Security Operations – Atriade

How to Build Physical Security Programs That Scale Successfully

admin_atriade — Thu, 26 Feb 2026 17:45:04 +0000

How to Build Physical Security Programs That Scale Successfully

The security industry is at a crossroads. Cloud platforms are replacing legacy systems, AI is reshaping situational awareness, and the line between physical and cybersecurity continues to blur.

In a recent Security Systems News interview, Saif Nomani, Atriade’s Director of Design and Technology, sat down with Cory Harris to share a ground-level view of these shifts. Drawing on two decades of project experience across K-12 schools, universities, hospitals, and Fortune 500 companies, Nomani reveals what it really takes to build security programs that work in the real world.

The following is an exclusive Q&A with Saif Nomani and Security Systems News

SSN: What kinds of systems do you design/specify and what services does the company provide?

Nomani: We design and specify physical security and safety systems, including electronic access control, video surveillance/VMS, intrusion detection, identity and credential management, intercoms and communications, and mass notification/emergency communications.

We also routinely account for the supporting layers that make those systems effective in practice, like alarm monitoring workflows, system integrations, and enterprise architecture considerations so the technology aligns with operations instead of fighting them.

On the program development side, we help clients evaluate their current state and build a security program that’s operational – not just theoretical – often producing a security master plan/road-map aligned to business and operational goals.

Our professional services focus on execution and sustainment, operational work-flow development, program administration, and customized configuration of software applications to fit the client’s environment.

Finally, we deliver end-to-end project management, providing technical and operational oversight from inception through closeout, with structured quality control along the way.

SSN: What vertical markets does the company specialize in? Any interesting projects that you can mention?

Nomani: We specialize in K-12 schools, higher education, corporate and Fortune 500 companies, pharmaceuticals, utilities, and hospitals. What’s consistent across those markets is our approach: we focus on delivering customized security solutions by first understanding the client’s business and operational needs, then designing the program and technology around that reality.

Case Studies

Some interesting projects we have recently been engaged with include:

Global Financial Institution (Americas)

Running an end-of-life/end-of-support access control and video management platforms that couldn’t meet enterprise needs across 30+ offices. Key gaps included an aging platform, limited integrations, and inconsistent identity/credentialing workflows.

Atriade’s Role

We conducted a detailed assessment of the access control and video environment through stakeholder workshops, application reviews, and on-site surveys. We documented the current state topology, technical and network requirements, cloud vs. on-prem considerations, mobile and frictionless credentialing needs, and integration requirements with employee records.

We then managed a structured technical RFI to validate solutions in writing, supported selection of a cloud-based platform, and developed an enterprise design framework to guide future deployments. We also provided system programming/configuration, Level 1 technical support, project management, and lifecycle management.

Higher Education Institution In The Northeast

The institution had multiple separate access control systems spread across two campuses – different vendors, different ages, and no central management for credentialing, access management, or alarm management. They needed a path to consolidate everything into a single enterprise platform without disrupting day-to-day operations.

Atriade’s Role

We led the effort by conducting a detailed requirements workshop to establish desired outcomes for credentialing and access management. We then produced the technical design and program management documentation needed to execute a full consolidation and designed and managed the data integration between the new access control platform and their existing identity management infrastructure.

Large School District In Northeast

The district had over 10,000 analog and IP cameras on disparate end-of-life systems over aging infrastructure with no central management or monitoring.

Atriade’s Role

The scale of this assessment encompassed over 200 schools and additional administrative buildings. The Atriade team has been onsite in every school conducting extensive assessments of the school’s cameras, network infrastructure, conduits, cabling routes and installation details. Our scope has included inventorying every device, mapping out pathways, identifying locations, and creating coverages.

To ensure an effective and efficient delivery, we developed a three-year roadmap to replace all existing analog cameras and add over 5,000 new cameras on a single enterprise video management system with centralized administration and monitoring, with best practices on camera coverages, system operation and management.

SSN: How did you get started in security and designing/specifying?

