Breaking the Inertia: Overcoming Resistance to Change in Fast-Growth Companies

Have you ever been in an organization where it is very difficult to change the way things are done because of the speed at which the organization is moving? Often these changes are meant to improve how things work, yet it is still very hard to get the organisation to understand that changing or adopting a new process is for the common benefit, because people fear the new process will disrupt their workflow or introduce complexity without clear short-term benefits.
Another typical reason is "if it works, don't fix it": the tendency to stick to existing processes and strategies on the assumption that they will keep working as the company scales. This is usually tied to a lack of expertise and awareness. Employees who joined the company early never had to solve certain problems or processes the way the company now needs, so they stick to what they first thought was the right process. Finally, siloed departments and poor communication between them make it difficult to align on strategic changes and decision making.
All of this can be summarised as "Organisational Inertia". Being in this situation is very challenging and often frustrating if you need to introduce new security processes and establish a Security Culture.
What is Inertia?
Inertia is the natural tendency of objects in motion to stay in motion and objects at rest to stay at rest, unless a force causes the velocity to change. (Wikipedia)
So how can we describe Organisational Inertia?
Organisational inertia is the tendency of a company to resist change, even when external circumstances or internal growth demand adaptation. It occurs when established processes, cultural norms, and decision-making patterns become deeply embedded, making it difficult to introduce new strategies, technologies, or security processes.
The paradox of speed and resistance:
The paradox of speed and resistance arises when fast-growing companies prioritize rapid expansion and innovation while simultaneously resisting structural or process changes necessary to sustain that growth securely. Speed often becomes the driving force, with leadership focusing on market capture, product releases, and customer acquisition. However, this pace can create friction when introducing critical security controls, process improvements, or governance frameworks perceived as slowing down progress. The very agility that drives success can lead to shortcuts, technical debt, and unmanaged risks if unchecked.
It is very difficult to convince people that new processes or changes will make their lives easier in the long run. In these environments everything tends to be short-sighted and focused on the now, and security is perceived as a blocker to productivity. This becomes a problem later: rapid growth brings overlooked risks, heavy security debt and compliance unreadiness, which suddenly become a business priority when the company struggles to sign new key customers due to lack of compliance.
Security staffing ratios are very low in these phases, which makes the work much more challenging, as the resources allocated to security are very limited compared to growth-driven priorities.

Hiring sprees outpacing culture
Rapid influx of new talent often outpaces the organisation’s ability to instil and consolidate security best practices and enforce standardised processes.
When onboarding is rushed or inconsistent, new hires may lack clarity on critical security protocols, increasing the risk of accidental data mishandling, weak access controls, or non-compliance with company policies.
This rapid expansion can also dilute the company culture, making it difficult to maintain a shared understanding of security values and expectations. Without a strong cultural foundation, introducing new processes or driving change becomes even harder, as teams may default to varying practices based on their previous experience rather than aligning with the company’s evolving security posture. You are lucky if a new hire comes from a more security-mature company, and you struggle if they come from the opposite.
What can you do to succeed in this environment?
Don't get demotivated. Overcoming organisational inertia requires a spark of activation energy: the initial surge of effort needed to break free from the status quo and ignite meaningful change. Just as in chemistry, where a reaction needs a certain energy input to break molecular bonds and form new ones, organisations must invest focused effort upfront to challenge deeply embedded habits, processes, and mindsets.

This activation energy might come in the form of:
- Top-down initiatives, such as executive sponsorship of security programs, can overcome resistance. A classic security top-down initiative is the Bill Gates Security Memo of 2012, in which security was put at the center of everything Microsoft was doing and prioritised over other attributes, and more recently the memo by Satya Nadella, "Prioritising Security above all else".
- Balancing speed with resilience requires leadership commitment, aligning security as an enabler of growth rather than a blocker, and embedding safeguards without compromising momentum.
- Slipstreaming: identify the key projects and initiatives in the company and team up with those teams to embed security as part of those projects. This generates little friction and takes much less effort than starting your own projects across the org. If you have enabling teams or platform teams, these are great teams to work with, as they usually create processes and tooling centrally for the whole organization. I have many examples, like embedding security libraries and secure base OS images in microservice templates or cookiecutters in my early times in Skyscanner, or the EC2 golden images; adding security checklists and controls to the new Engineering Design review process; adding security training to new onboarding processes; including vulnerability metrics in existing QA dashboards. Even a small change is an improvement that will be easier to expand later. The less friction a new process adds, the better its adoption will be.
- A scalable onboarding framework and ongoing security education are essential to preserve cultural integrity while supporting secure growth. This sounds easy, but it is not when things are moving fast and people join the company on a weekly basis.
- Clear communication and change management can make a huge difference in these environments: communicate widely and clearly the "Why" behind the new processes or changes. Again, leadership sponsorship of these messages will make all the difference. For this I recommend watching Simon Sinek's TED talk, "Start with Why".
- A Security Champions network is a good channel to introduce processes across the organization, if you can set up such a network and run the program, which requires resources to launch and sustain it. It can be very helpful in dealing with the siloed situation that most organizations face during fast growth, bridging central communication to the teams and making it easier for information to flow.
Once the momentum for change builds, it can become self-sustaining, with cultural shifts and process improvements reinforcing themselves over time. By recognizing and committing to this early energy investment, companies can break free from inertia and build resilience, particularly in areas like cybersecurity, where proactive change is essential for long-term success.
Organizational Inertia and Enterprise, is that a thing?
Organizational inertia is often associated with fast-growing startups or scale-ups, but large enterprises can face similar challenges in slightly different ways. In big organisations, inertia typically manifests as bureaucratic bottlenecks, where established processes and layers of decision-making slow down innovation and adaptation. This takes me back 25 years to when I worked in a Government agency in Argentina; being the new guy who wanted to improve things was very frustrating in such a bureaucratic environment.
In enterprises, the challenge isn’t necessarily the speed of the organization but its size and complexity. Systems, procedures, and silos can become so ingrained that making even small changes feels like trying to turn a massive ship through a narrow canal.
Finally, I want to make sure that you recognise when you are in this situation, as sustained periods of organisational inertia can be particularly stressful for small security teams, especially when progress feels slow despite constant effort. The overwhelming volume of unresolved issues and growing risks, process roadblocks, and resistance to change can create a sense of stagnation, leading to frustration and ultimately burnout. When teams feel like they’re constantly firefighting without meaningful improvements or recognition, motivation can decline, compromising both morale and performance. I have been there, and it's not a place you want to be. Pause, reassess the situation and identify where you can find the spark for change that could work for you (activation energy).
It’s crucial for leaders to acknowledge these challenges, celebrate small wins, and create space for reflection on the progress made; even incremental improvements matter. We tend to focus on what is missing and the gaps, and pay little attention to everything we have achieved so far. Prioritising team well-being, open communication, and shared accountability can help maintain resilience during long-term transformations. Remember, sustainable security isn’t just about protecting the business; it’s about protecting the people driving that success.
Break the Inertia, don't let the inertia break you 🙂