There are not any easy answers to good computer security, and asking community moderators to prepare a security checklist would be a disservice. You would need a big book from the security community, and even that is inadequate, as it takes human experience and judgment too, in this rapidly changing environment.
For starters, everybody’s system is different, and even when the platform is the same, the versions, or the underlying OS, or the personal security practices of the site administrators are different. It only takes one flaw to be owned.
If you had the budget to hire somebody, I would suggest hiring an outside company that specializes in that sort of thing. It would be tough to be the only sysadmin at a place, and there would not be much of a career ladder, or peer support when you are by yourself.
And if you had the budget to work on being secure, I would also hire somebody to be a white hat hacker, and try to penetrate your systems. After the initial work on penetration testing, that role should be able to recede to part time. And that position could definitely be an outside resource.
A hosted community platform would be best, as the system administrators have enough volume to spend the necessary time on doing things right.
Oftentimes, security practices interfere with getting real work done, and somebody needs to make a judgment call on what the priorities really are. So in the real world, security is often knowingly ignored, as new features take precedence.
Most people, including management, have no idea of the amount of money and work it takes to get and keep secure, and they really don’t want to know either. The best you can hope for is that somebody makes an attempt to put a dollar amount on what the worst case could be in the event of a security breach, and if it’s a large number, they start contacting security professionals.
In Ashley Madison’s case, the worst case is the collapse of their company, and I think they knew that. The question is, did they ever hire some security professionals and follow their advice?
And it’s quite possible they did, but still got breached.
mark david mcCreary