You can load up on software and software to safeguard systems but don't forget the training. Top to bottom training for IT folks will enable an organization to know the risks. The delegation process to security specialists will likely slow down when the IT department takes security a higher level.
The United States has tried to provide a framework, but the British have been more systematic. The U.K. Department of Trade and Industry recently published a best-practices standard.
Coursework that has case studies is most helpful when deciding what classes to send people to. The cost is generally around $500 per person plus don't forget to add in the employee time. Always consider the potential for attacks that could result in downtime that then could result in the loss of revenue.