Let us begin by defining what this means in the world of security operations. In our practice, it is the process of observing someone's behaviour and analyzing it for indicators of adversarial modes of operations. 

In addition, especially trained officers would look at appearance, accompanying people, documents (if possible), verbal and other non-verbal cues, and conduct a security-driven interview (if allowed by regulations). All of the information thus assembled in a course of 5 sec to 1:30 min is analyzed relative to the operational environment or context in which the process is occurring. In the end, a qualified security officer will reach a simple decision: threat or no threat. Wait, you can ask, where does the racial / ethnic / religious profiling come into play? It does not.

In our practice, we often encounter situations when clients ask questions about measuring 'security value' or whether this or that security solution works. How does one evaluate the effectiveness and efficiency of security operations? How does one determine which solutions to choose from? 

In our answers, or when we design and implement security solutions, we base our approach  on the Outcome-Based model -- almost everything can be supported by data or evidence if you know what questions to ask and how to engineer performance measurements.

In a rapidly changing operational environment when new threats emerge on a regular basis, the existing prescriptive models can no longer provide the expected security answers. In an outcome-based approach to security, while the established objectives remain the same a security program has enough flexibility and adaptability to deal with most of emerging challenges.
  
CHI Security Senior Associate, Peter Stewart, has prepared a short overview of what an Outcome-Based Approach is all about (see pdf below). Feel free to contact us if you have more questions.

One of the biggest challenges facing any organization with a security department is: How to Explain (read: Justify) Utility of Security Operations? What Value do these operations bring to the overall bottom line? 

While senior managers, board members and general public accept the notional need for having security procedures and personnel in place since 9/11, most of those who run these operations have difficulty with providing answers beyond the mere "That's just it, we need it!" The situation is prevalent in many countries, but in Canada it is compounded by a simple fact that we have not (thankfully) experienced serious security incidents. Bad things just do not happen here.