Change in security organisations

[Illustration: A cluttered workshop with tools on pegboards, half-assembled projects on benches, and hand-drawn charts on the walls. A small group examines a model of interconnected gears and levers. One gear is labelled "policy", another "culture", a third "habit".]

ChangeShop, developed by Gerald and Daniel Weinberg, is an experiential workshop in which participants bring real problems and work on them live. Within hours, three things tend to become clear: the problem is not what it first seemed, the participants are part of it, and the organisation is quietly structured to resist the solution.

That last point is the one worth sitting with. Organisations are homeostatic systems. They resist change to remain stable. This is not incompetence or obstruction; it is system behaviour. When a security team discovers that their most important recommendations are reliably not acted upon, the ChangeShop diagnosis is usually accurate: change cannot be imposed from the outside. Only the conditions under which it becomes possible can be altered.

Applied to security, this reframes the question. Instead of asking how to roll out a control, the question becomes who benefits from the current state, what behaviour the system is actually rewarding, and what makes the safe path harder than the unsafe one. Resistance is not noise. It is a map.

Build change that sticks