This Meet Magento New York 2014 tech track presentation is Magento Security and Us by Lee Saferite. Limit your attack surface - don't open unnecessary ports, and ideally use a server in a different subnet from your web server to provide SSH access into your site.
External log file storage - if your server is compromised, you can't trust anything on it. Transfer logs to a 3rd party service or another server in realtime.
Backup security - your backups contain all of your data - it should be secured well.
Your Magento site shouldn't have any writable PHP code - only var and media need to be writable, and they should only be writable by the web server user.
Magento extension authors should define specific, granular permissions in their extensions so that Magento site owners can restrict who can do what.
Don't install extensions directly from Connect - you need to run a code review/security audit first. You also don't want extensions that automatically update, because you don't know what their code might do.
If you're online for long and you're selling online, you will be a target, and at some point you will be compromised. Have a written incident response plan for what needs to be done when this happens so that you're prepared for it.