Security Operations – Atriade
https://atriade.com
Experts in Physical Security Consultation

Turning Resistance into Readiness with Change Management

Published: Mon, 17 Nov 2025 13:29:24 +0000
https://atriade.com/change-resistance-readiness-change-management/

Mohammed Atif Shehzad (MS) recently sat down with Brendan Howard (BH), host of Security Management Highlights Podcast from ASIS International, to discuss why resistance to change remains one of the biggest threats to effective security programs and what leaders can do about it.

The real challenge isn’t technology. It’s the human response to change. When teams don’t understand the “why” behind new systems or aren’t included in the process, resistance becomes inevitable.

In their conversation, they explored:

  • Why security programs deteriorate without a proper change management framework
  • The core components: people, processes, technology, and their interdependencies
  • How to shift from reactive firefighting to proactive change leadership
  • Real examples of what goes wrong and how to avoid those pitfalls

Key Takeaways:

Effective change management isn’t about thick binders or rigid procedures. It’s about developing a mindset that considers stakeholder impact, communicates the “why,” and builds trust through engagement.

Exploring a technology or process transformation? Learn how to guide change with clarity and confidence in Mohammed Shehzad’s article in Security Management.

🎧 Listen to the full conversation (14 min) on Security Management Highlights.

Transcript of Interview

This transcript has been lightly edited for clarity and length.

BH

Welcome to the latest episode of the Security Management Highlights Podcast from ASIS International. Every month we focus on the trends and topics the world needs to know about your world, keeping information and people safe. I’m your host, Brendan Howard, and in today’s episode we talked to Mohammed Shehzad about one of his favorite topics as a security consultant – change management.

Let’s dig into how you don’t have to just react to change at work. You can proactively manage it and develop procedures and a mindset that helps manage it well. Mohammed Shehzad, Managing Director at Atriade, says long-term planning and strategy gets him excited. You get to study, you set up the parameters, and then you start, but you know what happens next?

MS

People change, turnover happens, acquisitions, mergers, companies, business practices change, they buy new locations, they sell old locations. Technology changes. Cameras and access control and credentialing technologies change. Network and infrastructure going on-prem to SaaS. So if you’re thinking long-term strategic planning, and yes, most security master plans are going to be three to five years, but when we’re thinking through them, we’re thinking the life cycle of the plans are far longer. It refreshes, but the program life cycle is 10, 20 years.

So what do we anticipate happening? And we don’t know what changes will happen, but we know that there will be things that will be dynamic, and people will have to react to them, people will have to shift to them.

BH

Are the problems of change management primarily, or the big ones happen at the beginning, where something needs to change and people are resistant to it, or is the problem that changes come along and derail the plan, or both? Does one get the most emphasis?

MS

It’s both and it’s cyclical. People are reluctant to change because they’re comfortable, it’s working, it may not be perfect but it’s working, or they’ve tried it, and they’ve met resistance or they have met roadblocks. So that’s the first resistance.

The second resistance is they don’t understand it. How would it benefit them? Or why would it benefit the security program at large or initiative at large? So that’s the typical initial resistance or reluctance.

Once you get through to that, now you have deployed this, executed the program, you’re managing it, and now there’s actually things that are changing with it. So if you put very rigid controls, if you didn’t have a good change management process that was fluid and flexible and dynamic, you’re not going to know how to address those changes. So typically when that starts to happen, if you don’t have good principles in place, now things are going to start happening ad hoc. People are going to start improvising, your program now starts to fray at the edges, and ten years later, you are back at square one where things are not working and everybody’s resistant to the new program.

So when we say 10 to 20 years, obviously we’re not developing a 20-year program. What we’re trying to do is put a framework of best practices in place for end users who are now able to follow that framework to say, okay, as technology is changing or whatever environment is changing within my organization, I know who the roles and responsibilities are. I know what the process is to get in front of it to become proactive about it. And that’s the 10-year longevity that we look at and talk about – how to give them the tools to basically keep refreshing their security program and keep staying ahead of it as opposed to reacting to it.

BH

What are the basic components of a change management mindset? So you come in and they haven’t done it before, they haven’t heard about it. Here are the things we’re going to implement for you, and when you experience a change, because this thing is going to change, you should go through these three steps, these four steps, these five steps…

MS

It is identifying people, process, and technology and the interdependencies that exist. That’s really in one sentence is what I’ll put it as. Who is doing what, why they’re doing it, what processes they’re using to control it, and what technologies they are implementing, and who are the affected stakeholders, which goes back to the people.
Once you have that identification, you can now take it step-by-step. Each time you execute something different, you can ask all those series of questions. Who are the people using it? Who are the people benefiting from it? Who are the people that are running it and managing it? And how all those intersect and what are the interdependencies that basically make sure that they’re impacted by it, negatively or positively.