Nomani: Honestly, it started with a bit of good timing and an unexpected opportunity. Shortly after graduating from college, I met my current manager through a mutual friend at a social event. About a month later, he brought me on as a security design consultant at a low-voltage design consulting firm focused on corporate relocations – and that role became my entry point into designing and specifying security systems.

SSN: Can you talk about what new or emerging technologies you are seeing or specifying today?

Nomani: We’re seeing increased interest in a few technology areas that are reshaping how organizations approach security programs and system architecture. On the technology side, that includes touchless and mobile credentialing, cloud-based and hybrid deployments, and more demand for integrated platforms that unify access control, video, identity, and incident work-flows.

We’re also seeing growing adoption of AI and machine learning capabilities – primarily to improve situational awareness and operational efficiency – as well as emerging use cases for drones in perimeter awareness, large-area monitoring, and rapid assessment.

SSN: What is your view on the industry moving forward?

Nomani: Looking forward, I think the industry will continue to shift toward data-driven security operations – with more organizations consolidating inputs from access control, video, identity, and other systems into centralized data environments (often “data lakes”) to improve analytics, reporting, and decision-making. At the same time, the distributed work-force is changing the perimeter – security programs have to support remote and hybrid users without sacrificing control or user experience.

I also expect continued acceleration in cybersecurity and physical security convergence, especially as more security platforms move to cloud or hybrid architectures and as identity becomes the common thread across both domains.

Meet Saif Nomani

Saif Nomani is Director of Design and Technology at Atriade. He has expertise in physical security system design, project management, construction administration and commissioning services. Saif also oversees all of Atriade’s design projects and deliverables. His experience includes corporate relocation, higher education and pharmaceuticals. He also has technical expertise in access control, video management, biometric and other electronic security systems. Saif creates benchmarking and risk analysis metrics based on historical client data and current state. He holds a Bachelors in Computer Engineering from Rutgers University. Passionate for wildlife conservation, he also holds a Masters in Wildlife Ecology.

______________________________________________________________________________________________________________________________________________________________

This article was originally published in the January 2026 edition of Specifically Speaking, a Security Systems News monthly column, featuring Q-and-A with a security consultant provided to SSN by Security Specifiers.

About Atriade

Atriade is a trusted security consulting firm with decades of experience delivering tailored security solutions. We specialize in security system design for access control, perimeter protection, video surveillance, visitor management, and other advanced physical security technologies.

Our expertise also extends beyond system design to include security master planning, program development, risk assessments, professional services, and end-to-end project management.

For more than 20 years, we have partnered with Fortune 50 companies, Ivy League universities, and leading technology firms in Silicon Valley to help them navigate complex security challenges with a strategic, forward-thinking approach.

Visit us online at Atriade.com

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter Take A Risk

Frequently Asked Questions

What makes a physical security program scalable instead of just functional?

A scalable program is built around operations, integrations, and long-term architecture rather than individual devices. It allows new sites, users, and capabilities to be added without redesigning the system each time.

Why do legacy access control and video systems limit growth?

Legacy systems often lack integration, centralized management, and consistent credentialing. This creates fragmented operations that are difficult to maintain or expand across multiple locations.

How do operational workflows affect physical security effectiveness?

Workflows such as alarm monitoring, credentialing, and incident response determine how usable a system is day to day. When workflows are designed alongside the technology, security programs are easier to operate and sustain.

How do cloud and hybrid platforms support modern security programs?

Cloud and hybrid platforms enable centralized management, better integrations, and support for distributed workforces while maintaining control and visibility across the organization.

Why is identity central to the future of physical security?

Identity connects access control, video, and other security systems, enabling centralized data, improved analytics, and more informed decision-making as physical and cyber security continue to converge.

The post How to Build Physical Security Programs That Scale Successfully appeared first on Atriade.

The Virtual SOC Isn’t Dead — It Just Grew Up

admin_atriade — Thu, 15 Jan 2026 13:55:48 +0000

The Virtual SOC Isn’t Dead — It Just Grew Up

Whatever happened to the Virtual Security Operations Center?

