If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)
I love NIST frameworks, but if you are just getting started, I prefer "Protecting Sensitive and Personal Information from Ransomware" from CISA as most organizations can get behind protecting against Ransomware. Check out https://www.cisa.gov/resources-tools/resources/protecting-sensitive-and-personal-information
I would prefer to start with the NIST framework to ensure a comprehensive design of the cybersecurity practice across the organization, with objectives set to achieve business goals. We will need to first create the roadmap and structure to enhance security across the organization.

When you’re the first or only security practitioner in an SMB, don’t start with a framework; start with the business. Frameworks like NIST CSF or SANS Top 20 are excellent for measuring gaps, but most small organizations lack the structure or resources to adopt them effectively at the outset. Begin by understanding how the company operates, identifying critical business processes and the people who own them, and assessing what could disrupt the organization’s ability to function, especially availability-related risks. Once that landscape is clear, frameworks become tools for structured improvement, not barriers to progress. True maturity begins with visibility into what keeps the business running and protecting that first.