The Matrix is 1/3 of the playing field in Shadowrun, so naturally the Matrix defenses of a target should get their share of your attention when designing a run.
Usually there only needs to be one host per site, although if you want to make things complicated you can distribute various tasks across separate hosts (an admin host, a security host, a customer service host, etc.). Before doing stats, you need to decide which functions are controlled by the host(s) and which are not. Access control and running security devices are common functions, as is whatever business the site conducts (a host in a car part manufacturing plant probably coordinates the assembly line, etc.).
The first question you need to answer is: how tough is the host? It should correspond with the physical nature of the site. The chart on page 247 of SR5 gives you an idea of where your ballpark should be.
The next question is how to distribute the ASDF ratings. Generally, you'll use an array of HR+0, HR+1, HR+2, HR+3. How you assign them says some implicit things about the security posture:
Attack: high priority here says you want to punish people who hack your host.
Sleaze: high priority here says you really are trying to keep a low profile. (Note: if the host isn't bothering to run silent, this is doing almost nothing for the host. It should be the lowest stat 9 times out of 10.)
Data Processing: it has mechanical benefits (initiative for IC), but above all, if this is the highest stat, you're communicating that the host primarily does legit business.
Firewall: Your basic security priority. 9 times out of 10 this should be either the highest or next highest stat for a host.
Once you've got the Host Rating and ASDF array, you next have to decide what grid it is on. If it's a megacorporate-affiliated site, it's probably on that corp's global grid. Of course, that's only true if it's a publicly acknowledged site rather than some black site. Most hosts run by organizations with resources but without a TON of resources will be on the Local Grid. If it's a government or not particularly rich host, the Public Grid is usually the best choice.
You've got a lot of data by now, and that data implies a lot about the host. You should be ready to decide what its security posture is: what IC is loaded, and how many spiders there are and how good they are. You're as free here as you are in making up concerns about physical security. It may help to have a "binder full of NPCs" and have some stock spiders of varying threat levels so you don't have to make them up from scratch every run. As for IC, the only constraint to remember is there's only ever one of each kind of IC (so no 2x Patrol IC or similar) and the max number of different IC is equal to the Host Rating. Beyond that, it's all free-form. Generally speaking, only Patrol IC is running 24/7 in most hosts, simply as an in-universe precaution against employees being attacked by IC. That said, there's no mechanic for IC accidentally misidentifying legit users as hackers, so technically speaking there's nothing stopping you from having all the Host's IC running all the time (other than accusations of being a mean GM).
Sculpting is where you get to be creative. If you know your NPCs well enough, you should be able to think up some metaphors they'd find appealing (maybe the spiders and IC in a security host in Neo-Tokyo all look like robotic samurai). A rule of thumb I like to use: the more open the host is meant to be to the public, the friendlier the sculpting. A host that looks like a dark wizard's tower surrounded by a lava moat is conveying to the public that they're not welcome.
Some advanced topics:
Remember, marks travel upstream but not downstream. If a decker gets marks on a slaved maglock, he'll get that many marks on the host too. However, even if you have 3 marks on the host, you still need to hack the next maglock, as slaved devices aren't all marked just because the host is.
Be sure to employ File Protection, especially on things like security logs and anything confidential that the public shouldn't see. (Remember, you need a mark on the host to enter the host, which means legit users can just snoop around at everything if you don't secure non-public files.)
Don't be shy about putting some Data Bombs out there, too, especially on paydata. It's your choice whether or not the file gets deleted by the bomb, as appropriate to the paradigm you've developed and the sensitivity of the paydata itself.
Get very familiar and comfortable with the Matrix Search chart on page 241. It is your guideline for how hard to make tests to find something, based on how well hidden you want it to be. Most things that would qualify as paydata will probably be Limited Interest or Actively Hidden inside that host.