The concept popped up around 2019, promoting a fully digital alternative to traditional, on-site security operations centers (SOCs). VSOCs promised a future where physical security command centers existed entirely in the cloud. No physical command center. No video walls. No operators on shift. Just AI and automated workflows handling every event in real time.

It was a bold vision that made sense at the time. Digital transformation was accelerating, cloud-first strategies were taking off, and the rise of AI hinted at a new era of efficiency. But if VSOCs were the future, why isn’t everyone running one today?

The short answer: They are, just not in the way it was perhaps originally intended.

When the Virtual SOC Met Reality

The fully virtual SOC was built on the idea that human operators were no longer necessary. Sold as highly futuristic and fully autonomous, it was this vision by a few that would eventually power the many.

But promoting a lack of people ignores a simple truth about physical security response. It’s as much about context as it is about technology.

Even the most advanced analytics tools can’t interpret intent, nuance, or consequence the way a human can. Physical presence, whether in a room, a crisis, or the field, still matters for decision-making and accountability. And in the context of the risk-adverse security industry of the time, that was a truth the market wasn’t ready to ignore. The notion of replacing operators with an invisible platform felt too risky, which limited its adoption.

Technological limitations also played a role. Six years ago, the supporting ecosystem wasn’t mature enough. Data was siloed across proprietary platforms. Automation lacked real interoperability. And AI analytics were still largely reactive.

Ultimately, the grand vision of the fully virtual SOC never took off. But the principles behind it found new life in different forms.

Adaptation Over Abandonment

Scalability, efficiency, and flexibility drove the rise of the VSOC and it’s those same principles that exist in the evolved operational SOC models we see today. These models include:

Decentralized Operations – Monitoring teams, analysts, and incident responders are a part of the organization, but no longer co-located.
SOC-as-a-Service – Wherein SOC operations are outsourced to third-party providers.
Fractional Solutions – A sort of hybrid of SOCaaS and on-site or decentralized SOCs, wherein organizations contract specialized SOC capabilities on demand. Outsourced solutions could be fractional based on hours, location, or specific function, including:

1- Alerting – Outsourced alert monitoring helps ensure potential incidents are identified in real time, eliminating the need for an in-house team to monitor dashboards.
2- Response – Targeted response capabilities can be contracted for specific locations, shifts, or high-risk scenarios.
3- Analysis – Specialized experts or AI can handle data analysis, pattern detection, and threat intelligence.

Versions of VSOCs In Practice

SOC virtualization isn’t all-or-nothing. The reality is that every organization needing a SOC will likely need some combination of the models outlined above and/or an on-prem SOC. The combination will depend on the organization’s needs and risk appetite.

For example, a global corporation might decentralize monitoring functions, outsource regional coverage in low-risk areas, and then leverage AI-powered translation tools for cross-border collaboration. Conversely, a critical infrastructure organization may keep its SOC on-site to maintain local control.

Every model is valid, but every model should still include the human element. Because the SOCs of today and tomorrow can’t be human-free, only human-optimized. Technology is not yet at the stage where it can be used to make judgment calls related to personal safety.

In Conclusion

So while the “Minority Report” style interfaces of early VSOC marketing may have never materialized, they did inspire a new way of thinking about how SOCs operate. Instead of “How do we avoid complexity?”, the question became, “How do we manage that complexity well?”

Today’s VSOCs are already complex in their design, deployment, and operation. Working with experienced industry resources can eliminate some of that complexity, helping organizations determine where and how to focus their efforts.

For example, consultants bridge the gap between ambitious VSOC concepts and real-world implementation. They have first-hand knowledge of where technology adds value and where people add impact. This experience allows them to create effective SOC strategies that are both applicable today and scalable for tomorrow.

Integrators then help organizations deploy those strategies. Their role is to bring SOC solutions to life, ensuring that technologies and systems work as intended. From creating fully on-site SOCs to integrating fractional SOC solutions into existing workflows, their technical expertise ensures interoperability across platforms.

Finally, vendors and technology providers serve as the foundation that makes it all possible. By advancing interoperability standards, cloud infrastructure, and open APIs, and automation frameworks, they are redefining what a ‘virtual’ SOC really looks like.

