They Accept Negotiation as Part of the Job and Prepare/Perform Accordingly
Yesterday I showed you the blind spot: most cybersecurity work is negotiation, but you don't recognize it that way.
When you avoid these conversations about half the time (which 95% of people do), you're not just limiting your influence—you're letting security decisions get made without security input.
So here's the question: If 95% of people exhibit this avoidance pattern, how do you become part of the 5% who don't? Or better yet, how do you reduce your avoidance rate from 50% to 30% to 20%?
The same research that documented the problem also found what works.
The Intervention That Actually Worked
Change Your Perception of What "Normal" Is for Cybersecurity Work and Engagement
After proving that showing people a 22x economic benefit didn't change behavior, the researchers from Indiana University, Cornell, and Leuphana University tested something different.
They told participants one sentence:
"80% of Americans negotiate when purchasing items on Craigslist."
That's it. No economic arguments. No skill training. Just information about what other people do.
Result: 34% increase in negotiation likelihood.
Why did this work when the 22x wage increase didn't?
Because it changed what people believed was normal. Participants went from thinking "negotiation is unusual/aggressive/inappropriate" to "negotiation is what most people do—it's normal and socially acceptable."
Negotiation is normal. It is part of the job and you should prepare for those interactions accordingly.
What Robert Cialdini's 40+ Years of Research Tells Us
This finding validates what Robert Cialdini demonstrated through decades of research on influence: Social Proof is one of the most powerful forces shaping human behavior.
His principle: People look to what others do to determine appropriate behavior, especially in uncertain situations. When you believe "people like me do this," you do it. When you think it's exceptional, you avoid it.
For security professionals, this means: The barrier isn't skill—it's perception of what's normal.
The Three Shifts That Change Everything
Shift 1: Reframe Negotiation as Expected, Not Exceptional
Current mindset: "I shouldn't have to negotiate about security. People should understand it's important. Pushing back makes me seem difficult or not collaborative."
Effective mindset: "Negotiating for what security needs is standard practice. Every effective security professional I respect does this regularly. This is how security work gets implemented in organizational contexts."
This isn't about becoming aggressive. It's about recognizing that influence is part of the job description at every level—analyst, engineer, architect, manager. When you see it as expected rather than exceptional, your discomfort drops.
Shift 2: Find Where Others Model This Behavior
The research shows that seeing others negotiate makes you more likely to negotiate. This is Social Proof in action.
Where to find this:
- Security meetups and conferences where influence is discussed openly
- CISO roundtables and peer forums where leaders share what worked
- Mentors who demonstrate systematic influence
- Online communities where security professionals discuss stakeholder management
When you consistently see "people like me do this," the social barrier dissolves. You're not the exception—you're part of the norm.
Shift 3: Use Systematic Methods, Not Improvised Arguments
Here's where behavioral science becomes practical. Instead of hoping your technical explanation will be enough, use proven frameworks:
Cialdini's Social Proof: "Most organizations at our maturity level have implemented this control. It's becoming industry standard practice."
Cialdini's Reciprocity: "I helped accelerate the last release by pre-approving the low-risk changes. I need support on this high-risk item."
Cialdini's Consistency: "We agreed in the architecture review that authentication would be required. This implementation delivers on that commitment."
Voss's Calibrated Questions: "How am I supposed to meet the compliance requirements with the current timeline?" (Not accusatory—genuinely curious, which puts them in problem-solving mode with you.)
Voss's Tactical Empathy: "It sounds like you're concerned this will delay the release. Help me understand what 'on time' means for this project." (Acknowledge their concern before presenting your solution.)
Covey's Trust Equation: Trust = Character × Competence. Demonstrate both consistently. Show up with integrity, follow through on commitments, deliver results. High trust speeds every conversation.
When you have systematic frameworks, negotiation isn't an uncomfortable confrontation you improvise through—it's a process you execute.
The Key Takeaway: Prepare for negotiations differently. Don't bring just facts, figures, risk and metrics. If you don't already know them, learn the frameworks of negotiation.
What This Looks Like in Practice
Before your next security conversation, instead of thinking:
"I don't want to seem difficult or like I don't understand the business."
Try thinking:
"Negotiating for what security needs is expected behavior. Effective security professionals do this regularly. This is how the job gets done."
In the conversation, instead of just presenting technical arguments:
"I know other teams we work with were initially concerned about implementation timeline for MFA. What they found was that phasing it by user group actually accelerated adoption. Would that approach work here?"
(Social Proof + opening for collaboration instead of confrontation)
The Path Forward
The research is clear: You don't need better arguments. You need to change what you believe is normal.
When security professionals believe negotiation is:
- Expected (not exceptional)
- What their peers do (not unusual)
- Part of standard practice (not "being political")
...they engage 34% more often.
Same skills. Different perception. Completely different outcomes.
This isn't soft skills training. This is behavioral science applied to technical leadership. The frameworks from Cialdini, Voss, and Covey work because they address the actual psychological barriers—not the imagined logical ones.
Start this week: Notice when you're in a negotiation moment. Recognize it. Reframe it as normal. Use one systematic method. Track what happens.
You don't need to fix everything at once. You just need to reduce your avoidance rate from 50% to 40%. Then 30%. Progress, not perfection.
This two-article series on negotiation avoidance barely scratches the surface of how behavioral science applies to cybersecurity leadership. In my work with security professionals, we build systematic influence capabilities using these research-backed frameworks—designed specifically for technical professionals who need to drive organizational change.