BH

Give us an “in the trenches” example of what happens when people don’t take the time to conduct a change management assessment? Such as I just got to this site. I can’t tell you what’s wrong with the security or what we should change. I have to fully assess what are people doing, how are they doing it, when are they here, who’s here, all that stuff. So you’re telling people you got to do that for your plan too. So what’s an example of how that can go wrong and then how it can go right with change management?

MS

An example could be if you haven’t done proper change management, and let’s say you started on a technical deployment project. And you haven’t identified that your information security group requires a 10-step process to evaluate technology before you even select it. And that process can take an average of three months all the way up to six to seven months. And we have run into this. If you haven’t identified that interdependency, you have now introduced technology. And you’re anticipating it to get deployed in a certain period of time. But now there’s a six month delay to it.

Also within there are further additional interdependencies. You have to get the vendor engaged to answer questions. You have to get the people engaged in how it’s going to work, how the data is going to be transferred, where it’s going to be stored. Sometimes you don’t know those answers, so now you’re reacting in that environment. Sometimes that six months can become nine months, eight months, ten months. That is an example of where things can go wrong.

Another example would be that you are implementing a new process.

But that process impacts office managers in foreign locations, international, like you’re a multinational company. But they don’t have the same risks or they don’t understand the same risks that happen in the corporate headquarters in the United States.

If you haven’t effectively communicated the actual new process through an effective change management process, you are going to meet with resistance, or confusion, or unavailability, and it’s going to impact the overall progression of the task that you told your leadership, hey, I’m going to go and execute this, and it’s going to be done in this time. Now, suddenly, there are people coming to the same leadership saying, I don’t understand this. Why am I being told to do this? This is another example that we have come across.

Those are some of the negative consequences. It actually costs you money. It’s always taken in the lens of, well, okay, I have to do all these steps because it actually is operationally more inefficient and financially more expensive to not have change management in place because now you’re actually going back and trying to reactively fix all those things that didn’t get addressed in the beginning.

BH

In a 2023 report about change management, and they talked about the reasons that 37% of employees resist organizational change management efforts. The top reasons, so I want to talk about two, three, and four, which kind of, you already hinted at, lack of awareness about why change is happening.

So you gave that example of Why are you changing this? Our building isn’t like this. Our site isn’t like this. Fear of the unknown – haven’t done this before. Don’t know what I’m supposed to be doing. Insufficient information – you can explain this to me. I’m not sure. But the number one in that survey was a bummer – 41% had a lack of trust in the organization. Is there anything security can do about the fact that there’s a lack of trust in the overall organization?

MS

Lack of trust because of all the following factors. Because… If you are not telling them why, if you don’t have them engaged in the process, you didn’t ask them what their input is or what their day-to-day lives look like in their work environment. Then they believe that they’re not part of the process. They’re not interested in the process. So they inherently don’t think that you have their trust or their interests in mind. That is a big issue.
It’s not just limited to security. Other organizations within a company also can suffer from this because you just have very large ecosystems and everybody’s trying to do the right thing, but these are large ecosystems. When you don’t have that framework in mind, which a lot of organizations don’t because they’re reacting, they’re doing the day-to-day lives, it can build up because, hey, they don’t listen to me or they don’t include me in any of this process. So what they’re telling me, I don’t really trust because I don’t understand it, and those are all the reasons that feed up to that lack of trust in the organization.
How do you get around that is through a proper governance framework, where I’m not saying you’re engaging them on a weekly, daily basis all the time, but changing the mindset of security to your stakeholders to basically be able to explain the simple “whys”.
And if you are going to embark upon a major initiative or even a semi-major initiative that impacts, change management has to identify the impacted stakeholders. That’s one of the very important principles of it, because if all you’re doing is replacing a back-end technology, you don’t need to go tell the office managers if it doesn’t impact, but if it impacts them, you want to engage with them. You don’t want to assume that they will just come along because it’s an access control system that they don’t own, because they’re affected by it.
So if they’re impacted, you want to take their input in. You want to explain to them “the why”. You want to explain to them how it would work. Even if it’s awareness, they may say, “It doesn’t matter, you go do whatever you need, and when it’s time for training, I’ll get involved.” That then starts to build a level of trust: these guys are including me, they are incorporating me into some aspect of awareness or decision-making process. So therefore, I have a stake, and I have a say in this, and that builds trust. From there, I know why the change is happening. I have enough information. I do not have the fear for it, so they all flow together.

