by spsesk117
1275 days ago
I wouldn't call myself a security person, but I do have a fair amount of experience implementing things downstream of the security organization, and sometimes outside of that context. I think a reasonable place to start is something like the NIST Cybersecurity standard. In my limited experience, the NIST Cybersecurity standard deals more with _risk_ than it does with discrete technical guidance, but from their fairly comprehensive risk framework you can start to frame the technical problems in your environment through this risk lens. Additionally, I'll recommend something that's maybe wrong (security folks jump in as needed), but I typically try to work outwards in when securing an environment. In the case you've got a web app or something, reduce the attack surface of the system externally as much as possible (closing ports/IP filtering on management ports/etc.) and then work your way inwards. Put another way, try to focus on bang for your buck until you have a dedicated team. An obscure XSS that requires a strong working knowledge of the system is _very bad_, but if you also have port 22/SSH open to the world with a 5 char password, I'd figure that one out first. That's obviously an extreme example, but I think you get the point.

SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/fi...
SP 800-65 Integrating IT Security into the Capital Planning and Investment Control Process https://csrc.nist.gov/publications/detail/sp/800-65/archive/...