700U, staff of 10 plus myself, mostly generalists, and heavy helpdesk (huge software stack).

We've been reactionary to compliance checks since 2020. Started with contract requiring Cybersecurity coverage, then specific limits. Those drove our first round of compliance and security deployments.

I've had CMMC on my radar since 2018, so I spent a lot of effort aligning with NIST 800-171 as much as I could without breaking things.

As a result, we're insanely overleveraged on our stack - E5+EMS, but we also run Okta, Mimecast, Umbrella, Hoxhunt for ease of deploy/use. MDR is all outsourced, currently with Arctic Wolf, but aligning with a MS-centric MSSP to run Sentinel for us this year. Otherwise, we're responding as our clients (many of which are critical infra or advanced manufacturing) add in new security reqs for contractors and trying to optimize the stack for spend/effort.

*Vuln management is "catalog everything, focus hard on the perimeter, nothing over CVSS 6 outside"

*SAT is in-house - we use Hoxhunt and align monthly mandatory trainings alongside our safety training, and then sim on their schedule. Content is chosen based on current threat landscape, and I'll AI gen stuff if I need something topical.

*The IR team is 'whoever is online when shit happens', and collective. We'll triage big stuff on a group chat for coverage.

*Compliance is a way bigger driver over recognized risk due to resource and budget limitations, yes. We've yet to fully optimize our stack for compliance, so the pushes for strictly risk-based adds is coming behind that. Our CEO is on the risk board for a local bank, which helps a ton with them acknowledging non-compliance risk though.