BH

If I’m a highly successful security professional, I get along with people. The bosses like me, my peers like me, but then I hear this, I do think I’ve had problems. I want to learn about this. What’s the first thing I should do?

MS

It’s mostly around awareness. How do I communicate? That’s the first thing that comes to people’s minds. How do I communicate what the gaps are or what I’m looking to do? Or what are the concerns from other people? I think communication and awareness is going to be the first thing. How do I communicate my desire or my goal or my plan to others? So that’s probably what they will look at first.

BH

So that sounds much more attainable. Does this mean I’m going to have some giant multi-tab binder with a lot of worksheets and checklists and I’m going to have to work through this every time I want to change something?

MS

You know, it’s surprising because change management sounds very structured. There’s a framework to it and all the principles. But at the end of the day, it’s really a little bit of organized planning and a lot of communication and awareness and that’s really the two main principles that sit behind it. Binders are never going to help anyway. They never have, they never will.

BH

OK, so not 1,000-page binders of change management procedures, but just changing your mindset over time to always think about the people, the processes, and the technology in any change, and then the interdependencies that exist between them.
You need to plan first, communicate effectively to all those people about how the change will affect them, then monitor how things unfold over time. You’ll need to gather data and use it.

Resources

Listen to the interview here [13:45 minutes]:

https://soundcloud.com/security-management/how-to-proactively-manage-change-in-security-technology-implementations

Read more from Mohammed Shehzad about managing that process here: https://www.asisonline.org/security-management-magazine/articles/2025/09/change-management/resistance-into-readiness/

Explore the 2023 study about Change Management and the reasons people resist change here:  https://www.oak.com/media/c5llwb4v/oak-change-report-digital.pdf

About Atriade

Atriade is a trusted security consulting firm with decades of experience delivering tailored security solutions. We specialize in security system design for access control, perimeter protection, video surveillance, visitor management, and other advanced physical security technologies.

Our expertise also extends beyond system design to include security master planning, program development, risk assessments, professional services, and end-to-end project management.

For more than 20 years, we have partnered with Fortune 50 companies, Ivy League universities, and leading technology firms in Silicon Valley to help them navigate complex security challenges with a strategic, forward-thinking approach.

Visit us online at Atriade.com

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter Take A Risk

Frequently Asked Questions

The core components are people, processes, technology, and their interdependencies—identifying who is doing what, what processes control the work, what technologies are being implemented, and how these elements intersect. A change management plan empowers teams by proactively identifying affected individuals and tailoring training and communication to their specific roles.

Related reading: 8 Red Flags of Security Project Management

Leaders reduce resistance by explaining the “why” behind changes, engaging stakeholders in the process, and asking for their input so people feel they have a stake in the outcome. According to research, 41% of employees resist organizational change due to lack of trust in the organization, which stems from not being included in decisions that affect them.

Related reading: Understanding the Critical Role of Professional Services and Their Providers (see section on “Effective Stakeholder Engagement”)

Designing and Building an Effective SOC That Meets Your Unique Needs

Published: Mon, 01 Nov 2021 11:22:40 +0000
https://atriade.com/designing-and-building-an-effective-soc-that-meets-your-unique-needs/

All SOCs are not created the same.

There is no specific blueprint for an effective Security Operation Center (SOC); one size does not fit all. When you do the appropriate homework before you begin the design process—looking at your organization’s specific needs, holistically—you will be able to produce a space that works best to meet them.

Whether you are designing a sophisticated space for a large team, or a small space for just a couple of people, that appropriate homework is going to be the same. What is it? Let’s take a look.

Focus on Culture

The unique culture of your organization must have a significant influence on the design of your SOC. Most importantly, how do different roles and functions communicate with each other? Whether your style is collaborative, linear, hierarchical, or a hybrid, it will go a long way in determining the right design for your SOC.

For instance, SOCs for organizations that value collaboration should be designed to ensure maximum visibility among operators, analysts, supervisors, and managers. Their ability to have consistent engagement will be key.

Consider Non-Traditional Layouts

The design of your SOC is as open as your imagination, and again, it all starts with how your organization communicates. A non-traditional layout may end up producing the best environment for your needs.

  • For collaborative organizations, hub and spoke models, huddle spaces and conference spaces are good options. These allow the space to facilitate visual and verbal communication as well as account for interactive technologies—maximizing collaboration.
  • For organizations that follow a chain of command, function-based focus areas are a perfect option, so information can be effectively gathered and moved up for quick decision-making. Designs that emphasize content sharing and movement are also ideal.