And maybe tomorrow we will reach a point where AI has the contextual awareness equivalent to a human. And where automation can make life-altering decisions with reliability and nuance. But until then, long live the VSOCs of today.

About Atriade

Our expertise also extends beyond system design to include security master planning, program development, risk assessments, professional services, and end-to-end project management.

Frequently Asked Questions

What does a modern virtual SOC actually look like today?

Today’s VSOCs aren’t fully autonomous digital command centers. Instead, organizations use a blend of decentralized teams, SOC-as-a-Service providers, and fractional solutions for alerting, response, or analysis. These models reduce the need for a single on-premise SOC without removing the human element. The result is a more adaptable, scalable approach that reflects real operational requirements rather than a futuristic ideal.

Why is the human element still essential in a virtual SOC?

Even with advanced analytics and automation, technology still struggles with context, nuance, and decision making involving personal safety. Humans bring situational interpretation and accountability that AI cannot yet match. Current VSOC models aim to be human-optimized rather than human-free, pairing automation with the judgment required in real-world incidents.

Who plays the key roles in bringing a VSOC strategy to life?

Consultants help organizations translate concepts into practical strategies by understanding where technology provides value and where people make the biggest impact. Integrators then build and deploy those solutions, ensuring systems work together as intended. Vendors supply the technologies and standards that make modern SOC models possible, from cloud infrastructure to open APIs. Together, they shape the evolution of the VSOC.

How do organizations decide whether to use decentralized, outsourced, or on-site SOC models?

It depends on their risk posture, operational complexity, and geographic footprint. A global company may decentralize its monitoring while outsourcing lower-risk regional coverage. A critical infrastructure operator might keep everything on-site to maintain tighter control. Most organizations end up with a hybrid model tailored to their needs, because SOC virtualization is never all or nothing.

The post The Virtual SOC Isn’t Dead — It Just Grew Up appeared first on Atriade.

Turning Resistance into Readiness with Change Management

admin_atriade — Mon, 17 Nov 2025 13:29:24 +0000

Turning Resistance into Readiness with Change Management

Mohammed Atif Shehzad (MS) recently sat down with Brendan Howard (BH), host of Security Management Highlights Podcast from ASIS International, to discuss why resistance to change remains one of the biggest threats to effective security programs and what leaders can do about it.

The real challenge isn’t technology. It’s the human response to change. When teams don’t understand the “why” behind new systems or aren’t included in the process, resistance becomes inevitable.

In their conversation, they explored:

Why security programs deteriorate without a proper change management framework
The core components: people, processes, technology, and their interdependencies
How to shift from reactive firefighting to proactive change leadership
Real examples of what goes wrong and how to avoid those pitfalls

Key Takeaways:

Effective change management isn’t about thick binders or rigid procedures. It’s about developing a mindset that considers stakeholder impact, communicates the “why,” and builds trust through engagement.

Exploring a technology or process transformation? Learn how to guide change with clarity and confidence in Mohammed Shehzad’s article in Security Management.

Listen to the full conversation (14 min) on Security Management Highlights or click below.

Transcript of Interview

This transcript has been lightly edited for clarity and length.

Welcome to the latest episode of the Security Management Highlights Podcast from ASIS International. Every month we focus on the trends and topics the world needs to know about your world, keeping information and people safe. I’m your host, Brendan Howard, and in today’s episode we talked to Mohamed Shehzad about one of his favorite topics as a security consultant – change management.
Let’s dig into how you don’t have to just react to change at work. You can proactively manage it and develop procedures and a mindset that helps manage it well. Mohammed Shehzad, Managing Director at Atriade, says long-term planning and strategy gets him excited. You get to study, you set up the parameters, and then you start, but you know what happens next?

People change, turnover happens, acquisitions, mergers, companies, business practices change, they buy new locations, they sell old locations. Technology changes. Cameras and access control and credentialing technologies change. Network and infrastructure going on-prem to SaaS. So if you’re thinking long-term strategic planning, and yes, most security master plans are going to be three to five years, But when we’re thinking through them, we’re thinking the life cycle of the plans are far longer. It refreshes, but the program life cycle is 10, 20 years.

