Similar but more mature practice areas have adopted different measurement standards. For example, corporate security/financial fraud units frequently measure their effectiveness by comparing audited loss statistics to industry baselines. If their losses are greater than industry baselines, they are doing poorly; if losses are lower, they are performing above average. Although the infosec industry lacks such data, history and methodology, it's clear that smart spending can reduce losses--and, conversely, negligence can cost you big.
Getting a Game Plan
You have to create a security road map centered on policy definition and asset identification before making any major technology investments. Those lacking strong policies should consider hiring a consultant or jump-starting the effort with security-template tools like NetIQ's Vigilent Policy Center (see "Policy Management Hits the Web").
Once you've laid out the basics, determine how far you are from policy compliance and baselines, and where you come up short in terms of access control. Tactical technology solutions can help here, but only if applied in the right order, for the right reasons. For example, host-based intrusion-detection systems do little good if the hosts on which the HIDS agents reside are unpatched and open to compromise. The alarm rates will be constant and the hosts vulnerable, effectively rendering the HIDS worthless. In this scenario, money and time would be better spent solidifying patch management.
You probably face political and organizational challenges as well. For example, many organizations have learned that without antivirus systems, they'll chase faceless demons indefinitely. Antivirus becomes a "must have"--its operators are clear, and the decision on the technology is simple.