Some organisations simply do not have the resources to operate a software-based solution. Appliance-based solutions generally are not very extensible and do not offer all of the enterprise feature sets such as workflow, customisation and extensive threat identification capabilities.

Does it meet your compliance initiative?
By leveraging a SIEM, you can build more automation into your compliance program, increase your productivity in monitoring, responding and maintaining compliance, and substantially reduce the operational costs of building and supporting a comprehensive compliance methodology. Some SIEMs have built-in compliance features that are available as part of the base product, while others charge for it as an additional module.
There is also a considerable difference between the compliance features of the different SIEM products on the market. Some simply add some basic compliance-specific reports and call it 'compliance ready', while others invest substantial development resources in defining compliance-specific correlation rules, dashboards, notifications, reports and much more. If this is the reason why you're deploying a SIEM, then be certain to ask the vendor to demonstrate their full compliance features and include these in the POC.
In summary, decisions should be driven by organisation-specific requirements in areas such as the relative importance of SIM vs. SEM capabilities, ease and speed of deployment, cost, the IT organisation's support capabilities, and integration with system and application infrastructures.
Carlo Minassian is the founder and CEO of earthwave, an Australian provider of security services.