Certified: The GIAC GSTRT Audio Course

In this episode, we treat negotiation as the operational skill that keeps cross-functional work moving when priorities collide and pressure is high. Security programs live at the intersection of delivery, operations, compliance, finance, and leadership, which means alignment is rarely automatic. When alignment fails, you get stalemates where decisions never land, turf wars where teams defend territory instead of outcomes, and churn where priorities reset so often that progress evaporates. The solution is not to push harder or escalate constantly; the solution is to negotiate with structure so that shared goals are explicit, constraints are acknowledged, and tradeoffs are made consciously. This kind of negotiation is not about winning arguments, because in complex systems, a victory that creates resentment often becomes a future failure through workarounds and passive resistance. The goal is to create agreements that teams will actually execute, even when the sponsor is not in the room. When you can negotiate this way, you protect momentum, reduce repeated re-litigation, and keep the program coherent. That is what cross-functional alignment looks like in practice.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A strong negotiation begins with shared goals and constraints stated openly, because hidden constraints are the root of many conflicts. Shared goals might include protecting revenue-critical services, meeting compliance obligations, reducing incident disruption, and sustaining delivery velocity without sacrificing trust. Constraints might include staffing limitations, release deadlines, legacy architecture, tooling maturity, and contractual obligations, and they must be spoken plainly rather than implied. When constraints are unspoken, teams assume others are being unreasonable, when in reality they are operating within different limits. Stating constraints early also reduces moralizing, because the conversation shifts from who is right to what is possible. The leader’s role is to frame the negotiation as a joint effort to achieve shared outcomes under real constraints, not as a battle between security and delivery. This framing changes behavior because people stop defending their identity and start working the problem. It also reduces surprise, which is one of the main drivers of turf wars, because teams often react aggressively when they feel blindsided. If you can create a shared view of goals and constraints in the first part of the conversation, you have already removed a large fraction of the friction. The conversation becomes about design choices rather than about motives.

Once goals and constraints are visible, map the non-negotiables, the tradeoffs, and the acceptable risks, because alignment depends on knowing what cannot move and what can. Non-negotiables are the boundaries tied to mission-critical outcomes, regulatory obligations, safety, or explicit leadership commitments, and they must be stated clearly so teams do not waste time trying to negotiate something that cannot change. Tradeoffs are the areas where choices are possible, such as sequencing, scope, depth of controls, timing of implementation, and operational friction tolerance. Acceptable risks are the risks the organization is willing to carry temporarily or permanently in exchange for other outcomes, and those risks must be owned through clear decision rights. Mapping these elements reduces churn because it prevents endless reopening of settled boundaries, and it prevents stalemates because it shows where negotiation can actually produce movement. It also creates fairness, because teams can see that security is not arbitrarily blocking progress, but enforcing defined boundaries while being flexible within them. In security work, non-negotiables often include protecting sensitive data access paths, maintaining minimal logging for critical services, and ensuring recovery capability for core systems. Tradeoffs might include whether controls are deployed as a gate or as continuous monitoring, or whether mitigation is phased versus all-at-once. The moment you map these clearly, the negotiation becomes more efficient because the space of possible agreement is defined.

A key technique for avoiding stalemates is using interests rather than positions, because positions are often incompatible while interests are often compatible. A position is a declared solution, such as security must require full testing before release, or delivery must ship by a certain date without extra steps. An interest is the underlying need, such as preventing production outages, meeting customer commitments, preserving team capacity, or reducing incident risk. When you focus on interests, you can generate options that satisfy multiple needs at once, whereas positions tend to force zero-sum choices. For example, a delivery team’s interest might be predictable release cadence and minimal friction, while security’s interest might be reducing exposure to known high-impact failure modes. Those interests can be satisfied together through automation, targeted gating on high-risk changes, and rapid rollback capability, even if the original positions looked incompatible. Interest-based negotiation also reduces ego conflict because people are not forced to abandon their identity as someone who ships or someone who protects; they are simply clarifying what they need. The leader’s job is to keep the conversation at the interest level long enough to explore options before evaluating them. When you move too quickly to evaluating positions, you freeze creativity and trigger defensiveness. Interests keep the problem solvable.