So what do we anticipate happening? And we don’t know what changes will happen, but we know that there will be things that will be dynamic, and people will have to react to them, people will have to shift to them.

Are the problems of change management primarily, or the big ones happen at the beginning, where something needs to change and people are resistant to it, or is the problem that changes come along and derail the plan, or both? Does one get the most emphasis?

It’s both and it’s cyclical. People are reluctant to change because they’re comfortable, it’s working, it may not be perfect but it’s working, or they’ve tried it, and they’ve met resistance or they have met roadblocks. So that’s the first resistance.

The second resistance is they don’t understand it. How would it benefit them? Or why would it benefit the security program at large or initiative at large? So that’s the typical initial resistance or reluctance.

Once you get through to that, now you have deployed this, executed the program, you’re managing it, and now there’s actually things that are changing with it. So if you put very rigid controls, if you didn’t have a good change management process that was fluid and flexible and dynamic, you’re not going to know how to address those changes. So typically when that starts to happen, if you don’t have good principles in place, now things are going to start happening ad hoc. People are going to start improvising, your program now starts to fray at the edges, and ten years later, you are back at square one where things are not working and everybody’s resistant to the new program.

So when we say 10 to 20 years, obviously we’re not developing a 20-year program. What we’re trying to do is put a framework of best practices in place for end users who are now able to follow that framework to say, okay, as technology is changing or whatever environment is changing within my organization, I know who the roles and responsibilities are. I know what the process is to get in front of it to become proactive about it. And that’s the 10-year longevity that we look at and talk about – how to give them the tools to basically keep refreshing their security program and keep staying ahead of it as opposed to reacting to it.

What are the basic components of a change management mindset? So you come in and they haven’t done it before, they haven’t heard about it. Here are the things we’re going to implement for you, and when you experience a change, because this thing is going to change, you should go through these three steps, these four steps, these five steps…

It is identifying people, process, and technology and the interdependencies that exist. That’s really in one sentence is what I’ll put it as. Who is doing what, why they’re doing it, what processes they’re using to control it, and what technologies they are implementing, and who are the affected stakeholders, which goes back to the people.
Once you have that identification, you can now take it step-by-step. Each time you execute something different, you can ask all those series of questions. Who are the people using it? Who are the people benefiting from it? Who are the people that are running it and managing it? And how all those intersect and what are the interdependencies that basically make sure that they’re impacted by it, negatively or positively.

Give us an “in the trenches” example of what happens when people don’t take the time to conduct a change management assessment? Such as I just got to this site. I can’t tell you what’s wrong with the security or what we should change. I have to fully assess what are people doing, how are they doing it, when are they here, who’s here, all that stuff. So you’re telling people you got to do that for your plan too. So what’s an example of how that can go wrong and then how it can go right with change management?

An example could be if you haven’t done proper change management, and let’s say you started on a technical deployment project. And you haven’t identified that your information security group requires a 10-step process to evaluate technology before you even select it. And that process can take an average of three months all the way up to six to seven months. And we have run into this. If you haven’t identified that interdependency, you have now introduced technology. And you’re anticipating it to get deployed in a certain period of time. But now there’s a six month delay to it.

Also within there are further additional interdependencies. You have to get the vendor engaged to answer questions. You have to get the people engaged in how it’s going to work, how the data is going to be transferred, where it’s going to be stored. Sometimes you don’t know those answers, so now you’re reacting in that environment. Sometimes that six months can become nine months, eight months, ten months. That is an example of where things can go wrong.

Another example would be that you are implementing a new process.

But that process impacts office managers in foreign locations, international, like you’re a multinational company. But they don’t have the same risks or they don’t understand the same risks that happen in the corporate headquarters in the United States.

If you haven’t effectively communicated the actual new process through an effective change management process, you are going to meet with resistance, or confusion, or unavailability, and it’s going to impact the overall progression of the task that you told your leadership, hey, I’m going to go and execute this, and it’s going to be done in this time. Now, suddenly, there are people coming to the same leadership saying, I don’t understand this. Why am I being told to do this? This is another example that we have come across.

