Procurement at bigger firms will likely only get harder, at least around CS. The auditing required to be SOC2 or PCI DSS can be time-consuming and expensive, but probably better to do earlier than later. I understand that may not be financially possible at the moment, but there are some benefits to being small for that type of compliance, like actually knowing your networking setup, where your data lies, etc. This type of auditing for enterprises, especially legacy ones, can be brutal because they're too big and don't know where anything is.
My two cents for whatever that's worth. If you can't financially do it, focus on growing your business with the SMBs until you can, but enterprise firms will want to see these things. If it's tight, pick one that is often sought after like SOC2 and build from there. If money isn't as much of an issue, get the certifications and go for the big fish.