Managing change in complex security deployments 

We speak to expert Glenn Lucas about the complexities of access management and tech adoption. 

There’s a very real need to consider security projects not just from the physical perspective, but from an all-of-company perspective, says Managing Director at Transformational Change Glenn Lucas. He joined us to chat about the hot topic of cyber–physical convergence, transformational change and delivering positive outcomes for security projects. 


What is transformational change?  

Transformational change is really around the human side of change. So what typically happens with a technological solution is there’s a high-level design, low-level design, and very technical specifics around features that need to be delivered.  

With transformational change, it’s really about helping the end user achieve the outcome that was originally intended for them, which often ends up being lost by the end of a project. For example, “We’ve got a solution that we’ve given our customers, but no one uses it or it’s not exactly what was specified or what they thought they wanted.” 

Transformational change takes a more systematic approach to the people side of things. At the entry level, it really starts to understand the requirements of the customer. Why are they doing this? What’s the endgame? What are they trying to achieve? You want to be able to overlay that with the criteria that was put forward to actually get project approval – that’s critical from a leadership perspective. If you’re going to deliver some results based on a high-value investment, then you want to see those results that were transformational. Change helps map the outcomes throughout the course of the project. 

The other key element is really understanding the people and their capabilities. Are they change-ready? Do they need assistance in preparing for the change? Certain organisations are very change-ready. They’re used to it because they change all the time. Others have not changed for a very long time so there’s a lot of resistance. And it’s really about understanding what the root cause of that resistance is and uncovering how you can actually get them to change it. Typically, if you understand the root cause, it’s usually some form of cognitive bias that you can help people move away from. You can follow their thought process and actually show them the benefits. So it’s really about mapping that to every individual user and saying, “This is what you’re going to achieve.” 

Then the final stage of transformational change is the reinforcement, or the sustainability of that change. So making sure the systems are in place so you can track and review, give training to people who haven’t adopted the change, and be able to identify that the adoption has happened and it will continue to happen post-project closure. 


The IT industry has generally been a proponent of transformational change, but when it comes to electronic access control systems, that hasn’t really been baked into their thinking. Why is that the case?

Electronic security has come from a more construction-style project-management focus. Over the years, the installations have been conducted through builders on large installations. So they’ve been more focused on getting the project done on time, rather than looking at some of the higher-level project-management methodologies and change-management services due to the complexity of the changes. 

What we’ve seen more recently is the access control systems are far more complex. They integrate with multiple systems; more users are using them. Traditionally there were only a few doors that you’d have to take care of, whereas now it’s the entire building. We’re seeing integration with ID management systems, which have high-level private data on them that now need to be protected by more secure methods than what was previously the case. 

We’re starting to see this convergence between the two industries as a result of that. 


Looking at the digital access management space versus the physical access management space, how have we ended up in this situation where they are so siloed?  

The silo approach is probably because of the evolution of both industries – they started off very separately. One was an IT business that came up with a logical approach to manage ID management within their organisations. It was adopted very early by many organisations, but many others didn’t have it at all. 

If you look at the organisations that are well down the track in digital security – such as universities, prisons, critical infrastructure-type industries – what we’re starting to see now is they have the requirement to manage both digital and physical security. Because if someone can get in your door, no matter how strong your cybersecurity procedures are, your physical security is obviously compromised. 

Risk managers are starting to identify that we need to bring these solutions together. So that’s where we’re starting to see organisations saying, “How do we manage ID management at the top of the chain and then integrate the systems so that we’re moving away from the inconvenience of having multiple passwords and multiple systems that further compromise people’s security?” 


So who leads this from an organisational standpoint – is it the risk manager?

Yes, driving a lot of the change within organisations would be the risk managers. There’s a number of reasons why people need to get the changes within the physical and digital security spaces – we’re seeing changes in legislation around types of security protections that need to be on-site. And that starts to cover the physical security side of things. 

I’m starting to see that with some of the new work and strategies coming out from the Department of Home Affairs. I think the government is pushing that and I think the risk manager will drive a lot of it. They are probably the owner of the process. Organisationally, leaders at the top are obviously focused on protecting their information. You’ve probably seen in the news over the past 12 months occurrences of data escaping. The Garmin breach is recent example of the impact it can have on not just the cost to your business, but reputational damage. 


You were previously Managing Director at Chubb and you sat on the technology-supplier side. One of the things you’ve spoken about is the impact of poor technology adoption from a vendor perspective. What is the impact on the market when that happens?

The impact is: whatever the people can see, that’s who they blame. So whatever the name of the product they can see on the keypad or on the wall, they’re the guys who delivered a poor outcome. I’ve worked with vendors and integrators who have had that negative experience despite delivering 100% to the technical specification. Hence why I’ve been working with a lot of the integrators to help them to go to the end users and say, “We’re actually evolving within our industry and we’re now focused on the outcomes to the individuals within the organisations we’re servicing – as opposed to delivering a technical specification that was written by a consultant.” 

Probably one of the biggest mistakes a lot of organisations make is that they’re not ready for a certain technology. Sometimes it doesn’t take much to prepare for it, but if you don’t do that preparation then it just doesn’t work. People won’t use it. It’s confusing and it fails. 

For me, I’m trying to help vendors and the industry as a whole to get a better reputation for delivering solutions. They’re not delivering the traditional alarm system with two detectors anymore – they’re very sophisticated, complex, highly integrated solutions with multiple systems. Large organisations now have their ERPs integrated with the systems. The level of integration is so sophisticated now that the industry can’t afford not to evolve, because if they don’t, the end users are going to look elsewhere for the suppliers of these types of services. 


Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.