While browsing CFP's for conferences this summer, one speaking track named "The Art of Defense" had a statement that “only the largest enterprises can afford a robust defense”. I disagree, and argue that in many ways small-to- medium-size businesses can be more secure than large enterprises. I will provide an overview of the security program my team and I built that achieves enterprise-level protection AND regulatory compliance WITHOUT a massive budget or huge silo'd teams. Consider it a case study or howto for building an effective security program at a small business.