Another blog - this time it's "all about the money" - over on the State of Security blog by myself: https://www.tripwire.com/state-of-security/measure-investment-security

Investment in detective controls too, with an aim to detect security violations when they occur, are increasingly deployed because there is no absolute security that will completely prevent all intrusions. 

What makes for good "value" in security is always hard to define - I appreciate as a consultant I'm not the "cheapest" option for getting things done, but the value of a consultant with deep knowledge of compliance and hardening, to my (biased!) mind, still seems pretty gosh darn important when it comes to extracting maximum value!