Before appropriate mitigations can be chosen, you must understand:
- Who might target your organisation?
- What particular infrastructure might they target?
- How bad could the impact from an attack on each of the parts of your infrastructure be?
Threat modelling your organisation will help answer some of these questions to identify what systems are critical for delivering essential services, and will allow you to appropriately set priorities and budget for cyber hardening activities.