Episode 26 — Overcome resistance empathetically while defending non-negotiable standards

In this episode, we take on a leadership problem that shows up everywhere in security and reliability work: people resist change, and you still have to protect the organization. The hard part is that you cannot bulldoze resistance without paying a long-term price, but you also cannot negotiate away protections that exist for a reason. Real progress comes from holding two truths at once: empathy for the human reality in front of you, and backbone around the standards that keep systems and data safe. When you get this right, you earn cooperation without watering down what matters. When you get it wrong, you either create compliance theater that fails under pressure, or you create resentment that quietly erodes adoption. The goal is to navigate resistance in a way that feels fair, calm, and firm, so standards become normal behavior rather than an ongoing fight.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

Resistance rarely appears out of nowhere, so the first move is diagnosis rather than debate. Most resistance sources fall into a few repeatable patterns, even if the surface story is different each time. Fear is common: fear of being blamed, fear of losing autonomy, fear of extra work, or fear that change will expose weaknesses in a team’s delivery. Overload is equally common, because when capacity is tight, any new requirement feels like an impossible addition rather than a sensible improvement. Misalignment also shows up when a standard is framed as important by one group but irrelevant by another, usually because the groups are measured on different outcomes. Incentives can be the hidden engine behind resistance, because people follow what their performance systems reward, not what a policy says. If you name the real source, you can solve the right problem instead of arguing about symptoms.

Diagnosis works best when you avoid assuming bad intent, even when the resistance is loud. People often resist because they are protecting something they value, such as delivery speed, uptime, or team reputation, and they do not see how the standard protects those same values. Your job is to learn what they think they are defending, because that reveals the lever you can use. If the resistance is fear, you may need to reduce threat by clarifying how accountability will work and by removing blame language from the conversation. If the resistance is overload, you may need to address capacity, sequencing, or scope so the standard is feasible. If the resistance is misalignment, you may need to connect the standard to outcomes they own rather than outcomes they do not. If incentives are the root, you may need a sponsor to adjust expectations or measures. When you treat diagnosis as a professional responsibility, you avoid the trap of making the conflict personal.

Listening actively is the practical skill that turns diagnosis into trust. Active listening is not passive agreement, and it is not a performance where you wait for your turn to talk. It is a structured way to gather real information and reduce defensiveness so the other person stops posturing and starts being honest. One of the simplest techniques is reflecting concerns in your own words, because it proves you heard the substance rather than only the emotion. Another is asking clarifying questions that focus on facts, impact, and constraints, because those questions move the conversation away from accusations. You also want to watch for the moment when someone repeats the same point with increased intensity, because repetition usually signals that they do not feel understood. When you reflect without judgment, you lower the temperature and you gain access to the real blockers. That access is what allows you to respond with precision instead of force.

Reflection must be done carefully, because the goal is to validate the experience, not to validate a conclusion that would weaken protections. You can reflect that someone feels overloaded without agreeing that the standard should be dropped. You can reflect that someone worries about delivery timelines without accepting that security can be postponed indefinitely. This is where many leaders stumble, because they believe empathy means giving in, and they fear it will be interpreted as weakness. In reality, empathy is a way to keep the conversation grounded in reality, which is what makes firm boundaries possible without escalation. When you reflect concerns, you should keep your language neutral and specific, describing what you heard rather than diagnosing motives. That neutrality helps the other person save face, which is a practical benefit in organizations where people must continue working together after the disagreement. Once the concerns are reflected, you can transition to what is negotiable and what is not, without the conversation feeling like a sudden shutdown.

Separating negotiable preferences from non-negotiable standards is the hinge point of the entire approach. Negotiable preferences are choices about how the work is done, which tools are used, what sequencing makes sense, or what documentation format is acceptable. Non-negotiable standards are the protections that must exist to reduce unacceptable risk, meet contractual obligations, or maintain safety and reliability. The mistake is treating everything as non-negotiable, because that creates needless conflict and drives people to work around you. The opposite mistake is treating core protections as flexible, which creates drift and eventually produces incidents that everyone regrets. A disciplined leader is explicit about the boundary, and they can explain it without dramatic language. You can say that the outcome is mandatory while the implementation path has options, which restores autonomy without reducing protection. This separation also makes negotiation productive, because people can invest their energy in solving the how instead of fighting the whether.

