It's a safe bet that any enterprise that's serious about networking --- in other words, most enterprises --- have finally started to take network security seriously. In this age of zero-day exploits, malware and zombie bots, sales of security technologies and services have skyrocketed; virtual private networks (VPNs) and intrusion protection systems have become standard tools of the trade.

However, having the hardware and software isn't enough, says James Hurley, the Aberdeen Group's Vice President Risk, Security, and Compliance. Having the tools is not the same as knowing how to use them. "Looking at security only from a technology perspective leads organizations down the wrong path," Hurley says. "The most common error is the assumption that the security capabilities on network hardware and routers is all you need. Organizations that approach security solely from a technology perspective do it very poorly."

The bottom line is that protecting your network is, more than anything else, a question of policy, strategy and execution. Networks, says In-Stat group research analyst Victoria Sodale, are not insecure by definition, but by accident. "There are some basic steps all organizations can take to protect themselves," she says. It just takes the will and commitment to take them.

Here, the experts say, are eight ways to protect your network:

Define policies and ensure governance: With new regulations like the Sarbanes-Oxley Act raising the bar for corporate responsibility, governance has become particularly critical. "It's broader than just security," Sodale says. "It's not just making sure that you have it, but also that it's documented and enforced."

Exactly how an organization manages security depends on the organization, but it is imperative to have clear rules and procedures for how the network is used and secured. "The steps you should take are different if you're the Pentagon and if you're the University of Michigan," Hurley says. Nevertheless, "more than technology, this is the critical issue in determining if security works."

Policies have to be backed up with technology, but they have to be made explicit. They are the starting point for everything else Sodale says. "It really is common sense," she says. "You have to have rules if you're going to enforce rules."