
The Real Meaning of ‘Good Enough’ Security

November 24, 2025


Insights from Adam Needham, CySA+, ITHealth Professional Services Consultant

It’s easy to believe we’re doing enough to stay secure. But are we really?

The real question is, enough for what exactly?

Enough to feel comfortable?
Enough to pass an audit?
Enough until the next zero-day exploit?

In reality, “good enough” often means just enough to stay out of trouble but not enough to deal with the scale of today’s threats.

For most NHS organisations, the challenge is even tougher. Legacy infrastructure, split governance, and limited budgets all play a part. Many trusts are still running end-of-life platforms or unsupported software, which leaves gaps for attackers. Security responsibilities are often spread across several teams, which slows decisions and makes accountability unclear. With resources already stretched, understanding where to focus becomes essential. Too often, our approach to security is shaped by old risk appetite, not the realities we face today.

Cyber maturity isn’t measured by how many policies you have or how many tools you’ve bought; it’s about how effectively you respond when something goes wrong. Some organisations have dozens of policies and multiple security tools but still fail to detect breaches quickly. In contrast, teams with fewer tools but clear processes and real-time visibility respond faster and contain incidents more effectively.

Things we can do:
1. Know your assets
You can’t secure what you don’t know exists. Having an up-to-date, centralised view of devices, users, and vulnerabilities ensures your focus is on the areas that matter most. Tools like the ITHealth Dashboard help turn assumptions into insight, showing what’s in your environment and where the risks are.

2. Review your risks regularly
Monitor live data to keep your view of vulnerabilities current rather than reactive. Regular risk reviews help you spot changes early – things like new gaps appearing, priority shifts, or known issues getting worse. This doesn’t need to be a big exercise: small, frequent check-ins or scheduled reports help keep your focus on what matters right now.

3. Test your response plan
Practise before it matters. Small run-throughs and tabletop exercises make a difference: they show you where things need improvement and which parts don’t work. The more familiar the team is with the process, the more quickly and confidently it can respond when something goes wrong.

4. Build a culture of awareness
Make security part of how everyone works. Small habits make a big difference – reporting something that looks odd, questioning requests, or knowing who to speak to if something doesn’t feel right is all it takes for someone to feel confident enough to act.

“Good enough” thinking might get you through an audit, but it won’t prepare you for what’s next. Resilience is about being ready, not just being compliant. National initiatives, like NHS England’s cyber resilience programmes, emphasise that organisations must not only prevent attacks but also respond and recover when disruption occurs. Compliance alone isn’t enough – organisations must plan for continuity, recovery, and trust.

When we stop treating “good enough” as the benchmark, we start asking better questions.

– Not: Are we compliant?
– But: Could we recover from tomorrow’s breach with our operations, reputation, and trust intact?

Security isn’t about confidence. It’s about readiness – and readiness is what separates recovery from resilience. Visibility, clear measurement, and proactive planning are what turn “good enough” into truly resilient security.

In future posts, we’ll explore what it means to go beyond ‘good enough’ in key areas – from compliance to vulnerability management to managing legacy risk and preparing for zero-day threats. Along the way, we’ll show how tools like the ITHealth Dashboard help organisations see clearly, act decisively, and build security that isn’t just adequate, but resilient.
