By just looking at the vast variety of answers in this thread, I think we have a telltale sign of the magnitude of the problem, and the state of denial in which society has evolved.
Whether a startup, a small company or a large corporation, there is at least one IT security standard in each developed country, if not an international standard (e.g., ISO27002, NIST cybersecurity, etc.). Their role is exactly what they are called for: they tell whoever owns an IT system what should be done to protect it.
Unless you're an academic doing research, or you have personally reached the limits of a standard in your organization, there is no reason to look elsewhere.
Pull the standard from your country, or pull the ISO27002, and start working on your spreadsheet and assigning tasks :)