Once you draw the line, clarify the why behind the required standards in terms that match the audience’s responsibilities. Standards feel arbitrary when people do not understand the harm they prevent or the obligations they satisfy. The why should be framed as a risk and outcome story, not as a policy citation or a power move. For example, a requirement might exist because it reduces exposure time, prevents a known failure mode, or preserves evidence quality during investigations. It might also exist because the organization has made commitments to customers or regulators that must be honored consistently. When you explain why, avoid overloading people with technical detail that does not change the decision, but do include enough specificity that the standard feels connected to reality. If people can see the causal link between the standard and the harm it prevents, they are more likely to comply willingly rather than grudgingly. This is also where your educator mindset matters, because teaching the why is how you transform compliance into competence.

Offering options within boundaries is the next step, because autonomy is one of the fastest ways to reduce resistance while keeping standards intact. When people feel they have zero control, they often resist simply to reclaim agency, even if the standard is reasonable. Options can include different implementation approaches, different timelines within an acceptable window, or different ways to prove the control is operating. Options should be real, not cosmetic, because fake choice increases cynicism. The options also need to preserve the non-negotiable outcome, so you are not trading safety for harmony. A useful way to frame this is to state the boundary clearly, then ask which of the acceptable paths the team prefers and why. This invites collaboration and surfaces practical constraints you might not know about. When the team chooses the path, they become psychologically invested in making it work, which increases follow-through.

Examples of harm when standards drift are important because many teams have not personally experienced the downside yet, or they have normalized near misses. A standard can feel like overhead until it is the only thing that prevents a bad day from becoming a catastrophic one. The example does not need to be sensational, and it should not be used as a threat, but it should be concrete enough to show the chain of cause and effect. Standards drift often starts small: a skipped review, an exception that becomes permanent, a monitoring gap that seems harmless until a real incident happens. Over time, small drift accumulates into systemic fragility, where failures cascade and teams cannot explain why the system behaved the way it did. When you show harm, keep the focus on operational reality, such as increased outage duration, delayed detection, or loss of trustworthy audit evidence. The point is to make the risk visible, because invisible risk is easy to dismiss. Once people see the pattern, they are more willing to treat standards as guardrails rather than as obstacles.

Co-creating small experiments is a powerful bridge between resistance and adoption, because experiments turn opinions into evidence. A small experiment is not a permanent exception, and it is not a way to avoid the standard; it is a structured test of how to meet the standard with less friction. The experiment should have a clear hypothesis, a short timebox, and a defined measure of success that relates to both protection and team workflow. For example, you might test a lighter-weight approval workflow while still preserving accountability, or you might trial a new way to capture evidence that reduces manual effort. Co-creation matters because it signals respect for the team’s expertise and day-to-day constraints. It also helps you avoid designing controls in isolation, which is a common reason controls become ignored. When the experiment ends, you review the results together and decide what to keep, refine, or discard. This keeps the relationship collaborative while still moving toward consistent standards.

Sponsors can be essential when adoption stalls, especially when the true blocker is incentive conflict or cross-team dependency. The sponsor’s role is not to punish the resisting team, but to make the organizational tradeoffs explicit and to remove barriers that the team cannot remove alone. If a team is overloaded, a sponsor can help reprioritize work so the standard becomes feasible. If the team is measured primarily on speed, the sponsor can adjust expectations so compliance is not treated as a tax on performance. If dependencies are unclear, the sponsor can clarify decision rights and align owners across functions. The key is to engage sponsors respectfully, with a clear problem statement and a specific ask, rather than escalating emotionally. When a sponsor participates constructively, it reduces the feeling that the security team is imposing unilateral demands. It signals that the standard is an organizational commitment, not a personal preference. That shared ownership is often what turns stalemate into movement.

