Small Business Cybersecurity, Compliance, and AI with John Gibson

In this episode of the Cyber Brisket Podcast, Chris Engler sits down with John Gibson, founder and CEO of Just Right IT, for a conversation that connects cybersecurity, compliance, and AI in a way that makes sense for everyday business owners.

John brings a rare perspective to the table. He started his company while still serving on active duty in the Navy, and that background shaped how he thinks about risk, accountability, and operational discipline. The result is a conversation that goes beyond software and tools. It is really about how businesses build habits, systems, and safeguards that help them stay resilient.

Here are the biggest insights from the episode and what they mean for small and mid-sized businesses today.

A security-first mindset starts with discipline, not just technology

One of the most interesting parts of the conversation is how John traces his approach back to his Navy experience. Working in high-security environments taught him that security is not something you think about only after a problem appears. It has to be built into the way you operate every day.

That mindset carried into how he built his business. He talked about the value of documented processes, continual improvement, and consistency. For business owners, that is an important reminder: strong cybersecurity is not only about buying the right product. It is also about having repeatable processes, clear responsibilities, and a culture of paying attention.

In simple terms, businesses get into trouble when too much depends on memory, improvisation, or good intentions. The stronger approach is to build systems people can follow consistently.

Cybersecurity works best in layers

A major theme in the episode is that no single tool can fully protect a business. John makes the case for a layered approach, sometimes called “defense in depth.” That means using several types of protection together so one gap does not become a full-blown incident.

He points to a few basics that matter most:

  • strong endpoint protection on devices
  • email security to catch phishing attempts
  • web filtering to block dangerous websites
  • password managers to reduce weak or repeated passwords
  • allow-listing, which blocks any software that has not been explicitly approved to run
  • zero-trust tools that verify users and connections before allowing access

For a non-technical audience, the core idea is simple: businesses are safer when they do not rely on one lock on one door. They need multiple checkpoints.

John also makes an important distinction between protection, detection, and response. Many businesses spend almost all their security budget on prevention, but that is only one part of the picture. You also need to know when something gets through and have a plan for what happens next. In practice, that means having tools and people watching for suspicious activity, not just hoping the front line catches everything.

Small businesses are not too small to be targeted

Another strong takeaway from the episode is that small businesses should stop assuming they are beneath a criminal’s notice. John explains that attacks are constant, automated, and often opportunistic. In many cases, criminals are not choosing a business because it is famous. They are choosing it because it looks easy.

That is why phishing remains such a big concern. The episode highlights that many successful incidents still begin with a deceptive email or message that tricks someone into clicking, responding, or sharing credentials. In other words, the human side of security is still one of the biggest pressure points.

The conversation also touches on how AI is changing the threat landscape. Attackers can now use AI to scale their efforts faster, produce more convincing messages, and operate around the clock. That does not mean businesses should panic, but it does mean they should stop thinking about cybersecurity as an occasional project. It is now an ongoing business function.

Compliance is becoming a leadership issue, not just an IT issue

The discussion then shifts into cybersecurity compliance, especially the FTC Safeguards Rule. This is one of the most practical parts of the episode because it addresses a common misunderstanding: many business owners do not realize they may already fall under rules that require them to protect customer information.

John explains that businesses handling certain types of sensitive financial or customer data may need to meet specific safeguards. Just as important, compliance is not only about checking boxes or generating paperwork. It is about being able to prove that the right controls are actually in place.

One of the clearest points in the episode is accountability. Even if a business hires an outside firm to help manage compliance, leadership still owns the responsibility. That is a message many owners need to hear. Outsourcing support does not outsource accountability.

For growing businesses, this means compliance should be treated as an operational priority. Somebody needs to own it, understand it, and make sure it is being maintained over time.

Cyber insurance now expects evidence, not promises

The conversation also makes a strong connection between cybersecurity and cyber insurance. Insurance carriers are asking more detailed questions, and they increasingly want proof that businesses are doing what they claim.

That matters because policies can become far less useful if a company cannot support its answers during a claim. If a business says it has security controls in place but cannot produce evidence later, it could face serious problems when it needs coverage most.

This is where items like role-based access, documentation, and ongoing monitoring become more than IT best practices. They become business protections. Good records, clear permissions, and actual enforcement can affect whether a company gets help after an incident.

The message here is straightforward: cyber insurance is valuable, but it works best when paired with real operational discipline.

AI can save time, but it needs guardrails

The AI portion of the episode brings a practical balance to the conversation. John is not anti-AI. In fact, he shares a useful example of how AI can improve productivity right away: summarizing email, surfacing what needs action, and even helping draft responses.

That is the kind of AI use case many business owners can relate to immediately. It saves time, reduces inbox friction, and helps people move faster.

At the same time, John warns against careless adoption. Free tools are not always free, especially if the tradeoff is giving up more information than expected. He emphasizes reading terms carefully, choosing tools based on actual business use cases, and keeping client data separate from internal company data.

That is especially important when employees start using tools on their own without approval. This “shadow IT” problem can create compliance, privacy, and access issues quickly. The takeaway is not to avoid AI. It is to adopt AI intentionally, with policies and boundaries that protect the business.

Final thoughts

What makes this episode stand out is that it frames cybersecurity, compliance, and AI as leadership issues, not just technical ones. John Gibson’s perspective is grounded in long-term operational thinking: build systems, document what matters, verify what is in place, and do not confuse convenience with safety.

For business owners, the lesson is clear. You do not need to become a cybersecurity expert overnight. But you do need to treat security, compliance, and AI adoption as connected parts of running a modern business well.

Key Takeaways

  • Cybersecurity starts with disciplined processes, not just tools.
  • Small businesses are still major targets because attackers often look for easy openings.
  • Phishing remains one of the most common ways breaches begin.
  • Effective security requires layers: prevention, detection, and response.
  • Compliance is a leadership responsibility, even when outside experts help manage it.
  • Cyber insurance is important, but insurers increasingly expect proof of your controls.
  • AI can deliver fast productivity gains, especially in email management.
  • Businesses should adopt AI carefully and keep client data separate from company data.
  • Unauthorized employee use of AI tools can create privacy, security, and compliance risks.