In the second installment of his exclusive series, Tim Wenzel, CPP, Co-Founder and President of The Kindness Games, explores why changing the mindset of security professionals is the key to truly fulfilling their role in an organization.

The competency trap

Have you ever wondered, “How did that person get that role? They don’t seem to get it.”

“Why is the company so resistant to new ideas?”

Have you ever lamented that despite having great people, great training, etc., you find yourself in the same rut, fighting the same battles, with the same people?

A competency trap can be defined as the belief that your legacy efforts, thought processes, tools, teams, etc.; will continue to produce successes and even improve results in the future.

Practice makes perfect, right? Not in security apparently.

The first time I heard about the “competency trap” I was a Paramedic at an EMS conference.

The speaker, long forgotten, began discussing the evolution of processes, bodies of knowledge and even careers.

For a long time all current designs will be based on the same sets of assumptions, netting similar results.

When assumptions change, even a little bit, a variety of new options open quickly.

The medical field has one of the best processes for establishing a common mindset among a variety of types of professionals across the world, yet the context of this talk was complacency; turning the medical assessment, which is one of the best tools for root cause analysis ever designed, into a checklist.

Providers slowly become unaware of their biases, fail to thoughtfully question inputs, producing poor outputs – and poor clinical outcomes.

Everything is going well, we’re not in trouble…

The security industry is a giant competency trap.

We see programs full of “highly qualified people” producing security outcomes with the goal of “not being in trouble.” 

Not being “in trouble” is not a metric for success. 

I will challenge you to try to become the rarest thing of all in this industry: a security leader, professional, guard, analyst, program manager; who does not ever consider “being in trouble” as an feasible outcome.

Instead thoughtfully approach your role to define new assumptions so you can create new outcomes.

Our nexus to government service has provided our industry with very concrete assumptions which no longer serve us.

Law enforcement, fire & EMS and the military exist as functions of law.

When your role is enshrined in law, nothing can jeopardize your job unless you step outside the law and find yourself… in trouble. 

In the private sector, tomorrow is not promised to anyone.

The companies we serve may dissolve tomorrow. High performers are let go every day. 

Staying out of trouble is the mindset of bureaucrats who are charged with maintaining never-changing entities.

The security industry is too reactive, too focused on action – too preoccupied with doing security.

Often the practitioners working so hard at doing security don’t really understand why they do the things they do.

It’s what we’ve been taught. It’s what security is. Motion should not be confused with progress.

We are so busy investing time and resources into processes and tactics we are so sure of yet we don’t have a mechanism to measure success, failure or even return on investment…

The activities of security mean little if there’s not a clear rationale on how we got here, what we’re solving for and why that’s important.

A good security professional inevitably works their way out of a job…

You’ve heard this before… because nothing happens. You can’t prove a negative.

Ironically – it’s the metric of choice for staying out of trouble…

Have you ever heard a lawyer tell you they’re worried about keeping their job because they haven’t been involved in enough lawsuits? 

If you’ve entered the business world, you need to adopt business metrics.

You are not the only department that is actively working toward mitigating risk… yet you’re the only one who proudly tells the company, we have no value here whatsoever…

“We’re a cost center at the end of the day.”

Most corporate legal departments are more expensive than their security counterparts yet they’ve never considered themselves a cost center.

If you suggested they had a shaky value proposition, they would laugh in your face…

Yet their role is to manage legal risk on behalf of the organization. They understand why they do it and the consequences of not doing it.

This praise for mediocrity has no value in our industry. Let’s banish it once and for all.

I can’t get a seat at the table…

What would you do with it if you accidentally got it?

The fact of the matter is the people “at the table” do not spend their year busily doing things, working through their checklist.

They oversee strategy, forecast results and measure outcomes.

This is why when most of us get invited to “the table” for a special occasion, we’re not invited back because we sound like plumbers while billing ourselves as city planners.

The other side of this coin is hoarder of information. “They need me because of what I know…”

To be clear, this is malicious behavior. In my opinion, a fireable offense on the first occurrence.

This leader is so insecure that they are using their role to hold an organization hostage.

The fact of the matter is, the business doesn’t know what it doesn’t know and these antics will grow old and the first real leader who sees this will depose the offender in short order, losing nothing in the process.

In our business, the scarcity mindset is always self and organizational limiting.

Security only gains prominence and trust when they are collaborative, open and transparent across the business.

This is how we should showcase our value.

What is your purpose right now?

If your answer is to protect… anything – you need to re-evaluate your assumptions. 

Most of us enter the security industry out of some inner sense of duty.

A calling to stabilize the world around us. It’s very noble. It requires a special kind of person, but protecting any asset is not the goal. 

It’s an incomplete definition of one’s role. A plumber’s view of a cityscape.

As an industry. As a guard. As an analyst, GSOC manager or CSO; we need to lift our eyes and set our gaze on a “higher purpose”.

We need to understand why we do the things we do.

Why does this organization invest in protecting… whatever it is we are trying to protect. How are we contributing to the bottom line?

What are the needs of this organization? Who knows what they are? Who sees value in what security does?

These are questions that need answering.

It’s time to challenge our assumptions and begin to ask new questions while thoughtfully evaluating the answers we receive – wondering where the line of logic leads.

We need to embrace program management, governance and risk management to develop our business acumen, so we can start to understand the business of security and to understand our work the same way the general counsel understands theirs.

By the end of 2024, you should be enjoying coffee on a regular basis with your HR, finance, legal and compliance partners; engaging in thoughtful conversation, using the same language to describe the role you play in each other’s business.

The Insecurity in Security should be a more distant memory as you strive towards a higher purpose.

Read the first installment Tim’ series here and keep an eye out for the next article, coming out 27 March 2024!