Determine Location

  • Infrastructure resiliency and redundancy are the highest possible—and a risk profile is created if optimal resiliency can’t be realized
  • Location can effectively engage with management and leadership during critical incident command

Additionally, multinational organizations should consider regional centers that provide language support. These SOCs need to have access to resources who are fluent in local languages to be able to communicate with local authorities.

Incorporate Virtual Access

As businesses transition to distributed and regional workforce models, it is essential to have virtual access to SOCs. During the design process, it is important to:

  • Identify specific business needs that will be more conducive to a virtual operation
  • Develop a risk profile for virtual locations that includes factors such as privacy, compliance, hardening, and resiliency
  • Plan for infrastructure, network, and bandwidth use
  • Develop operational and technical contingencies to ensure business continuity
  • For multinational organizations, it will also be valuable to create a follow-the-sun model

Make the Video Wall Decision

Many people believe a video wall must be a standard feature of any SOC, but today, its function in modern SOCs needs to be reimagined. The wall shouldn’t necessarily be designed as the prime source of all data; it should instead display essential intelligence content and alarm data for incident management and response. Consider:

  • Focusing on providing incident management and response capability at work surfaces
  • Designing work surfaces to be interoperable and interchangeable to allow maximum flexibility in the space
  • Providing the ability to push media and content to the wall

Never Forget Health and Wellness

No matter how many bells and whistles you incorporate into your SOC—investing in an expensive, technologically advanced facility—if you ignore the critical element of employee health and wellness, you can render it ineffective. Health and wellness are perhaps the most important elements of the space.

Believe it or not, the biggest complaint we hear from SOC employees is that their chairs are uncomfortable. Most of them work full or extended shifts, so you must make design choices with their comfort in mind. This includes:

  • Planning for ergonomic desks and chairs, considering desks and spaces that make visual communication easier
  • Using easier-to-clean surfaces like rubber composite or tile that won’t absorb dust and dirt and create allergens in the space (carpets, for example)
  • Allowing for ventilation and variable temperature controls for varying changes in seasonal temperatures and day to night shifts
  • Planning for proper lighting, which can include dimmable and non-glare fixtures and other features that create the proper level of eye comfort for the staff
  • Working with lighting and workspace consultants to create the right balance of function and wellness in your space

The Takeaway

No matter what size SOC you are designing—and whether you are updating an older facility or building from scratch—start by considering what you are trying to accomplish operationally: consider non-traditional layouts, determine location, incorporate virtual access, make the right video wall decision, and prioritize health and wellness. If you can, it’s ideal to build a small team that can leverage expertise from different disciplines: security, workspace design, audiovisual, and infrastructure. That combined expertise can help you build the right space that rightfully meets all your operational needs for a Security Operations Center.

About Atriade

Atriade has worked on over 500+ projects, in 60+ industries, in 30+ countries. If you are ready to get expert assistance in creating your governance plan that will set you apart from your competitors, we are here to help. Our management team carries a lifetime of experience in all areas of Physical Security and Electronic Security that we are ready to put to work for your unique business and team.

How To PoC (Proof of Concept)

Published: Thu, 03 Jun 2021 07:58:07 +0000
https://atriade.com/how-to-proof-of-concept/

A Proof of Concept (POC) is a critical tool in successfully deploying new technologies and implementing policies. A properly executed POC will allow you to not only evaluate the viability of a technology, but also how to properly deploy it and what policies to build around it for long term use.

 
  1. Identify the parameters of the operational business case for which the POC is being conducted. The POC should always be measured against these parameters.
  2. Establish what data is needed to create the right business case. It is important to capture technical as well as operational data to measure the technology’s effectiveness as well as user experience.
  3. Set up the POC in your environment, mimicking the production setup in a test bed. The same technology will behave differently in different configurations. Therefore, it is critical to create the right environment and then measure results against it.
  4. Observe everything and not just the core technology. Focus on all aspects that the POC impacts: infrastructure, administration, staffing, architecture, aesthetics, branding, maintenance and support.
  5. Document the POC from beginning to end, from defined business case criteria to data points to lessons learned. Leverage that documentation into business cases, lessons learned, bases of design and SOW RFIs.
  6. Plan for immediate, midterm and long-term deployment, including soft costs such as staffing, SLAs, administrative time, supplies.
  7. And lastly, circle back to the original parameters and establish a risk tolerance and acceptance model for a fully informed business case to leadership.

POC Execution Checklist

  • Identify the parameters of the operational business case
  • Establish what data is needed to create the right business case
  • Set up the POC in your environment, mimicking the production setup in a test bed
  • Observe everything and not just the core technology
  • Document the POC from defined business case criteria to data points
  • Plan for immediate, midterm and long-term deployment
  • Circle back to the original parameters and establish a risk tolerance