A practical example is integrating security testing without blocking releases, because this is a classic friction point where positions often collide. Delivery teams may fear that security testing will become a gate that creates unpredictable delays, while security teams may fear that without testing, vulnerabilities and misconfigurations will reach production and create incidents. The interests on the delivery side include predictable cadence, fast feedback, and clear criteria for what blocks a release. The interests on the security side include reducing high-impact risk, improving detection of regressions, and ensuring critical controls are not bypassed. A workable approach is to integrate testing earlier in the pipeline so feedback arrives quickly, and to use risk-based rules so that only certain classes of changes trigger stricter checks. Another approach is to treat some tests as required evidence for high-risk releases while allowing lower-risk changes to proceed with post-release monitoring and rapid rollback readiness. The key is to design the process so that security testing improves reliability rather than acting as a late-stage surprise. When testing is predictable, automated where possible, and tied to clear decision criteria, teams stop treating it as a political weapon and start treating it as an engineering practice. This is how negotiation converts conflict into design.

Before evaluating proposals, create decision criteria, because criteria are what prevent negotiations from becoming personal debates. Decision criteria are the standards you will use to judge options, such as impact on revenue-critical flows, reduction of a specific high-ranked risk, effect on release cadence, required effort relative to capacity, and compliance implications. Criteria should be agreed jointly so that teams share the yardstick, and they should be stated in plain language so no one can reinterpret them later to fit a preferred solution. When criteria exist, the conversation becomes a comparison of options against agreed standards rather than a contest of persuasion. Criteria also reduce churn because when a decision is made, you can explain the decision in terms of the criteria, and that explanation remains stable even when stakeholders change. In security, criteria should include operational resilience because controls that create fragility can harm the business even if they reduce certain threat pathways. Criteria should also include time sensitivity, because some risks are rising quickly due to active exploitation or upcoming audits. When criteria are clear, you can move faster because evaluation is structured, and you can avoid stalemates because the criteria create a path to a decision. Over time, using criteria regularly builds trust because stakeholders see that decisions are not arbitrary.

One pitfall that creates turf wars is letting unresolved issues fester quietly, because silence often looks like agreement until the moment a decision must be executed. When issues are not resolved, teams proceed with different assumptions, and those assumptions collide later when changes are costly. Quiet festering also creates resentment because people feel ignored or overruled without being heard, and resentment tends to surface as passive resistance rather than as open disagreement. The remedy is to surface issues early, name them, and either resolve them or explicitly park them with a clear plan for decision and escalation. Parking is not avoidance; it is a conscious decision to defer a topic because information is missing or because a decision owner is not present. The important part is that parking includes a next step and a date, because otherwise it becomes drift. Another remedy is to summarize points of agreement and points of disagreement explicitly, so teams leave with the same understanding of what is still open. This prevents later arguments about what was decided and what was implied. In security programs, unresolved issues often involve risk acceptance boundaries, ownership of operational burden, and the true cost of certain controls in delivery velocity. If those issues are not resolved, the program will churn because it will repeatedly revisit the same conflict in different forms. Surfacing and resolving early is therefore a momentum protection strategy.

A quick win that reduces surprises and stalls is pre-briefing stakeholders before a cross-functional decision meeting, because pre-briefs remove the shock factor that triggers defensive behavior. A pre-brief is a short conversation where you share the goal, the constraints, the decision needed, and the proposed criteria, and you ask for concerns in advance. This allows stakeholders to process privately, ask clarifying questions, and surface hidden constraints without performing in front of a group. It also helps you adjust framing and options before the main meeting, making the main meeting more likely to end in a decision. Pre-briefing is not backroom politics; it is a way to respect that people need time to think, especially when decisions affect their teams and their commitments. It also reduces the chance that someone brings a surprise veto late, because you have already surfaced their concerns. In high-stakes environments, pre-briefing can be the difference between a calm decision meeting and an explosive one. It also demonstrates professionalism because it signals you care about alignment, not about ambushing people into agreement. Over time, teams begin to trust leaders who pre-brief because they experience fewer surprises and fewer public conflicts. That trust makes future negotiations easier.

When discussions become tense, neutral facilitators can help, because a facilitator can hold process steady while stakeholders focus on content. A neutral facilitator does not need to be an external consultant; it can be a respected leader from another function, a program manager, or someone trained in facilitation who is not directly invested in the outcome. The facilitator’s job is to keep the conversation aligned to goals, constraints, and decision criteria, to ensure each party is heard, and to prevent the meeting from devolving into personal conflict. Facilitation is particularly useful when trust is low or when past conflicts have created emotional residue, because the presence of a neutral process owner can reduce defensiveness. A facilitator can also enforce time discipline, ensuring that the conversation moves from framing to options to decision rather than looping. In complex negotiations, the process often matters as much as the content because poor process amplifies conflict. A facilitator can also capture agreements and open issues in real time, preventing later misunderstandings. This is not about controlling the conversation; it is about creating a container where negotiation can be productive. When facilitation is used thoughtfully, it increases the likelihood of a clean decision and reduces churn afterward.

