One of the challenges in security is that folks suggest that when you are successful nothing happens. I like the paradox of this and often use an analogy to Y2K as an example of this phenomenon.

The only problem is that, it isn't really true that "nothing happens" when you employ some specific security control to prevent an exploit. Not only that, but even when it is difficult to collect data on what didn't happen, one can devise experiments to tell how frequently that nothing occurred.

Using better reporting and data correlation techniques, it is possible to measure the effect that a security solution had on an organization. The key is to find some control group, either within the company or some other organization. Even better these days, an organization can employ honeypots to provide much more information on what didn't happen.

Bottom line: you definitely have to be creative, and it will be challenging, but you CAN tell when "nothing happened."