Spoiler Alert: It's Because You Actively Avoid It!!
A 2025 study by researchers at Indiana University and Cornell University found that almost every single one of us avoid "negotiation" 50% of the time — not because they lack skill, but because negotiation triggers the same psychological discomfort as public speaking or direct conflict.
So, what does this mean for Cybersecurity?
Because most cybersecurity work IS negotiation—but you don't recognize it that way, so you don't approach it systematically. Every conversation about priorities, timelines, controls, or resources is a negotiation. And when you avoid half of those conversations, you're not just limiting your influence—you're letting security decisions get made without security input.
There's a blind spot in how security professionals perceive their work. Let me show you what you're not seeing.
The Recognition: These Are All Negotiations
When you hear "negotiation," you probably think of buying a car, discussing salary, or hammering out vendor contracts. But the research reveals something more fundamental: negotiation is any interaction where you need someone to do something they're not currently doing, stop doing something they are doing, or give you something they control.
The timeline conversation where you "accept what you're given"—you're negotiating priorities and resource allocation.
The stakeholder who "won't prioritize the security fix"—you're negotiating risk acceptance versus business timelines.
The developer who "doesn't want to change their code"—you're negotiating security practices versus convenience.
The project that "doesn't have budget for security reviews"—you're negotiating scope and quality standards.
But here's the problem: if you don't label these moments as negotiations, you don't prepare for them systematically. You don't use proven influence frameworks. You don't learn from each attempt. And you don't get better over time.
Easy Win Today: Agree that much of our Cybersecurity profession is negotiating
Why the Blind Spot Exists
The research team—Hunsaker, Zhang, and Lee—identified three categories of barriers that create this blind spot:
Cognitive barriers: We reserve the word "negotiation" for specific, formal contexts. Daily influence doesn't feel like "real" negotiation, so we don't approach it with the same intentionality.
Emotional barriers: Calling something a "negotiation" makes it feel adversarial and uncomfortable. So we use softer words: "discussion," "conversation," "coordination." The relabeling protects us from the anxiety, but it also prevents us from using systematic methods.
Social barriers: In many organizations, "negotiating" with colleagues or managers feels inappropriate—like you're being difficult or not a team player.
The result? You tell yourself: "I'm just explaining the technical issue" or "I'm just making a request" or "I'm just documenting the risk." But what you're actually doing is avoiding a negotiation.
Behavioral Science can help us fix this. When we make the mental shift to accepting that "This is a Negotiation" then we can make personal and professional progress.
What Robert Cialdini's Research Tells Us
Here's the finding from the study that should change everything: People who believe negotiation is normal, common, and expected negotiate 34% more often than those who don't.
This validates what Robert Cialdini has demonstrated through decades of research on influence: people look to social norms to determine appropriate behavior, especially in uncertain situations. His principle of Social Proof shows that when we believe "people like me do this," we do it. When we think it's exceptional or inappropriate, we avoid it.
For cybersecurity professionals, this means the barrier isn't skill—it's perception. When you think influence is exceptional, you avoid it. When you see it as expected, you engage.
The Implication
When you avoid the negotiations embedded in your daily work, you're not just leaving personal influence on the table—you're adding a trust tax to every security initiative.
Every avoided conversation about priorities teaches the organization that security will always "understand" and accommodate.
Every unspoken concern about timelines signals that security's input is optional. Every accepted "no" without follow-up reinforces that security doesn't really need what it's asking for.
The research is clear: This avoidance isn't a character flaw. It's documented human behavior affecting 95% of professionals. But awareness is the foundation of change.
What to Notice This Week
Start paying attention to these moments: When you need someone to change their behavior, shift their priorities, or allocate resources differently—recognize it. That's a negotiation.
The question isn't whether to engage in these conversations. The question is whether you'll approach them systematically, using proven frameworks, or hope that technical merit and goodwill are enough.
Tomorrow, I'll show you why your current approach to these conversations isn't working—and what the research reveals about the real barriers you're facing.
If you're starting to recognize how often these moments occur in your work, that awareness is the foundation for building systematic influence capabilities. In my work with cybersecurity professionals, we translate behavioral science research into practical frameworks designed specifically for technical professionals who need to drive organizational change. Subscribe to my newsletter for weekly insights on the science of influence for cybersecurity professionals.