A common scenario is a budget deadlock, and incremental pilots can resolve it by converting argument into evidence. Budget deadlocks often occur when teams agree a problem exists but disagree on the best investment, or when leadership wants proof before committing funds. A pilot is a limited-scope implementation designed to test a hypothesis, such as whether a control improvement reduces incident likelihood, reduces delivery friction, or improves audit readiness. The pilot should have clear success measures tied to business outcomes, such as reduced rework, faster evidence retrieval, reduced exposure on a critical path, or improved detection of a specific threat scenario. By running a pilot, you reduce uncertainty and shift the conversation from opinions to observed results. Pilots also lower political risk because leaders can fund a smaller experiment without committing to a large program immediately. If the pilot succeeds, it creates momentum and makes larger funding easier because the value is visible and credible. If it fails, the organization learns without having spent full budget, and the negotiation can pivot to alternatives with better information. The key is to keep pilots aligned to agreed decision criteria so that success is meaningful to all parties. In this way, pilots become a negotiation tool that preserves momentum and reduces churn.

A practical step that improves alignment quickly is crafting a joint problem statement today, because it anchors negotiation in shared reality rather than in competing narratives. A joint problem statement describes the issue in outcome terms, names the constraints, and specifies why the problem matters to the mission. It should avoid blaming any team, and it should avoid prescribing a solution, because prescribing a solution too early turns the statement into a position. Instead, it should define what must be true for the problem to be considered solved, such as maintaining release cadence while reducing a defined risk exposure, or meeting audit requirements while reducing operational disruption. Writing it jointly ensures that each team sees its concerns represented, which increases willingness to cooperate. It also creates a reference point that prevents the conversation from drifting into unrelated grievances. A joint statement is especially useful when past conflict exists, because it provides a neutral starting point for rebuilding cooperation. It also improves communication upward because leadership can understand the problem without decoding internal politics. When teams can agree on the problem statement, they are far closer to agreement on solutions than they often realize. This is one of the simplest alignment moves with one of the highest returns.

A phrase to keep available in memory is alignment beats victory in complex systems, because it captures why negotiation must optimize for execution, not for winning. In complex organizations, you cannot force compliance through argument alone, because the work must be carried out by people who have their own constraints and incentives. A victory that humiliates another team often creates long-term costs through slow cooperation, workarounds, and future resistance. Alignment, by contrast, creates shared ownership, and shared ownership is what sustains execution after the meeting ends. The phrase also helps you stay calm when tension rises, because it reminds you that the real objective is a functional system, not a rhetorical win. It encourages you to seek solutions that satisfy underlying interests and protect mission outcomes rather than solutions that prove one side correct. It also supports long-term leadership credibility because leaders are remembered for how they resolve conflicts, not just for what they demand. When you prioritize alignment, you protect momentum and reduce churn because decisions are more likely to stick. This is why negotiation is a leadership skill, not just a meeting skill.

As a mini review, keep goals, interests, criteria, pilots, and pre-briefs connected because they form a repeatable negotiation method. Goals and constraints define the shared outcome and the reality you must operate within, preventing moral debates. Interests replace positions to keep the problem solvable and to generate options that satisfy multiple needs. Criteria provide an agreed yardstick so evaluation is structured and decisions feel fair rather than political. Pilots convert disagreement into evidence, reducing uncertainty and unlocking budget and commitment through observable results. Pre-briefs reduce surprises and defensiveness, making decision meetings more likely to end cleanly and reducing the risk of later reversals. When you apply this method consistently, negotiations become faster because teams know the process and trust the fairness. It also reduces turf wars because the conversation is anchored in mission outcomes and structured decision-making rather than in identity and territory. Over time, this method becomes part of your organizational operating system, which is how you prevent repeated churn around the same unresolved issues. The review matters because negotiation is often treated as improvisation, and improvisation increases variability and conflict. A method reduces both.

We will conclude by turning negotiation into immediate action, because alignment improves only when a tradeoff is proposed and a decision is booked. Propose one tradeoff that respects non-negotiables while creating movement, such as a phased control rollout that protects the critical path first while preserving delivery capacity. State the decision criteria you intend to use so stakeholders know how the option will be evaluated, and pre-brief key stakeholders to surface constraints before the main meeting. Then book a decision meeting with the right decision owner present, so the negotiation ends in a commitment rather than in another discussion. This is the last paragraph and the conclusion, and it is the last required bullet: propose one tradeoff and book the decision meeting, because momentum is protected when alignment is turned into a clear choice that the organization can commit to and execute.