Mohammed Atif Shehzad (MS) recently sat down with Brendan Howard (BH), host of Security Management Highlights Podcast from ASIS International, to discuss why resistance to change remains one of the biggest threats to effective security programs and what leaders can do about it.
The real challenge isn’t technology. It’s the human response to change. When teams don’t understand the “why” behind new systems or aren’t included in the process, resistance becomes inevitable.
In their conversation, they explored:
- Why security programs deteriorate without a proper change management framework
- The core components: people, processes, technology, and their interdependencies
- How to shift from reactive firefighting to proactive change leadership
- Real examples of what goes wrong and how to avoid those pitfalls
Key Takeaways:
Effective change management isn’t about thick binders or rigid procedures. It’s about developing a mindset that considers stakeholder impact, communicates the “why,” and builds trust through engagement.
Exploring a technology or process transformation? Learn how to guide change with clarity and confidence in Mohammed Shehzad’s article in Security Management.
🎧 Listen to the full conversation (14 min) on Security Management Highlights or click below.
This transcript has been lightly edited for clarity and length.
Welcome to the latest episode of the Security Management Highlights Podcast from ASIS International. Every month we focus on the trends and topics the world needs to know about your world, keeping information and people safe. I’m your host, Brendan Howard, and in today’s episode we talked to Mohamed Shehzad about one of his favorite topics as a security consultant – change management.
Let’s dig into how you don’t have to just react to change at work. You can proactively manage it and develop procedures and a mindset that helps manage it well. Mohammed Shehzad, Managing Director at Atriade, says long-term planning and strategy gets him excited. You get to study, you set up the parameters, and then you start, but you know what happens next?
People change, turnover happens, acquisitions, mergers, companies, business practices change, they buy new locations, they sell old locations. Technology changes. Cameras and access control and credentialing technologies change. Network and infrastructure going on-prem to SaaS. So if you’re thinking long-term strategic planning, and yes, most security master plans are going to be three to five years, But when we’re thinking through them, we’re thinking the life cycle of the plans are far longer. It refreshes, but the program life cycle is 10, 20 years.
So what do we anticipate happening? And we don’t know what changes will happen, but we know that there will be things that will be dynamic, and people will have to react to them, people will have to shift to them.
Are the problems of change management primarily, or the big ones happen at the beginning, where something needs to change and people are resistant to it, or is the problem that changes come along and derail the plan, or both? Does one get the most emphasis?
It’s both and it’s cyclical. People are reluctant to change because they’re comfortable, it’s working, it may not be perfect but it’s working, or they’ve tried it, and they’ve met resistance or they have met roadblocks. So that’s the first resistance.
The second resistance is they don’t understand it. How would it benefit them? Or why would it benefit the security program at large or initiative at large? So that’s the typical initial resistance or reluctance.
Once you get through to that, now you have deployed this, executed the program, you’re managing it, and now there’s actually things that are changing with it. So if you put very rigid controls, if you didn’t have a good change management process that was fluid and flexible and dynamic, you’re not going to know how to address those changes. So typically when that starts to happen, if you don’t have good principles in place, now things are going to start happening ad hoc. People are going to start improvising, your program now starts to fray at the edges, and ten years later, you are back at square one where things are not working and everybody’s resistant to the new program.
So when we say 10 to 20 years, obviously we’re not developing a 20-year program. What we’re trying to do is put a framework of best practices in place for end users who are now able to follow that framework to say, okay, as technology is changing or whatever environment is changing within my organization, I know who the roles and responsibilities are. I know what the process is to get in front of it to become proactive about it. And that’s the 10-year longevity that we look at and talk about – how to give them the tools to basically keep refreshing their security program and keep staying ahead of it as opposed to reacting to it.
What are the basic components of a change management mindset? So you come in and they haven’t done it before, they haven’t heard about it. Here are the things we’re going to implement for you, and when you experience a change, because this thing is going to change, you should go through these three steps, these four steps, these five steps…
It is identifying people, process, and technology and the interdependencies that exist. That’s really in one sentence is what I’ll put it as. Who is doing what, why they’re doing it, what processes they’re using to control it, and what technologies they are implementing, and who are the affected stakeholders, which goes back to the people.