Those are some of the negative consequences. It actually costs you money. It’s always taken in the lens of, well, okay, I have to do all these steps because it actually is operationally more inefficient and financially more expensive to not have change management in place because now you’re actually going back and trying to reactively fix all those things that didn’t get addressed in the beginning.

In a 2023 report about change management, and they talked about the reasons that 37% of employees resist organizational change management efforts. The top reasons, so I want to talk about two, three, and four, which kind of, you already hinted at, lack of awareness about why change is happening.

So you gave that example of Why are you changing this? Our building isn’t like this. Our site isn’t like this. Fear of the unknown – haven’t done this before. Don’t know what I’m supposed to be doing. Insufficient information – you can explain this to me. I’m not sure. But the number one in that survey was a bummer – 41% had a lack of trust in the organization. Is there anything security can do about the fact that there’s a lack of trust in the overall organization?

Lack of trust because of all the following factors. Because… If you are not telling them why, if you don’t have them engaged in the process, you didn’t ask them what their input is or what their day-to-day lives look like in their work environment. Then they believe that they’re not part of the process. They’re not interested in the process. So they inherently don’t think that you have their trust or their interests in mind. That is a big issue.
It’s not just limited to security. Other organizations within a company also can suffer from this because you just have very large ecosystems and everybody’s trying to do the right thing, but these are large ecosystems. When you don’t have that framework in mind, which a lot of organizations don’t because they’re reacting, they’re doing the day-to-day lives, it can build up because, hey, they don’t listen to me or they don’t include me in any of this process. So what they’re telling me, I don’t really trust because I don’t understand it, and those are all the reasons that feed up to that lack of trust in the organization.
How do you get around that is through a proper governance framework, where I’m not saying you’re engaging them on a weekly, daily basis all the time, but changing the mindset of security to your stakeholders to basically be able to explain the simple “whys”.
And if you are going to embark upon a major initiative or even a semi-major initiative that impacts, change management has to identify the impacted stakeholders. That’s one of the very important principles of it, because if all you’re doing is replacing a back-end technology, you don’t need to go tell the office managers if it doesn’t impact, but if it impacts them, you want to engage with them. You don’t want to assume that they will just come along because it’s an access control system that they don’t own, because they’re affected by it.
So if they’re impacted, you want to take their input in. You want to explain to them “the why”. You want to explain to them how it would work. Even if it’s awareness, they may say, “It doesn’t matter, you go do whatever you need, and when it’s time for training, I’ll get involved.” then starts to build a level of trust, these guys are including me, they are incorporating me into some aspect of awareness or decision-making process. So therefore, I have a stake, and I have a say in this, and that builds trust. From there, I know why the change is happening. I have enough information. I do not have the fear for it, so they all flow together.

If I’m a highly successful security professional, I get along with people. The bosses like me, my peers like me, but then I hear this, I do think I’ve had problems. I want to learn about this. What’s the first thing I should do?

It’s mostly around awareness. How do I communicate? That’s the first thing that comes to people’s minds. How do I communicate what the gaps are or what I’m looking to do? Or what are the concerns from other people? I think communication and awareness is going to be the first thing. How do I communicate my desire or my goal or my plan to others? So that’s probably what they will look at first.

So that sounds much more attainable. Does this mean I’m going to have some giant multi-tab binder with a lot of worksheets and checklists and I’m going to have to work through this every time I want to change something?

You know, it’s surprising because change management sounds very structured. There’s a framework to it and all the principles. But at the end of the day, it’s really a little bit of organized planning and a lot of communication and awareness and that’s really the two main principles that sit behind it. Binders are never going to help anyway. They never have, they never will.

OK, so not 1,000-page binders of change management procedures, but just changing your mindset over time to always think about the people, the processes, and the technology in any change, and then the interdependencies that exist between them.
You need to plan first, communicate effectively to all those people about how the change will affect them, then monitor how things unfold over time. You’ll need to gather data and use it.

