Security Best Practices
Evaluate risks: Assess internal and external business and security
environments. Analyse all the available historical data to look for patterns and
identify vulnerabilities. What are the special features of your business? What
is your network architecture like? Is your current network security
infrastructure adequate? How critical is the role played by the network in your
business?
Come up with a security policy: Based on risk evaluation, design and
implement a security policy and link that policy to business risks.
Involve business managers in risk assessment: Involving business managers in
identifying potential threats, vulnerabilities and the consequent impact on
business operations could help them better understand the imperatives of
network security.
Establish a central management focal point: Designate a central group
to carry out the key activities. Provide the central group with ready and
independent access to senior management. Designate dedicated funding and staff.
Enhance staff professionalism and technical skills.
Promote awareness: Continually educate users and others on risks and
other related policies; use attention-gaining and user-friendly techniques.
Monitor and evaluate policy and control effectiveness: Monitor factors that affect
risk and indicate security effectiveness. Use results to direct future efforts
and hold the managers accountable. Stay alert to new monitoring tools and
techniques.
Distinguish between policies and guidelines: While the security policy
should set out the fundamentals that the senior management considers
imperative, guidelines should provide more detailed rules for implementing
broader policies. Guidelines can also be designed as an educational tool that
can help network users understand and follow the desired security practices.
Create an incident-handling mechanism for security breaches: A
security systems investigation procedure that addresses evidence preservation
and forensic examination must be formulated with a trained response team in
place, so as to tackle emergencies.
Go for third-party assessment: External third-party audits should be
regularly carried out to get an independent assessment of network security
effectiveness.
Look for these in an all-in-one box: If you are looking for a complete
security appliance, then it must have at least firewall, anti-virus, IDS, and
content-inspection functions. However, check whether too many features in one
box are affecting its ability to perform. In many cases, that is likely to
happen. So avoid asking for everything in one box if your security requirements
are complex.
See that the box goes with the security policy: This is the first
important factor that any enterprise should look for before buying any security
appliance. One should not buy a box just because it can perform umpteen security
functions. Check if the box is capable enough of meeting the stated objectives
of the security policy. Also, a security appliance is deployed in an extremely
dynamic environment and requires constant evaluation to manage the threats
posed. So, check the box for scalability.
Go for step-by-step buying: Organizations can have a diverse range of
security needs ranging from anti-virus protection to malicious content
inspection and protection against hacker attacks. However, an organization may not need all the
security features at one go. Depending on the context, buy only what you need
today, but keep the option of upgrading always open.