IT - work like a slave and plan like
Your entire resource pool is sitting under the proverbial coyote's anvil.
I've been doing this for 30 years now. From cabling things, to mainframes, to networking to storage and *nix coding to SA and others.
I've seen a crapton of things and forgotten more than I stand a chance of recalling. What scares the most crap out of me is that I've been outsourced to "MegaITCorps" twice in my life and goddamn it, the Really Big Guns in the industry typically have worse security than the little guys, not due to lack of knowledge, or due to bad SAs. It's due to trying too damn hard to do security, and making things so complex, long-winded, and difficult to execute, that the SAs, programmers, architects etc. develop a culture of working AROUND the security rules. Too many rules, too many security tools, and too many demands to meet schedules that were not realistic, with functional requirements that were bolted on after the initial project plan.
KISS. Plan for the worst. Automate deployment. Automate basic SA: use cfengine, puppet, chef, whatever; Global Policy, LDAP; centralize syslog and BUY a decent log miner. Kill the snowflakes before they land, because those jackasses are the reason systems will get compromised. Automate backups, and use *smart* rules about them - and then post those rules in big block capitals where the devs, the SAs and the users can all see them every day.
In truth, I don't think that putting your full set of security tools *on* the hosts you are trying to keep healthy is necessary; IDS can be done (given the funds, I suppose) from the edge of the network and using a separate network for control. Yes, AV/AM software on Windows systems is needed, and if your *nix hosts are doing SMB/CIFS to the Windows world then appropriate tools are appropriate - I've seen a scanning set that kept the software on a single host and essentially copied the binaries over each time it ran scans on a node - but that was a fairly small network of nodes and the tool fit that circumstance. CODE REPOSITORIES!!! Dammit - if you're developing stuff (any stuff) in house, use SOME sort of code repository that tracks who did what, when, and what code they changed. And lock it up tight, back it up daily and use it.
Part of the issue I've seen is that frequently one needs different tools on different platforms to do what is essentially the same job, which complicates matters, and prevents "single view" - it makes it quite hard for some folks to see what happened and when in relation to what other events.
But yes, Trevor, assume you will get hacked. Essentially, one should plan to fail and then not have the tag "failed to plan".