Beyond Compliance: Building Cybersecurity Resilience in Defense and Engineering
Cybersecurity is among the most pressing challenges facing defense contractors, aerospace suppliers, and engineering firms today. With the rapid spread of connected devices, global supply chain risks, and AI-enabled threats, protecting intellectual property, prototypes, and people requires more than passing an audit.
On this episode of JAKTALK, JAKTOOL founder Jeff Kinsberg sits down with Neal Fennimore, Director of IT at JAKTOOL, to dig into how small and mid-sized companies can meet cybersecurity requirements while staying productive and competitive. Neal brings over 14 years of experience in software engineering, cloud infrastructure, and defense cybersecurity, giving him a unique perspective on how organizations can strengthen their defenses without slowing down innovation.
Compliance vs. Security: What Defense Contractors Must Understand
Frameworks like CMMC (Cybersecurity Maturity Model Certification) and NIST 800-171 establish how defense suppliers must handle controlled unclassified information (CUI). For companies working with the Department of Defense, these requirements are non-negotiable. However, as Neal explains, compliance does not equal security.
Too often, businesses treat compliance as a box-checking exercise. They pass an audit but remain vulnerable in real-world conditions. Neal emphasizes that security is about embedding best practices into everyday operations so that systems stay resilient even as new threats emerge.
Common Mistakes Small Businesses Make
Engineering firms and small-to-mid-sized defense contractors face unique challenges because they often operate without large IT teams. Neal describes how companies stumble by giving employees overly broad system access, relying on unmanaged personal devices, and failing to segment sensitive projects.
These missteps create CMMC audit failures and expose organizations to industrial espionage, ransomware, and insider threats. The first step is visibility: knowing what devices are connected, who has access, and where sensitive data resides. From there, small teams can make simple changes such as enforcing multi-factor authentication (MFA), setting up role-based access, and creating dedicated enclaves for sensitive projects.
The Risks of Everyday Devices
The conversation turns to the hidden dangers of smart devices and IoT technology inside workplaces. Breakroom assistants, printers, and HVAC systems may seem harmless, but they can act as gateways for attackers. Neal points to high-profile cases like the Target breach, where attackers used an HVAC vendor's network access as the stepping stone to reach point-of-sale systems.
Much of the technology in modern offices and factories is built overseas, often in countries that are also cyber adversaries. This introduces the risk of devices being compromised before they arrive. To mitigate this, Neal recommends creating a connected device map, segmenting networks with VLANs, and isolating critical machines with firewalls or air gaps.
Hidden Data Leaks and OSINT
Not all risks involve malware or compromised devices. Neal and Jeff explore the threat of OSINT (open-source intelligence) data that organizations unintentionally share. The “Pentagon Pizza Index,” where spikes in pizza deliveries signaled activity at the Pentagon, is a classic example.
For engineering firms, the equivalent could be shipping schedules, vendor visits, or employee social media posts. Even metadata embedded in photos can reveal sensitive details. Neal stresses that operational security (OPSEC) requires training, awareness, and clear policies on what employees can post or share publicly.
AI: Promise and Peril
Artificial intelligence is changing the game in cybersecurity. Neal explains how AI benefits defenders by analyzing massive volumes of log data, detecting anomalies, and identifying threats that human analysts might miss. But attackers also use AI to their advantage.
Phishing campaigns become more convincing, social engineering becomes more sophisticated, and sensitive data becomes harder to control. Neal highlights the importance of developing formal AI use policies so that proprietary information is not fed into unsecured tools. Done right, AI can support threat detection without creating new vulnerabilities.
Striking the Balance Between Productivity and Protection
Throughout the episode, Jeff and Neal return to a central tension: security versus productivity. Too much friction in daily workflows frustrates employees, but weak security policies invite disaster. Neal suggests focusing on “smart friction.”
For example, requiring multi-factor authentication on high-value systems adds some steps but dramatically reduces risk. Single sign-on (SSO) can simplify logins while still improving security. Network segmentation ensures that IoT devices never overlap with core engineering systems. These adjustments protect the business without stifling its ability to innovate.
Actionable Starting Points for SMBs
Neal offers a set of high-ROI steps that small and mid-sized businesses can immediately implement. First, MFA and SSO should be rolled out to strengthen authentication across the board. Next, segment networks so sensitive systems are shielded from guest or general-use devices. Finally, invest in log collection and monitoring with a SIEM (Security Information and Event Management) platform to gain visibility into what’s happening across the organization.
These practices don’t require massive budgets but significantly improve resilience and prepare companies for higher-level contracts.
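As an added illustration of combining the segmentation and SIEM monitoring steps above (example code, not from the episode or JAKTOOL), the script below takes constructed firewall flow records and a hypothetical VLAN plan and flags any IoT or guest device that reaches into the engineering enclave:

```python
# Added example (not from the episode): flag IoT- or guest-originated traffic
# into the engineering enclave, the kind of cross-segment rule a SIEM would run.
import ipaddress
from collections import Counter

# Assumed segment plan, one VLAN per device class (addresses are constructed).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.30.0.0/24"),          # printers, HVAC, assistants
    "guest": ipaddress.ip_network("10.40.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/24"),
    "engineering": ipaddress.ip_network("10.10.0.0/24"),  # CAD / CUI enclave
}
FORBIDDEN_SOURCES = {"iot", "guest"}  # must never initiate into engineering

# Constructed firewall flow records: "timestamp src dst dport action".
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.20.0.15 10.10.0.5 445 ALLOW
2024-05-01T08:00:07 10.30.0.9 10.10.0.5 445 ALLOW
2024-05-01T08:00:09 10.30.0.9 10.10.0.7 22 DENY
2024-05-01T08:01:12 10.40.0.22 10.10.0.5 3389 ALLOW
2024-05-01T08:02:30 10.30.0.4 10.30.0.1 53 ALLOW
"""

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"

def cross_segment_flows(log_text):
    """Flows from a forbidden segment into engineering. DENY lines are kept:
    a blocked probe from an IoT device is still worth an alert."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, dport, action = line.split()
        s, d = segment_of(src), segment_of(dst)
        if s in FORBIDDEN_SOURCES and d == "engineering":
            hits.append({"time": ts, "src": src, "src_segment": s,
                         "dst": dst, "dport": int(dport), "action": action})
    return hits

def noisiest_sources(hits):
    """Offending flows per source address, so a small team can triage by device."""
    return Counter(h["src"] for h in hits).most_common()

if __name__ == "__main__":
    found = cross_segment_flows(SAMPLE_LOG)
    print(found)
    print(noisiest_sources(found))  # [('10.30.0.9', 2), ('10.40.0.22', 1)]
```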
Why Cybersecurity Matters for Innovation
Cybersecurity isn’t just about compliance; it’s about protecting the lifeblood of an engineering-driven company and its innovations. Jeff points out that one breach can erase years of R&D, compromise intellectual property, or destroy customer trust. By investing in proactive security measures, companies become reliable partners to the DoD, aerospace primes, and advanced manufacturers.
At JAKTOOL, cybersecurity is not a side project. It is embedded into every aspect of product development and prototyping. The company treats it as part of solving challenging engineering problems for mission-critical industries.
Cybersecurity Is Not a One-Time Project
The takeaway from Jeff and Neal’s conversation is clear: cybersecurity is not a one-time project. It is an ongoing process of adapting, anticipating, and preparing for threats that will only continue to grow. Compliance is essential, but security goes deeper.
For small and mid-sized engineering firms, the path forward starts with visibility, simple technical safeguards, and stronger employee awareness. By taking these steps, companies can meet DoD standards and build resilience that protects their people, products, and future innovations.