Change in security organisations
ChangeShop, developed by Gerald and Daniel Weinberg, is an experiential workshop in which participants bring real problems and work on them live. Within hours, three things tend to become clear: the problem is not what you thought it was, you are part of it, and your organisation is quietly structured to resist the solution.
That last point is the one worth sitting with. Organisations are homeostatic systems. They resist change to remain stable. This is not incompetence or obstruction; it is system behaviour. When a security team discovers that their most important recommendations are reliably not acted upon, the ChangeShop diagnosis is usually accurate: you cannot implement change from the outside. You can only alter the conditions under which change becomes possible.
Applied to security, this reframes the question. Instead of asking how to roll out a control, you ask who benefits from the current state, what behaviour the system is actually rewarding, and what makes the safe path harder than the unsafe one. Resistance is not noise. It is a map.
Working with organisations as they are, not as you wish they were: