A lot of people say they have good enough cyber security.
But in cyber security, good enough is often the first step toward not enough.
Is it an antivirus that scores average in tests, or one that ranks in the top three?
Is it using multi-factor authentication only for management, but not for the operations team?
Or a firewall that allows everything, just to make things work?
Many still believe that no one is interested in them.
But most attacks aren’t targeted – they’re automated.
They look for weak spots, and good enough is often exactly that.
We see it every week: an unpatched system, an old password, or an open rule that was never reviewed.
It works – until the day it doesn’t.
Think about it this way:
Would management say it’s fine to show up at work in swimwear twice a year,
while everyone else wears suits the rest of the time?
Probably not.
Dress code is 100% – not good enough.
Security should be treated the same way.
You either have control, or you don’t.
Good enough doesn’t protect you as well as it should – it only feels comfortable until something happens.
Threat actors don’t stop because you’re average,
but they might move on when you’re better than your neighbor.
The best organizations treat security as a competitive advantage.
They build trust, protect value, and show that quality doesn’t stop at minimum compliance.
Security isn’t about being perfect – it’s about getting a little better every week.
Attackers only need one weakness.
Your job is to close every one of them –
just like you lock every door when you leave the office, not nine out of ten.
So next time someone says good enough, ask:
Good enough for whom – you, or the attacker?
And remember: you don’t need big projects to improve.
Start small – update one system, tighten one firewall rule, remove one unnecessary access.
Do it every week.
Or take inspiration from a few simple CIS principles:
- Know your assets. You can’t protect what you don’t know exists.
- Keep systems updated. Most attacks exploit known vulnerabilities.
- Limit access. Give only what’s needed – that’s how least privilege and Zero Trust start.
- Log and monitor. What you don’t see, and don’t log, won’t be detected or stopped.
Real security isn’t built in a single project.
It’s built through small, consistent actions – logged, learned, and improved.
One step, one log, one improvement at a time.
And one more thing:
Don’t just choose the cheapest antivirus, firewall, or SOC provider.
Run your own tests and check the quality before you trust it –
unless you already know someone who has tested it thoroughly.
Good security isn’t about saving money; it’s about knowing what actually works.