Thursday, July 31, 2008

Like many things in the IT world, executives are often led to believe that simply implementing a SIEM is a reason for great rejoicing, as all their security problems will go away.  Unfortunately, this is not the case.
Successfully implementing the technology to perform security event correlation is the beginning of a journey, one that has many benefits, some foreseen and many unforeseen.

So let us step back and look at the bigger picture.  Once you have your SIEM up and ready to go, you have to determine which “alerts” you are going to switch on.  I say “alerts” since some are simple security rules and some, if you are lucky, are correlated use cases.
Determining how many and which “alerts” you activate in your first phase can be the determining factor for success or failure.  Generating too many alerts, a situation I have seen many times, results in information overload.  The team is overworked and, in a knee-jerk reaction, either switches off the “noisy ones” or just sends the alerts to the trashcan.  A large percentage of the alerts are usually false positives, which leads people to question the investment and the quality of the SIEM, or simply to ignore it.  The better approach is a phased one, with multiple releases of additional and modified rules.  It delivers a security event correlation system that generates tuned alerts, specifically designed and valued by the business community and the IT group to detect real security incidents.
So what do you need to do to be successful?  You need to be prepared.  You need to understand that this is a learning process for your IT people, your business people, and the SIEM itself.
The first thing to think about is how to prioritize which alerts you switch on.  Please do not switch them all on at once.  Think about your environment.  Think about which systems, applications, and network connections are critical to your business.  Think about what sorts of attacks and activities you want to find that will demonstrate the value of the SIEM solution.  Do not make it too complicated; go for the low-hanging fruit.  Now, before you reach for the mouse, hold off.
The real challenge is that, many times, the people monitoring and controlling the SIEM infrastructure are not the ones allowed to configure or change the systems with the security problems (and they should not be, since the “fox should not be guarding the hen house”).  Therefore, you need to establish a process to hand the problem over to the administrator of the impacted system and to continue tracking the issue until it has been fixed.
Please do not establish artificial barriers between the security people and the system administrators.  They should work together to find a solution that mitigates the problem.  Sometimes it is not possible to fix the problem completely; in that case the security team needs to fine-tune the alerting so that successful malicious activity against the vulnerable server is reported immediately.
How are you going to measure success?  Success in security is not about how many times the alarm goes off; it is about how well the security problem is resolved.  If you do not have a way to fix a security issue, the business risk escalates over time, because the likelihood of the system being compromised grows with the length of the exposure.  Many times over the years, my clients have found that a successful implementation of a security program increases the number of security issues and problems they know about.  They have joked that they were better off before, since they were blissfully unaware of the risks.  [My (in)famous saying is: “Ignorance is not bliss for a security person; awareness and fear are.”]  So you need to manage the expectations and the messages that result from all of these newly visible security problems.  You need to demonstrate not only the detection but also the resolution, and the associated benefits from the reduced number of IT incidents in general.  And this goes back to choosing the low-hanging fruit.
The next challenge comes when the “rubber hits the road” and the alerts start being generated.  You need to manage the number of alerts being generated so that you do not overload the system administrators.  That may sound like an easy-going approach, but think about it.  They did not know about the problems before, so you need to make sure that the real business-critical issues are addressed first and then take on the others as their workload permits.  So monitor the number of alerts being generated, have a process to track the “open tickets,” and work with the system administrators to help them understand each security alert and find the solution.  Remember, many security people talk a different language from other IT people, and if you want to be successful you have to talk in their words, not yours.
Also, establish a committee that meets at least once every two weeks to review the alerts and the use cases and to determine what actions should be taken, such as refining a rule or switching on another rule.  This committee should not be just the security team; it should include representatives from the IT organization as a whole (with a technical background) and representation from the affected businesses.  As I say (yes, another Paul saying), “Security people should provide advice.  We are not in a position to make a business decision; that’s the business owners’ job.”
So in summary, what should you have in place before activating the SIEM and letting it send alerts?
1) A prioritized list of rules to switch on, in order of business value and likelihood of success
2) A process to notify and work with the impacted system administrators to resolve the security problems
3) A committee to review and decide on alert modifications, deletions and additions
4) A way to track and measure success through the detection AND successful closure of security issues
5) Metrics that show that the increased vigilance resulting from the SIEM delivers results: fewer outages caused by security incidents, and a more proactive security approach that uses your IT resources more effectively and efficiently
In my opinion, this process, and the demands it places on these people, can last for many months, but it will result in success.
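Items 4 and 5, together with the earlier advice to monitor alert volume and track open tickets, are easier to act on with numbers in hand.  The script below is an added example (it is not from the original post and does not use any particular SIEM's schema): given a list of alerts with the analyst's verdict and the ticket close time, it reports which rules are noisy enough to refine or switch off, how long confirmed incidents take to close, and which confirmed incidents are still open and therefore still an exposure window.  The rule names, criticality levels, thresholds and every alert record are constructed for illustration.

```python
"""Alert-noise and closure metrics for a first-phase SIEM rollout.

Added example, not code from the original post.  All alert records, rule
names and thresholds below are constructed for illustration; the record
layout is an assumption, not any real SIEM's export format.
"""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: one record per alert raised in the first two weeks.
# Fields: rule, criticality, time raised, analyst verdict, ticket closed
# (None means the system owner has not yet confirmed a fix).
ALERTS = [
    ("brute_force_login",  "high",   "2008-07-01 09:12", "true_positive",  "2008-07-02 15:00"),
    ("brute_force_login",  "high",   "2008-07-03 02:40", "true_positive",  "2008-07-03 11:30"),
    ("brute_force_login",  "high",   "2008-07-09 22:05", "true_positive",  None),
    ("malware_on_server",  "high",   "2008-07-05 14:20", "true_positive",  "2008-07-12 10:00"),
    ("config_change_prod", "medium", "2008-07-06 10:10", "true_positive",  "2008-07-06 12:00"),
    ("config_change_prod", "medium", "2008-07-07 10:10", "false_positive", "2008-07-07 10:30"),
    ("config_change_prod", "medium", "2008-07-11 16:00", "true_positive",  None),
]
# Seven false positives from one noisy rule (e.g. the network team's own
# monitoring probes tripping an internal port-scan rule every other day).
ALERTS += [("port_scan_internal", "low", "2008-07-%02d 08:00" % day, "false_positive", None)
           for day in range(1, 15, 2)]

CRIT_ORDER = {"high": 0, "medium": 1, "low": 2}


def load(records):
    """Turn the raw tuples into dicts with parsed timestamps."""
    alerts = []
    for rule, crit, raised, verdict, closed in records:
        alerts.append({
            "rule": rule,
            "criticality": crit,
            "raised": datetime.strptime(raised, FMT),
            "verdict": verdict,
            "closed": datetime.strptime(closed, FMT) if closed else None,
        })
    return alerts


def rule_noise(alerts):
    """Per rule: how many alerts it produced and what fraction were false positives."""
    counts = defaultdict(lambda: [0, 0])  # rule -> [total, false positives]
    for a in alerts:
        counts[a["rule"]][0] += 1
        if a["verdict"] == "false_positive":
            counts[a["rule"]][1] += 1
    return {rule: {"count": total, "fp_rate": fp / total}
            for rule, (total, fp) in counts.items()}


def tuning_candidates(alerts, min_count=5, max_fp_rate=0.5):
    """Rules that are both high-volume and mostly wrong: the ones the review
    committee should refine or switch off first (thresholds are assumptions)."""
    noise = rule_noise(alerts)
    return sorted(rule for rule, stats in noise.items()
                  if stats["count"] >= min_count and stats["fp_rate"] > max_fp_rate)


def mean_time_to_resolve_hours(alerts, criticality=None):
    """Average raised-to-closed time for confirmed incidents, the 'closure'
    half of success.  Returns None when nothing matching has been closed."""
    hours = [(a["closed"] - a["raised"]).total_seconds() / 3600
             for a in alerts
             if a["verdict"] == "true_positive" and a["closed"] is not None
             and (criticality is None or a["criticality"] == criticality)]
    return sum(hours) / len(hours) if hours else None


def open_backlog(alerts, now):
    """Confirmed incidents nobody has closed yet, worst first.  Each row is
    (rule, criticality, days open); days open is the current exposure window."""
    if isinstance(now, str):
        now = datetime.strptime(now, FMT)
    rows = [(a["rule"], a["criticality"], (now - a["raised"]).days)
            for a in alerts
            if a["verdict"] == "true_positive" and a["closed"] is None]
    return sorted(rows, key=lambda r: (CRIT_ORDER[r[1]], -r[2]))


def report(alerts, now):
    """Print the figures a fortnightly review committee would look at."""
    for rule, stats in sorted(rule_noise(alerts).items()):
        print("%-20s %3d alerts, %3.0f%% false positive"
              % (rule, stats["count"], 100 * stats["fp_rate"]))
    print("Refine or switch off:", ", ".join(tuning_candidates(alerts)) or "none")
    for crit in ("high", "medium", "low"):
        mttr = mean_time_to_resolve_hours(alerts, crit)
        print("MTTR %-6s: %s" % (crit, "n/a" if mttr is None else "%.1f h" % mttr))
    for rule, crit, days in open_backlog(alerts, now):
        print("OPEN %-6s %-20s %d days exposed" % (crit, rule, days))


if __name__ == "__main__":
    report(load(ALERTS), "2008-07-15 09:00")
```

Run it and the noisy internal port-scan rule is the only tuning candidate, while the open high-criticality brute-force ticket sits at the top of the backlog; that is the list you bring to the committee meeting, and the trend in these figures from one meeting to the next is the metric item 5 asks for.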


Created by: Paul Davis
Category: Paul's Blog • SIEM/SEM