Once you have that identification, you can now take it step-by-step. Each time you execute something different, you can ask all those series of questions. Who are the people using it? Who are the people benefiting from it? Who are the people that are running it and managing it? And how all those intersect and what are the interdependencies that basically make sure that they’re impacted by it, negatively or positively.
Give us an “in the trenches” example of what happens when people don’t take the time to conduct a change management assessment? Such as I just got to this site. I can’t tell you what’s wrong with the security or what we should change. I have to fully assess what are people doing, how are they doing it, when are they here, who’s here, all that stuff. So you’re telling people you got to do that for your plan too. So what’s an example of how that can go wrong and then how it can go right with change management?
An example could be if you haven’t done proper change management, and let’s say you started on a technical deployment project. And you haven’t identified that your information security group requires a 10-step process to evaluate technology before you even select it. And that process can take an average of three months all the way up to six to seven months. And we have run into this. If you haven’t identified that interdependency, you have now introduced technology. And you’re anticipating it to get deployed in a certain period of time. But now there’s a six month delay to it.
Also within there are further additional interdependencies. You have to get the vendor engaged to answer questions. You have to get the people engaged in how it’s going to work, how the data is going to be transferred, where it’s going to be stored. Sometimes you don’t know those answers, so now you’re reacting in that environment. Sometimes that six months can become nine months, eight months, ten months. That is an example of where things can go wrong.
Another example would be that you are implementing a new process.
But that process impacts office managers in foreign locations, international, like you’re a multinational company. But they don’t have the same risks or they don’t understand the same risks that happen in the corporate headquarters in the United States.
If you haven’t effectively communicated the actual new process through an effective change management process, you are going to meet with resistance, or confusion, or unavailability, and it’s going to impact the overall progression of the task that you told your leadership, hey, I’m going to go and execute this, and it’s going to be done in this time. Now, suddenly, there are people coming to the same leadership saying, I don’t understand this. Why am I being told to do this? This is another example that we have come across.
Those are some of the negative consequences. It actually costs you money. It’s always taken in the lens of, well, okay, I have to do all these steps because it actually is operationally more inefficient and financially more expensive to not have change management in place because now you’re actually going back and trying to reactively fix all those things that didn’t get addressed in the beginning.
In a 2023 report about change management, and they talked about the reasons that 37% of employees resist organizational change management efforts. The top reasons, so I want to talk about two, three, and four, which kind of, you already hinted at, lack of awareness about why change is happening.
So you gave that example of Why are you changing this? Our building isn’t like this. Our site isn’t like this. Fear of the unknown – haven’t done this before. Don’t know what I’m supposed to be doing. Insufficient information – you can explain this to me. I’m not sure. But the number one in that survey was a bummer – 41% had a lack of trust in the organization. Is there anything security can do about the fact that there’s a lack of trust in the overall organization?
Lack of trust because of all the following factors. Because… If you are not telling them why, if you don’t have them engaged in the process, you didn’t ask them what their input is or what their day-to-day lives look like in their work environment. Then they believe that they’re not part of the process. They’re not interested in the process. So they inherently don’t think that you have their trust or their interests in mind. That is a big issue.
It’s not just limited to security. Other organizations within a company also can suffer from this because you just have very large ecosystems and everybody’s trying to do the right thing, but these are large ecosystems. When you don’t have that framework in mind, which a lot of organizations don’t because they’re reacting, they’re doing the day-to-day lives, it can build up because, hey, they don’t listen to me or they don’t include me in any of this process. So what they’re telling me, I don’t really trust because I don’t understand it, and those are all the reasons that feed up to that lack of trust in the organization.
How do you get around that is through a proper governance framework, where I’m not saying you’re engaging them on a weekly, daily basis all the time, but changing the mindset of security to your stakeholders to basically be able to explain the simple “whys”.
