National security systems need to find all the dirty little holes and stuff them with cement to keep all the bugs, worms, rats, and other pests out. Small and Medium sized businesses need to spray and place traps out to stop infestations or eliminate any pests that managed to make it into the business. This means NSS needs to spend significantly more time, money, and other resources finding all the weak areas around everything: the cybersecurity systems, the manufacturing systems, the CNC machinery, fabricators, electrical systems, IT systems, etc. This also means Small and Medium sized businesses need to leverage their limited resources to tightly secure their most heavily used and sensitive systems before branching out to lesser used or less sensitive systems. NSS systems are expected to be capable of meeting the expectations of readily identifying, stopping, and recovering advanced threats that use minuscule vulnerabilities with the knowledge that the exploitation of larger vulnerabilities should be considered unthinkable because of the levels of protection that have been entrenched. Small and medium sized businesses are expected to be capable of detecting, preventing, and recovering from vulnerabilities that can be exploited using publicly available information or exploitation that uses automation while being able to retain enough information (logs) for exterminators (incident response and/or forensic specialists) to identify when an APT has attacked and what the APT did while maintaining access. Understanding what your expected level of security should be is essential to building a fully structured strategy that is well-rounded, fiscally responsible, and diligent. At least, this constitutes my opinion of the matter.