He noted one does not need to be an IT professional in order to do these activities. "I can do it, you don't need to be an IT person," said Whitmore, whose background is in accounting and law.
"The threat is real, we are a target in New Zealand just because we are here, we have money, we have IP and valuable assets," he said.
A security breach can "kill a company in nanoseconds".
He said security risks should be treated as a regular boardroom issue, "on a par with financial reporting, regulatory issues and strategic direction."
This way, "it gets the attention they need."
He said it is important that there are clear roles and responsibilities for security.
Most medium or large sized organisations will have two key roles — a chief information security officer who is responsible for information and protecting it, and an IT security manager, who is a senior person in the IT team. In smaller organisations, this may be a shared role.
He also recommended establishing a security risk management process at an organisation level and during the development or purchase of any new systems.
"Understand your risks, test your security systems, so that you are in a position to manage them," he concluded.
Sign up for CIO Asia eNewsletters.