And if you are going to embark upon a major initiative or even a semi-major initiative that impacts, change management has to identify the impacted stakeholders. That’s one of the very important principles of it, because if all you’re doing is replacing a back-end technology, you don’t need to go tell the office managers if it doesn’t impact, but if it impacts them, you want to engage with them. You don’t want to assume that they will just come along because it’s an access control system that they don’t own, because they’re affected by it.
So if they’re impacted, you want to take their input in. You want to explain to them “the why”. You want to explain to them how it would work. Even if it’s awareness, they may say, “It doesn’t matter, you go do whatever you need, and when it’s time for training, I’ll get involved.” then starts to build a level of trust, these guys are including me, they are incorporating me into some aspect of awareness or decision-making process. So therefore, I have a stake, and I have a say in this, and that builds trust. From there, I know why the change is happening. I have enough information. I do not have the fear for it, so they all flow together.
If I’m a highly successful security professional, I get along with people. The bosses like me, my peers like me, but then I hear this, I do think I’ve had problems. I want to learn about this. What’s the first thing I should do?
It’s mostly around awareness. How do I communicate? That’s the first thing that comes to people’s minds. How do I communicate what the gaps are or what I’m looking to do? Or what are the concerns from other people? I think communication and awareness is going to be the first thing. How do I communicate my desire or my goal or my plan to others? So that’s probably what they will look at first.
So that sounds much more attainable. Does this mean I’m going to have some giant multi-tab binder with a lot of worksheets and checklists and I’m going to have to work through this every time I want to change something?
You know, it’s surprising because change management sounds very structured. There’s a framework to it and all the principles. But at the end of the day, it’s really a little bit of organized planning and a lot of communication and awareness and that’s really the two main principles that sit behind it. Binders are never going to help anyway. They never have, they never will.
OK, so not 1,000-page binders of change management procedures, but just changing your mindset over time to always think about the people, the processes, and the technology in any change, and then the interdependencies that exist between them.
You need to plan first, communicate effectively to all those people about how the change will affect them, then monitor how things unfold over time. You’ll need to gather data and use it.
Listen to the interview here [13:45 minutes]:
Read more from Mohammed Shehzad about managing that process here: https://www.asisonline.org/security-management-magazine/articles/2025/09/change-management/resistance-into-readiness/
Explore the 2023 study about Change Management and the reasons people resist change here: https://www.oak.com/media/c5llwb4v/oak-change-report-digital.pdf
Image Source: Security Management Podcast
About Atriade
Atriade is a trusted security consulting firm with decades of experience delivering tailored security solutions. We specialize in security system design for access control, perimeter protection, video surveillance, visitor management, and other advanced physical security technologies.
Our expertise also extends beyond system design to include security master planning, program development, risk assessments, professional services, and end-to-end project management.
For more than 20 years, we have partnered with Fortune 50 companies, Ivy League universities, and leading technology firms in Silicon Valley to help them navigate complex security challenges with a strategic, forward-thinking approach.
Visit us online at Atriade.com
Connect with us on LinkedIn
Subscribe to our LinkedIn Newsletter Take A Risk
What are the core components of change management for security?
The core components are people, processes, technology, and their interdependencies—identifying who is doing what, what processes control the work, what technologies are being implemented, and how these elements intersect. A change management plan empowers teams by proactively identifying affected individuals and tailoring training and communication to their specific roles.
Related reading: 8 Red Flags of Security Project Management
How can security leaders reduce resistance to change?
Leaders reduce resistance by explaining the “why” behind changes, engaging stakeholders in the process, and asking for their input so people feel they have a stake in the outcome. According to research, 41% of employees resist organizational change due to lack of trust in the organization, which stems from not being included in decisions that affect them.
Related reading: Understanding the Critical Role of Professional Services and Their Providers (see section on “Effective Stakeholder Engagement”)
- Categories:
- Security Operations
- Professional Services