There are times when resistance crosses a line into unacceptable behavior, and handling that calmly is part of defending standards. Unacceptable behavior might include personal attacks, intimidation, deliberate sabotage, repeated refusal to comply with mandatory controls, or actions that put systems and data at known risk. The response should be specific and behavior-focused, not character-focused, because moralizing escalates conflict and reduces the chance of correction. Calmly name what happened, why it is a problem, and what must change, while keeping your tone measured. If you need to enforce a boundary, enforce it consistently, because inconsistent enforcement destroys credibility faster than almost anything else. This is where documentation and escalation pathways matter, because you are not relying on persuasion alone; you are relying on clear expectations and organizational support. Even when you are firm, keep the door open for constructive participation, because the goal is behavior change, not humiliation. Backbone with professionalism is what maintains safety without poisoning relationships.

Documentation turns agreements into durable reality, and it is especially important when there has been resistance. Document what was agreed, what the non-negotiables are, what options were selected, and what the timelines and responsibilities will be. Documentation should also include consequences for noncompliance when appropriate, not as a threat, but as clarity about what will happen if the organization’s standards are not met. Review checkpoints are equally important because they provide a moment to verify progress and adjust before deadlines are missed. Without checkpoints, people often assume someone else is tracking, and tracking becomes vague, which is how drift returns. Documentation also protects both sides, because it reduces the chance of later disagreement about what was decided. It creates institutional memory so the same debate does not restart when staffing changes. In high-stakes environments, written clarity is a safety mechanism, because it prevents misunderstanding from becoming a risk event. When documentation is consistent, standards become part of the operating system, not part of a negotiation.

Recognizing progress publicly is a subtle but powerful reinforcement tool, because people repeat behavior that is noticed and valued. Recognition should focus on the behavior you want to see, such as meeting a standard consistently, closing the loop on evidence, or improving a workflow to reduce friction while preserving protections. Public recognition also helps shift the narrative away from security as the team that blocks, and toward security as the team that enables reliable delivery. The recognition does not have to be extravagant, and it should not feel political, but it should be timely and specific. When a previously resistant team makes progress, recognizing that progress is especially valuable, because it lowers the social cost of changing their mind. It tells others that it is safe to adopt without losing status. Reinforcement also helps standards stick after the initial push, because people learn that the organization notices sustained behavior, not just one-time compliance. Over time, recognition becomes part of culture change, which is how non-negotiables become normal.

Maintaining empathy without compromising core protections is the long game, and it requires consistency in how you show up. Empathy means you continue to treat people as partners even when they disagree, and you stay curious about constraints rather than assuming laziness or incompetence. It also means you design for human reality, acknowledging that friction, overload, and competing priorities are normal. At the same time, you do not move the boundary on what must be protected, because moving the boundary teaches the organization that standards are negotiable under enough pressure. The balance is to be flexible in implementation while being firm on outcomes, and to be transparent about why the outcomes matter. When you consistently apply this approach, people stop treating standards as arbitrary rules and start treating them as shared commitments that can be met in sensible ways. That shift reduces resistance over time because the conversation becomes about how to succeed, not about whether to comply. Empathy and backbone together are what create durable trust in your leadership.

To conclude, choose one active resistance case you are dealing with right now and apply boundaries with both respect and firmness. Start by diagnosing the likely source, then listen actively and reflect the concern so the other person feels understood without you giving away the standard. Separate what is negotiable from what is non-negotiable, explain the why in outcome terms, and offer real options within the boundary so the team can regain autonomy. Use a small experiment if evidence is needed to resolve disagreement, and engage a sponsor when incentives or capacity make adoption unrealistic. If behavior crosses into unacceptable territory, address it calmly and specifically, then document the agreement, consequences, and review checkpoints so follow-through is real. Recognize progress when it happens, because reinforcement is how new behavior becomes normal. When you do this consistently, you will find that resistance becomes less of a battle and more of a signal, and you will protect the organization without losing the people you need to protect it.
