I'm not going to entirely answer your question; rather, I'll tell you about how we dealt with this issue in a non-profit that I co-founded.

Our organization had a large and strong online presence. Because of this and my technical background, I really wanted to get a security audit done. We looked around quite a bit and found that auditors fell into two camps. There were those who simply cost too much for our organization to possibly afford, and there were those who simply couldn't demonstrate competence.

In the end, we decided on kind of a hybrid strategy. To start, we decided that all of our applications were 100% vulnerable to a motivated attacker. From there, we developed a strategy to mitigate the possible damage. For example, we took frequent backups and practiced to make sure we could fully restore from backups. And, we monitored the hell out of our stack in hopes of (hopefully) knowing quickly whether we had been compromised. The "hopefully" was actually an important part of our strategy - we assumed we were 100% vulnerable, which meant that everything that was connected could also be compromised.

Then, we wrote some solid policy. In retrospect, writing the policy was about half cover our ass and half useful security. Our policy covered things like password reuse, frequency/responsibility for backups/automatic updates/etc., and the like.

To summarize, at the time (this was 2007 ~ 2010, so the market may have changed), we couldn't find a company to do a security audit within our budget. Rather than settle on an organization we had little confidence in, we developed a hybrid approach where we decided we were 100% vulnerable and enacted procedures to mitigate the possible damage.

Edit - Fixed a sentence that made no sense.
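The "take frequent backups and practice restoring from them" part of the approach above is the piece most teams skip. As an added illustration (not code from the commenter or their organization), here is a minimal scripted restore drill: it backs up a constructed sample directory, checks the archive's detached checksum, restores it into a scratch location, and compares a digest of the restored tree against the live one. A drill that silently passes is worthless, so it also includes a negative case where a corrupted archive must make the drill fail. It assumes GNU `tar`, `sha256sum`, `find` and `mktemp` are available.

```shell
#!/bin/sh
# Added example: a scripted backup-and-restore drill. Not from the original
# comment; the sample data below is constructed for the demonstration.
set -eu

# Constructed sample data standing in for an application's files.
make_sample_data() {
  dir="$1"
  mkdir -p "$dir/config" "$dir/uploads"
  printf 'db_host=localhost\n' > "$dir/config/app.conf"
  printf 'hello from uploads\n' > "$dir/uploads/note.txt"
}

# Digest of every regular file under a directory (relative paths, sorted),
# so two trees with identical content produce identical digests.
tree_digest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
      sha256sum "$f"
    done ) | sha256sum | cut -d' ' -f1
}

# Take a backup: tar archive plus a detached checksum of the archive.
take_backup() {
  src="$1"; archive="$2"
  tar -C "$src" -cf "$archive" .
  sha256sum "$archive" > "$archive.sha256"
}

# Restore drill: verify the archive checksum, restore into a scratch
# directory, and confirm the restored tree matches the live tree.
restore_drill() {
  src="$1"; archive="$2"; scratch="$3"
  sha256sum -c "$archive.sha256" >/dev/null 2>&1 || return 1
  rm -rf "$scratch"; mkdir -p "$scratch"
  tar -C "$scratch" -xf "$archive"
  [ "$(tree_digest "$src")" = "$(tree_digest "$scratch")" ]
}

# Positive case: a clean backup must restore and verify. Returns 0 on success.
run_drill() {
  work="$(mktemp -d)"
  make_sample_data "$work/live"
  take_backup "$work/live" "$work/backup.tar"
  if restore_drill "$work/live" "$work/backup.tar" "$work/restore"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}

# Negative case: a corrupted archive must make the drill fail.
# Returns 0 only if the drill correctly reports failure.
run_tampered_drill() {
  work="$(mktemp -d)"
  make_sample_data "$work/live"
  take_backup "$work/live" "$work/backup.tar"
  printf 'x' >> "$work/backup.tar"   # simulate on-disk corruption
  if restore_drill "$work/live" "$work/backup.tar" "$work/restore"; then
    rc=1
  else
    rc=0
  fi
  rm -rf "$work"
  return $rc
}
```

Run `run_drill` on a schedule against the real backup target and treat any non-zero exit as an incident; the tree digest comparison is what turns "we have backups" into "we know we can restore".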