You know what your boss is going to say next…"We need to prevent those things!" And that's where we get stuck: trying to prevent every possible breach scenario we can think of, and even the ones we can't, because the methods haven't been discovered yet. One of the things you have to decide is how to balance preventive security against reactive security. In other words, do you spend money on laptop encryption and patch management, or on intrusion detection and centralized log monitoring?
I keep thinking back to Dave Shackleford's blog entry, "5 Reasons Your Security Program is a Failure." There are several great points there, but the one that I keep thinking about is #2, Lack of monitoring capabilities. Where does monitoring fall in terms of preventive and reactive security?