Incident Response, Resilience and Recovery.
Preparing for, responding to, and recovering from cyber incidents.
  • CERT NZ: Incident Response Guide
  • NZ Civil Defence and Emergency Management
  • Readings: business continuity planning
  • Tabletop exercise scenario pack
  • Case study: NZ public sector response
  • Lecture: building organisational resilience
  • Tabletop exercise: ransomware simulation
  • Debrief of tabletop exercise
  • Afternoon site visit: CERT NZ
  • Workshop: designing an IR plan
  • Reflection journal
CERT NZ operates an accessible and collaborative incident response service. New Zealand’s integrated approach to cyber resilience provides a scalable model.
Day 5 Building a Cybersecurity Culture and Workforce.
Leadership, awareness, capability development, and planning for the long term.
  • NZ Public Service Commission: Digital and Data Profession
  • NCSC: Cyber Awareness resources
  • Readings: building cybersecurity culture
  • Case study: awareness campaign
  • Action plan template
  • Lecture: the human factor
  • Workshop: designing an awareness programme
  • Guest speaker: senior NZ leader
  • Action plan development
  • Peer review and feedback
  • Closing panel discussion
  • Programme evaluation & certificates
New Zealand’s investment in building a professional government cybersecurity workforce provides a human-centred model essential for nations facing scarce technical talent.

Site Visit Organisations

Site visits are a defining feature of this programme and are carefully selected to align with each day’s learning theme. Proposed visit organisations include:

  • National Cyber Security Centre (NCSC) – New Zealand’s lead agency for national cyber defence, including threat monitoring and classified incident response.
  • CERT NZ – the government’s public-facing cyber incident response and advisory service.
  • Government Chief Digital Officer (GCDO), Department of Internal Affairs – responsible for whole-of-government digital policy including cybersecurity standards.
  • New Zealand Police – Digital Crime Unit and identity management systems.
  • A major New Zealand public sector agency – for discussion of agency-level security governance and workforce capability.

All site visits are subject to host agency availability and appropriate security clearance arrangements. The Institute will confirm visit organisations in advance of each cohort. In the event that a proposed visit cannot be accommodated, an equivalent alternative will be arranged.

Practical Information

  • Location: Wellington, New Zealand
  • Duration: Five days (Monday to Friday)
  • Cohort size: Up to 18 participants
  • Target audience: Senior and mid-level government officials with policy, management, or leadership responsibility for digital government, ICT, national security, or public administration
  • Technical prerequisites: None – the programme is designed for leaders and managers, not technical specialists. A general familiarity with digital government concepts is beneficial but not required.
  • Language: English. Interpretation services may be arranged on request.