Both. Let me explain using a concrete example of how it happens using the elites from my own field, military computer security.
First, a problem is pointed out. Usually because an adversary pearl harbors something (like a base network goes down).
A commander (usually general level, this is really all they do besides give speeches) picks someone recommended by their staff and their staff’s friends. The person picked is usually one of the few very competent people in the military.
This person is given absolute dictator-level power and responsibility over the subject area wherever it does not interact with subject areas controlled by a higher-ranking person.
This person’s first task is to pick people to make a training program for more people in the field (the ‘single point of failure’ policy). They pick their friends, who are also likely among the few very competent people, and they get together and actually consult with training experts, have complete authority to make training programs (SERE training includes torturing/beating people and forcing them to eat live animal parts to prepare them for being captured and living in the wild, as an example.)
The person’s second task is to requisition people for the field as a ‘special duty.’ In order to be eligible for special duties you always require basic competence (if your pt scores are bad or you have any poor marks on your record, no go), but you can also require advanced competence (pararescue has a swim test, cybersecurity requires S+ and is moving toward CISSP certifications.)
The third task is to remove the threat using the people and the training program, and they are personally responsible and accountable for making sure the threat is removed. There are no excuses, not even reasonable ones like ‘no human being knew that was possible!’ or ‘there is not enough money in the world to solve this.’ The commander comes up with an effective, efficient way of addressing the threat, or they are removed from command.
So, you have training programs which are effective at improving competence (domain-specific competence), and you have personnel entering them who already display a modicum of this DS competence and a basic level of generalized competence (they have followed the basic military rules like pt, get to work on time, do what you’re trained to do, don’t break the law). You get your pick of the applicants, including for training and the people who make regulations.
Over time this urgency fades and you’re left with enforcing the (however outdated) legacy of those effective people from whenever the last pearl harbor incident was.