Resources

Listen to the interview here [13:45 minutes]:

https://soundcloud.com/security-management/how-to-proactively-manage-change-in-security-technology-implementations

Read more from Mohammed Shehzad about managing that process here: https://www.asisonline.org/security-management-magazine/articles/2025/09/change-management/resistance-into-readiness/

Explore the 2023 study about Change Management and the reasons people resist change here: https://www.oak.com/media/c5llwb4v/oak-change-report-digital.pdf

Image Source: Security Management Podcast

About Atriade

Our expertise also extends beyond system design to include security master planning, program development, risk assessments, professional services, and end-to-end project management.

Visit us online at Atriade.com

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter Take A Risk

Frequently Asked Questions

What are the main reasons security technology implementations fail?

Security programs often fail because people, technology, and business environments constantly change without proper change management in place. Without a flexible framework to manage these changes, programs deteriorate over time and organizations end up reacting rather than proactively managing change.

What are the core components of change management for security?

The core components are people, processes, technology, and their interdependencies—identifying who is doing what, what processes control the work, what technologies are being implemented, and how these elements intersect. A change management plan empowers teams by proactively identifying affected individuals and tailoring training and communication to their specific roles.

Related reading: 8 Red Flags of Security Project Management

How can security leaders reduce resistance to change?

Leaders reduce resistance by explaining the “why” behind changes, engaging stakeholders in the process, and asking for their input so people feel they have a stake in the outcome. According to research, 41% of employees resist organizational change due to lack of trust in the organization, which stems from not being included in decisions that affect them.

Related reading: Understanding the Critical Role of Professional Services and Their Providers (see section on “Effective Stakeholder Engagement”)

The post Turning Resistance into Readiness with Change Management appeared first on Atriade.

Designing and Building an Effective SOC That Meets Your Unique Needs

admin_atriade — Mon, 01 Nov 2021 11:22:40 +0000

Designing and Building an Effective SOC That Meets Your Unique Needs

All SOCs are not created the same.

There is no specific blueprint for an effective Security Operation Center (SOC); one size does not fit all. When you do the appropriate homework before you begin the design process—looking at your organization’s specific needs, holistically—you will be able to produce a space that works best to meet them.

Whether you are designing a sophisticated space for a large team, or a small space for just a couple of people, that appropriate homework is going to be the same. What is it? Let’s take a look.

Focus on Culture

The unique culture of your organization must have a significant influence on the design of your SOC. Most importantly, how do different roles and functions communicate with each other? Whether your style is collaborative, linear, hierarchical, or a hybrid, it will go a long way in determining the right design for your SOC.

For instance, SOCs for organizations that value collaboration should be designed to ensure maximum visibility among operators, analysts, supervisors, and managers. Their ability to have consistent engagement will be key.

Consider Non-Traditional Layouts

The design of your SOC is as open as your imagination, and again, it all starts with how your organization communicates. A non-traditional layout may end up producing the best environment for your needs.

For collaborative organizations, hub and spoke models, huddle spaces and conference spaces are good options. These allow the space to facilitate visual and verbal communication as well as account for interactive technologies—maximizing collaboration.
For organizations that follow a chain of command, function-based focus areas are a perfect option, so information can be effectively gathered and moved up for quick decision-making. Designs that emphasize content sharing and movement are also ideal.

Determine Location

Infrastructure resiliency and redundancy are the highest possible—and a risk profile is created if optimal resiliency can’t be realized
Location can effectively engage with management and leadership during critical incident command

Additionally, multinational organizations should consider regional centers that provide language support. These SOCs need to have access to resources who are fluent in local languages to be able to communicate with local authorities.

