The Myth of Infrastructure-Specific Security Expertise

In conversations about physical security consulting, one question comes up again and again: “Do you have experience with this type of facility?”

It is usually asked with good intent.  Leaders want reassurance.  Boards want defensibility.  Organizations want to feel confident they are choosing someone who understands their environment.  Stadiums, schools, houses of worship, banks, and corporate campuses all feel different, and in many ways they are.

The problem is that this question, while common, is often the wrong one.

Security principles and forms do not change. Context does.

At its core, physical security is governed by a small set of foundational principles:

• Comprehensive
• Integrated
• Layered
• Redundant
• Enduring

Effective security is likewise implemented through four specific forms:

• Deter
• Detect
• Delay
• Respond

These security principles and forms apply regardless of infrastructure type.  Human behavior does not fundamentally change because a setting is a stadium instead of a school, or a warehouse instead of a convention center.  Threat decision-making does not change.  The realities of time, distance, and response do not change.

What does change are contextual variables such as crowd density, access patterns, operational tempo, and consequence management.  These factors shape the ways in which security should be designed and implemented, but they do not determine whether someone understands security itself, nor do those factors change fundamental security principles.

Confusing context with competence is one of the most common and costly mistakes organizations make when evaluating security partners.

This distinction is reflected in federal guidance as well.  The U.S. Department of Homeland Security (DHS) consistently frames physical security around layered protection, deterrence, detection, and response rather than infrastructure-specific playbooks.  The emphasis is on adaptable concepts that scale across environments, not rigid specialization by building  or infrastructure type.

Why facility-specific security specialization sounds convincing and often isn’t

Claims of infrastructure-specific specialization are easy to market and difficult to verify.  Vendors frequently describe themselves as experts in “event security,” “stadium security,” “school security,” or “corporate security” because those labels feel reassuring to buyers – they are also great keywords for Search Engine Optimization (SEO).

In practice, those claims often substitute familiarity for effectiveness.

When organizations focus too heavily on whether a vendor has worked in a similar building before, they tend to overlook more meaningful questions.  How are guards actually managed? Are post orders clear, enforced, used, or even present? Are emergency procedures operationalized or simply documented? How is decision-making handled under stress, outside of ideal conditions? What other security-related services do you offer, and how do those services integrate with the ones we are requesting?

When those questions go unasked, organizations often default to the easy button.  Underperforming vendors are retained because switching feels complicated, disruptive, or uncomfortable.  Unfortunately, that convenience quietly becomes unmanaged risk.

Professional security standards reflect this reality.  ASIS guidance emphasizes risk-based security design, threat assessment, and system integration across people, procedures, and technology, not narrow specialization tied to facility labels.  Effective security is defined by how well a system functions, not by how familiar a provider is with a particular type of building.

The real cost of choosing comfort over capability in security

Across sectors, the patterns are remarkably consistent.  Guards are placed on site without clear expectations or post orders.  Emergency procedures exist on paper but are not trained, tested, or reinforced.  Response roles are assumed rather than defined.  Leadership equates coverage with capability.

None of these failures are dramatic in isolation.  They compound slowly.  Complacency sets in.  Skills atrophy.  Gaps widen quietly until an incident exposes them all at once.

Most security failures are not caused by bad intentions or lack of effort.  They are caused by lack of design and lack of continuous improvement.

What leaders should evaluate instead when considering security partners

If you are responsible for security, safety, resilience, or risk management, a more effective evaluation lens focuses less on where a security provider has worked and more on how they think.

How do they approach threat modeling? How do they integrate people, procedures, and technology into a cohesive system? How do they manage decision-making under pressure? How do they validate that security measures will function before they are tested by reality?

Physical security is not a checklist exercise or a resume comparison.  It is a system.  Systems either function under stress or they do not.

Effective security is not defined by having “done this type of building before.”  It is defined by understanding core principles, the  designing for real-world conditions, and executing consistently over time.

The easy button often feels safe, right up until it fails.

About the author

Chris Klossner is the Director of Intelligence and Special Projects at Convoy Group, where physical security is approached as a design problem, not a branding exercise.  His work focuses on threat-informed assessments, operationally realistic recommendations, and developing holistic security systems that function under stress across a wide range of environments.