
Written by James Palmer – Managing Consultant at Gradian
In technology, and especially in IT Security, I often hear people say:
“It’s good enough.”
It’s a phrase born of budget constraints, time pressure, or risk fatigue. But “good enough” rarely is. Especially not when the stakes are high.
To understand why, take examples outside of IT Security.
Would You Trust a “Good Enough” Brake System?
Imagine a car manufacturer releasing a vehicle with a braking system that performs well under most conditions… but occasionally locks up in the rain. Would you buy it?
Probably not. (But some still do – it will never happen to me!)
Why? Because even a 1% failure rate in your brakes could be catastrophic. The consequences of failure far outweigh the cost of a better system.
This is exactly the logic that must be applied to IT security. When the cost of failure is data loss, business disruption, reputational damage, or regulatory penalties, “good enough” simply isn’t enough.
“Mostly Reliable” Doesn’t Fly in Aviation
The airline industry doesn’t accept “good enough” when it comes to safety protocols, aircraft inspections, or pilot training. Why? Because a single oversight can result in widespread loss of life and trust.
Similarly, in IT security, a single vulnerability—a misconfigured firewall, a missed patch, a poorly secured cloud bucket—can lead to breaches that damage not just systems, but business continuity and brand reputation.
Try It Yourself
In your daily life, or when buying a service, try saying “That’s good enough” to others. See what their reaction is. If you are brave enough, say it to your partner who has prepared you a meal or had a tough day at work. I bet it never leaves a comforting feeling.
In IT Security, Margins for Error Are Thin
Today’s threats are not theoretical—they are real, fast-moving, and sophisticated:
- Zero-day exploits
- Ransomware-as-a-service
- Insider threats
- Supply chain attacks
Attackers only need one opening. If your defences are “good enough,” that means they’re predictably exploitable in just enough places to invite trouble.
| “Good Enough” Mindset | The Risk |
| --- | --- |
| Basic MFA, but no conditional access | Phishing bypass risk |
| Endpoint AV without behaviour analytics | Misses fileless malware |
| VPN access without context or segmentation | Overexposed network risk |
| Email filtering that misses zero-day payloads | Business email compromise |
| DLP that’s policy-based but blind to browsers | Insider risk blind spot |
What’s the Alternative?
Do not settle for “good enough.” Instead, ask:
- “Is this resilient under pressure?”
- “Does this scale with our business and risk profile?”
- “Does this provide visibility and control—not just coverage?”
- “Can it adapt to real-world, modern threats?”
- “Do I need specialist help?”
IT Security isn’t just about ticking boxes or hoping. It’s about resilience, adaptability and confidence.
IT Security Is Not a Place to Cut Corners
In some parts of business, “good enough” is perfectly acceptable. Your office coffee machine? Sure. Your video conferencing tool? Probably. Your data security? Absolutely not. Because when “good enough” meets a motivated attacker, what’s left is not enough to stop them. Get in touch with us today; this is something that can’t wait!