Incorporate Virtual Access

As businesses transition to distributed and regional workforce models, it is essential to have virtual access to SOCs. During the design process, it is important to:

Identify specific business needs that will be more conducive to a virtual operation
Develop a risk profile for virtual locations that includes factors such as privacy, compliance, hardening, and resiliency
Plan for infrastructure, network, and bandwidth use
Develop operational and technical contingencies to ensure business continuity
For multinational organizations, it will also be valuable to create a follow-the-sun model

Make the Video Wall Decision

Many people believe a video wall must be a standard feature of any SOC, but today, its function in modern SOCs needs to be reimagined. The wall shouldn’t necessarily be designed as the prime source of all data; it should instead display essential intelligence content and alarm data for incident management and response. Consider:

Focusing on providing incident management and response capability at work surfaces
Designing work surfaces to be interoperable and interchangeable to allow maximum flexibility in the space
Providing the ability to push media and content to the wall

Never Forget Health and Wellness

No matter how many bells and whistles you incorporate into your SOC—investing in an expensive, technologically advanced facility—if you ignore the critical element of employee health and wellness, you can render it ineffective. Health and wellness are perhaps the most important elements of the space.

Believe it or not, the biggest complaint we hear from SOC employees is that their chairs are uncomfortable. Most of them work full or extended shifts, so you must make design choices with their comfort in mind. This includes:

Planning for ergonomic desks and chairs, considering desks and spaces that make visual communication easier
Using easier-to-clean surfaces like rubber composite or tile that won’t absorb dust and dirt and create allergens in the space (carpets, for example)
Allowing for ventilation and variable temperature controls for varying changes in seasonal temperatures and day to night shifts
Planning for proper lighting, which can include dimmable and non-glare fixtures and other features that create the proper level of eye comfort for the staff
Working with lighting and workspace consultants to create the right balance of function and wellness in your space

The Takeaway

No matter what size SOC you are designing—and whether you are updating an older facility or building from scratch—start by considering what you are trying to accomplish operationally: consider non-traditional layouts, determine location, incorporate virtual access, make the right video wall decision, and prioritize health and wellness. If you can, it’s ideal to build a small team that can leverage expertise from different disciplines: security, workspace design, audiovisual, and infrastructure. That combined expertise can help you build the right space that rightfully meets all your operational needs for a Security Operations Center.

About Atriade

Atriade Atriade has worked on over 500+ projects, in 60+ industries, in 30+ countries. If you are ready to get expert assistance in creating your governance plan that will set you apart from your competitors, we are here to help. Our management team carries a lifetime of experience in all areas of Physical Security and Electronic Security that we are ready to put to work for your unique business and team.

Visit us online at Atriade.com

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter: Take A Risk

The post Designing and Building an Effective SOC That Meets Your Unique Needs appeared first on Atriade.

How to PoC (Proof of Concept)

admin_atriade — Thu, 03 Jun 2021 07:58:07 +0000

How To PoC (Proof of Concept)

A Proof of Concept (POC) is a critical tool in successfully deploying new technologies and implementing policies. A properly executed POC will allow you to not only evaluate the viability of a technology, but also how to properly deploy it and what policies to build around it for long term use.

Identify the parameters of the operational business case for which the POC is being conducted. The POC should always be measured against these parameters.

Establish what data is needed to create the right business case. It is important to capture technical as well as operational data to measure the technology’s effectiveness as well as user experience.

Set up the POC in your environment mimicking the production setup in a test bed. Same technology will behave differently in different configurations. Therefore, it is critical to create the right environment and then measure results against it.

Observe everything and not just the core technology. Focus on all aspects that the POC impacts: infrastructure, administration, staffing, architecture, aesthetics, branding, maintenance and support.

Document the POC form beginning to end, from defined business case criteria to data points to lessons learned. Leverage that documentation into business cases, lessons learned, bases of design and SOW RFIs.

Plan for immediate, midterm and long-term deployment including soft costs such as staffing, SLAs, administrative time, supplies.

And lastly, circle back to the original parameters and establish a risk tolerance and acceptance model for a fully informed business case to leadership.

POC Execution Checklist

Identify the parameters of the operational business case
Establish what data is needed to create the right business case
Setup the POC in your environment mimicking the production setup in a test bed
Observe everything and not just the core technology

Document the POC from defined business case criteria to data points
Plan for immediate, midterm and long-term deployment
Circle back to the original parameters and establish a risk tolerance

About Atriade

Visit us online at Atriade.com

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter: Take A Risk

The post How to PoC (Proof of Concept) appeared first on Atriade.