I worked for a private company that had grown into an IT infrastructure without properly knowing how to manage it.  And that speaks to technical administration and executive governance, in addition to protection and security.

When I started looking for cybersecurity guidance, two names kept coming up:  SANS, and Center for Internet Security.  Their documents were useful to me, and I downloaded a lot of their templates and benchmarks!  But neither the documents nor my use of them to frame the risk to our company were convincing enough for leadership to prioritize cybersecurity.

SANS and CIS are highly valuable for entities who need a starting point.  SANS has great policy templates, and CIS has excellent build benchmarks.

No matter what, though, you must convince your leadership for buy-in.  You must create a compelling argument which your leadership must address as a responsibility of governance and mission.  If you don't have that, then you might as well stop.

Hello,  Common resources that SMBs frequently mention as lacking include access to affordable financing and capital, skilled labor and talent, technological infrastructure and IT support, marketing and advertising resources, and networking opportunities. Additionally, SMBs often express challenges in navigating complex regulations and compliance requirements, as well as difficulties in competing with larger businesses due to limited resources and economies of scale