Instead, everyone should implement defense-in-depth applications, such as intrusion protection and detection systems. "These days, you have to require authentication and authorization on your applications and systems," he says.

Gossels says critical advances have been made in all areas of security. For instance, he says biometrics is ready for prime time. "The obstacle used to be that you needed a separate reader to process the fingerprint. But that technology is now being integrated in many laptops and other hardware," he says.

Doing defense in depth at all levels of the network is key, he says. He recommends addressing security at the network, application and Web-based application levels. "Application-based exploits are the fastest growing area of penetration and vulnerability," he says.

3. Make sure you can produce reports

Moeller says it's imperative that IT groups be able to run reports on all their major systems. "Reports allow us to present our activities to management objectively," he says.