In our practice, we often encounter situations when clients ask questions about measuring 'security value' or whether this or that security solution works. How does one evaluate the effectiveness and efficiency of security operations? How does one determine which solutions to choose from? 

In our answers, or when we design and implement security solutions, we base our approach  on the Outcome-Based model -- almost everything can be supported by data or evidence if you know what questions to ask and how to engineer performance measurements.

In a rapidly changing operational environment when new threats emerge on a regular basis, the existing prescriptive models can no longer provide the expected security answers. In an outcome-based approach to security, while the established objectives remain the same a security program has enough flexibility and adaptability to deal with most of emerging challenges.
  
CHI Security Senior Associate, Peter Stewart, has prepared a short overview of what an Outcome-Based Approach is all about (see pdf below). Feel free to contact us if you have more questions.

This philosophical question continues to occupy the minds of many security professionals and interested commentators. The answer, in most cases, is somewhere in the middle but this team believes that in a truly proactive security system Human Factor should-be the determining element.

While there are many security threats and risks outside, the reality is that we mostly fear those coming from other humans. In simple terms, this inherent mistrust in other humans, whether as risk factors or performers, is what causes us to look for technology as a solution. The problem of course is that humans in general (and evil-doers in particular) are quite inventive in circumventing various static barriers put in their way, be it a sensor-wired wall, a sophisticated X-ray machine or biometric devices (not to mention another apparent problem -- these 'solutions' have humans attached to operate them, oops). In reality, most security systems we witness today are passive and inefficient. They perform 'law enforcement' duties (e.g. CCTVs -- a post-event information collection), are not flexible to deal with evolving threats and in many cases contribute to the 'security theatre' perception.

One of the biggest challenges facing any organization with a security department is: How to Explain (read: Justify) Utility of Security Operations? What Value do these operations bring to the overall bottom line? 

While senior managers, board members and general public accept the notional need for having security procedures and personnel in place since 9/11, most of those who run these operations have difficulty with providing answers beyond the mere "That's just it, we need it!" The situation is prevalent in many countries, but in Canada it is compounded by a simple fact that we have not (thankfully) experienced serious security incidents. Bad things just do not happen here.

Generally speaking, security operations are human/technology systems designed to protect installations or people from natural or man-engineered threats. The real concerns, of course, are always with people who possess malicious intent and means/skills allowing them to execute an attack. 

High-risk assets in transportation industry, such as air/ports and public transit hubs, present a particular problem for security operatives often due to larger territories to protect, multiple entry points, high passenger/cargo traffic and more. After conducting regular TRAs and identifying vulnerabilities, target hardening often ensues through the addition of infrastructure and/or technological 'barriers' and training of personnel to follow strict protocols. Apart from serious budget expenditures which continue to build-up as threats evolve and tech solutions are added (space allocation!), such typical responses often create a very rigid operational environment. Over time this vicious cycle leads to several outcomes: