Why ‘Good Enough’ Is Not Really Good Enough in IT Security

18 August 2025

In technology, and especially in IT Security, I often hear people say:

“It’s good enough.”

It’s a phrase born of budget constraints, time pressure, or risk fatigue. But “good enough” rarely is. Especially not when the stakes are high.

To understand why, consider some examples from outside IT Security.

Would You Trust a “Good Enough” Brake System?

Imagine a car manufacturer releasing a vehicle with a braking system that performs well under most conditions… but occasionally locks up in the rain. Would you buy it?

Probably not. (But some still do – it will never happen to me!)

Why? Because even a 1% failure rate in your brakes could be catastrophic. The consequences of failure far outweigh the cost of a better system.

This is exactly the logic that must be applied to IT security. When the cost of failure is data loss, business disruption, reputational damage, or regulatory penalties, “good enough” simply isn’t enough.

“Mostly Reliable” Doesn’t Fly in Aviation

The airline industry doesn’t accept “good enough” when it comes to safety protocols, aircraft inspections, or pilot training. Why? Because a single oversight can result in widespread loss of life and trust.

Similarly, in IT security, a single vulnerability—a misconfigured firewall, a missed patch, a poorly secured cloud bucket—can lead to breaches that damage not just systems, but business continuity and brand reputation.

Try It Yourself

In everyday life, or when buying a service, try saying “That’s good enough” to others and see what their reaction is. If you are brave enough, say it to your partner who has prepared you a meal or had a tough day at work. I bet it never leaves a comforting feeling.

In IT Security, Margins for Error Are Thin

Today’s threats are not theoretical—they are real, fast-moving, and sophisticated:

  • Zero-day exploits
  • Ransomware-as-a-service
  • Insider threats
  • Supply chain attacks

Attackers only need one opening. If your defences are “good enough,” that means they’re predictably exploitable in just enough places to invite trouble.

| “Good Enough” Mindset | The Risk |
| --- | --- |
| Basic MFA, but no conditional access | Phishing bypass risk |
| Endpoint AV without behaviour analytics | Misses fileless malware |
| VPN access without context or segmentation | Overexposed network risk |
| Email filtering that misses zero-day payloads | Business email compromise |
| DLP that’s policy-based but blind to browsers | Insider risk blind spot |

What’s the Alternative?

Do not settle for “good enough.” Instead, ask:

  • “Is this resilient under pressure?”
  • “Does this scale with our business and risk profile?”
  • “Does this provide visibility and control—not just coverage?”
  • “Can it adapt to real-world, modern threats?”
  • “Do I need specialist help?”

IT Security isn’t just about ticking boxes or hoping. It’s about resilience, adaptability and confidence.

IT Security Is Not a Place to Cut Corners

In some parts of business, “good enough” is perfectly acceptable. Your office coffee machine? Sure. Your video conferencing tool? Probably. Your data security? Absolutely not. Because when “good enough” meets a motivated attacker, what’s left is not enough to stop them. Get in touch with us today. This is something that can’t wait!
