On the issue of spending on monitoring versus prevention, I stand by what I said about spending as much on monitoring as on prevention. But there's another point worth making that I missed the first time around. So, if I may, I'd like to tell your CISO one more thing.
1b) Let the results of your 2007 monitoring determine what you spend your 2008 prevention dollars on. Simply put, no consultant, auditor, or magazine is going to know better than you what your security problems are. So, unless you still don't believe me about monitoring, don't let them tell you how to spend your money. (Remember that "deep packet inspection firewall" you bought in 2005? That's what you get for listening to a magazine.)
Set aside time each year to review what your big messes were as well as where your analysts spent the majority of their time. Then look at the market for technologies that can cut the amount of time your talent spends doing the same thing over and over by hand. Also look at technologies that can help you keep the promises you made under your breath to never let _____ happen again.
So while there may be no Security-ROI-Santa-Claus, comprehensive operational security is self-supporting. Leverage it to the maximum extent that you are able.