Faced with the ever-changing threat landscape and what has become a complex, confusing world of technology for IT, it's easy to lose focus and forget what otherwise would be your top priorities.
We often become so enamored with technology that we forget the employee is not only a critical part of your security solution, but often the only part that can best react to a new threat. This is because, unlike most technologies, the employee can think and react. Therefore, your priorities should start with the employee because, like it or not, they are your first line of defense.
A well trained employee with lousy tools is vastly more capable of protecting herself and her firm than a poorly trained employee with great tools. In addition, with the rate of change and the increasing involvement of online criminals, the security tools we have will likely always fall short of perfect.
As a result, your first priority is to make the employee part of the security system. They need to know what to look for, whom to call if they see something unusual, and they should have incentives that motivate them to stay focused and alert.
Passwords, or more accurately, effective user authentication, remain a massive problem across virtually all industries, governments, and even religious organizations. Making sure someone is who he's supposed to be and can only gain access to those things for which he's approved goes to the very core of security. The fact that trivial passwords are commonly used and complex passwords are commonly written down or phished out should scare us far more than it does. Until you address this exposure, you remain at high risk of being a bad example in the next exposé on companies not protecting customer data adequately.
Dual-factor authentication is becoming a common requirement for financial institutions and government entities. It will eventually spread to the companies that serve these groups, and it would be wise to get well ahead of that curve so you aren't seen as incompetent if there is a breach (better yet, circumvent that possibility in the first place). While I personally prefer a combination of biometrics and smart cards, there are a number of alternatives that may be more appropriate for your organization. In any case, lose the password.
The biggest problem with facing the level of threat diversity we have today is the tendency to layer on targeted security solutions from an increasing variety of vendors. The more complexity you create, the harder it is to manage the result: systems won't talk to each other, and things that should be automated require excessive human intervention to function. This results in a resource drain and an equally excessive focus on systems maintenance rather than on increasing security.
It is easy to increase complexity and incredibly hard to eliminate it. If you can focus on maintaining simplicity, your result should be systems that are vastly easier to manage, vastly more secure in total, and substantially less expensive for what they do. A side benefit typically is you are left with some free time to anticipate and prepare for new threats as opposed to having to clean up the mess after being hit.
Of these three, the first is by far the most important, but if you keep all three uppermost in your thinking and planning, you should be able to substantially increase both your site's security and your own peace of mind.