Okta whitepaper guides NZ firms on cyber standards
Mon, 18th May 2026
Okta has published a whitepaper for New Zealand organisations on meeting the National Cyber Security Centre's Minimum Cyber Security Standards. The guide is aimed at both public sector agencies and private organisations.
Titled "Mastering the NZ NCSC Standards with Okta", the document focuses on how identity controls align with the Cyber Security Capability Maturity Model, or CS-CMM, which underpins the standards. The standards set baseline controls for critical systems across agencies covered by the Government Chief Information Security Officer mandate, with compliance reporting due to begin in April 2026.
The paper is intended to help organisations understand how identity security fits into the maturity-based approach used by the New Zealand framework. Rather than treating compliance as a checklist exercise, it sets out how controls must be shown to be planned, repeatable and effective.
That point was reinforced in a blog published alongside the release. "Unlike a simple checklist, these standards are built on a maturity model, the Cyber Security Capability Maturity Model (CS-CMM). The goal isn't just to have a security control, but to prove that it is planned, repeatable, and effective. While intended for agencies under the Government Chief Information Security Officer (GCISO) mandate, the framework serves as a best-practice guide for any New Zealand organisation serious about building a mature security posture," said Mathew Graham, Chief Security Officer, Asia Pacific, Okta and Nick Connelly, Senior Presales Solution Architect.
Identity focus
The whitepaper identifies three areas where identity is presented as central to meeting the standards: multi-factor authentication, detection of unusual behaviour and least-privilege access. These are framed as primary controls within the wider framework.
On multi-factor authentication, the standards are described as treating MFA as a foundational requirement. The paper points to adaptive controls, risk-based policies and phishing-resistant authentication factors across cloud services and other parts of an organisation's technology environment.
For threat detection, the document highlights behavioural risk analysis, protections against attacks such as session hijacking and brute-force attempts, and tools designed to identify risky OAuth authorisations and unmanaged AI-related applications. The inclusion of shadow AI reflects growing concern among security teams about unsanctioned software and services being used by staff.
The paper also emphasises least-privilege access. It outlines an approach based on just-in-time access rather than standing privileges, applying that model to human administrators, non-human identities and autonomous AI agents. It also refers to automated access certification and ongoing posture monitoring as part of that approach.
Maturity model
The framework behind the New Zealand standards uses maturity levels to assess not only whether controls exist, but whether they are managed consistently. Okta says its guide maps identity-related measures across every level of the CS-CMM and addresses both primary and supporting standards.
It argues that the Level 2 threshold in the model, described as Planned & Tracked, will require organisations to produce evidence that controls are operating in a structured way. That includes audit records and policy enforcement that can be examined during compliance reporting.
Graham and Connelly set out that view in a further quote. "The NCSC Minimum Cyber Security Standards challenge New Zealand organisations to build a truly resilient and provable security posture. Achieving CS-CMM Level 2 requires a strategic platform that can centralise, enforce, and automate your identity controls," Graham and Connelly said.
Broader market
Although the standards are aimed at agencies under the GCISO mandate, Okta is also positioning the document for private sector organisations. That reflects a broader trend in cyber security, where government frameworks often become reference points for regulated industries and for companies seeking to benchmark internal security programmes.
Identity management has become a larger part of that discussion as organisations contend with cloud adoption, third-party access, machine identities and the spread of AI tools. Security suppliers increasingly frame identity as a control layer spanning authentication, access governance, monitoring and incident response.
For New Zealand organisations, the immediate issue is practical preparation for the reporting phase of the new standards. Okta's paper seeks to connect the technical requirements of identity and access management with the evidence-based maturity model used by the NCSC, including the "immutable audit evidence required to demonstrate maturity at the mandated CS-CMM Level 2 (Planned & Tracked) and aspiring to higher levels of maturity requires a strategic approach."