From Principles to Practice: How Time Horizons Transform Security Planning

Learn how a practical time horizons framework can transform chaotic security planning into predictable, effective work that delivers real business value.

Roman Jasins

Time Horizons Transform Security Planning

Planning can be genuinely helpful or just annoying overhead; which one you get depends on whether you hit the right balance. This is true for almost everything, not just security. Finding this balance is the key to the right velocity: not fast or slow in absolute terms, but moving forward steadily without rushing and creating more problems than you solve.

I'm going to share where we've found the sweet spot in planning for information security, and how this approach can help teams stop spinning their wheels and start making tangible progress.

Symptoms of Security Planning Not Working

Sound familiar?

  • Your team is constantly putting out security fires with no time for the bigger stuff
  • Those big security goals you set last year are still sitting on the shelf
  • Security projects start with a bang and end with a whimper (usually way over budget)
  • Sales, engineering, and operations all have different ideas about security priorities
  • Security work feels disconnected from what the business actually needs

We've seen this mess in all sorts of organizations. There are many factors at play, but one pattern shows up again and again: teams have no practical way to organize security work across different time horizons. Without some structure, security projects end up competing with each other instead of complementing each other. The planning gap isn't the only issue, but fixing it creates a foundation for tackling many of the others.

Why Traditional Planning Methods Fall Short

Often organizations fall into two common traps:

The "Big Plan" Fallacy: Many teams spend weeks or even months creating ambitious multi-year security roadmaps. They are impressive documents with fancy diagrams, and they are almost always gathering dust within three to six months. Technology changes, threats evolve, and business priorities shift far too quickly for rigid long-term plans to stay relevant.

The "Sprint Treadmill": Then there's the flip side: trying to cram all security work into sprints of a few weeks. This works well for smaller tasks but falls apart for complex security initiatives. Teams get good at checking off small items, but their overall security still lags, simply because a complex initiative has too many moving parts and dependencies to keep track of within a short sprint.

Both approaches miss something important: security work happens at different speeds. Some things need long-term thinking while others need immediate action, and you have to handle both at the same time.

The Four Horizons Framework

Here is a more practical approach to planning that spans four different time horizons:

Lifetime Horizon (Years)

This horizon covers your foundational security principles and long-term vision. It answers: “What security capabilities do we need for the long haul?”

Example: A company established some basic data protection principles like “customer data must be encrypted wherever it lives” and “sensitive data access requires multi-factor authentication.” These weren’t specific projects – they were guardrails that shaped everything else.

At this horizon, you’re setting direction, not details. It’s about creating boundaries and guides for the more concrete work that comes later.

Yearly Horizon (12 Months)

This horizon turns your principles into yearly goals and major initiatives. It answers: “What big security improvements do we need to tackle this year?”

Example: Based on their principles, a company picked three security priorities for the year: sorting out their data classification, upgrading authentication, and improving threat detection. Each was big enough to need months of work but specific enough to finish within a year.

The yearly horizon gives context to your shorter-term work, making sure those quick wins add up to something meaningful.

Quarterly Horizon (3 Months)

Here’s where you focus on specific, shapeable security projects. This answers: “What concrete security projects should we tackle next?”

Example: The security team shaped a project to implement multi-factor authentication for their main customer-facing application. They defined what was in and out of scope, spotted potential problems early, and created a pitch explaining why this mattered and how they'd approach it.

A pitch (sometimes called a business case) is your tool to validate ideas and get buy-in. A good pitch clearly explains the problem, the proposed solution, how much time you're willing to spend on it (the "appetite"), and any risks you see coming.

This is also where “shaped work” happens. Shaping means defining a project at the right level – specific enough to provide direction but flexible enough to let the team solve problems creatively. Well-shaped work has clear boundaries, identifies risks, and describes the core solution without micromanaging the details.

The quarterly horizon is for shaping work, making prioritization decisions, and tracking progress.

Cycle Horizon (6 Weeks)

This is where the rubber meets the road. It answers: “What are we building right now?”

Example: With the MFA project approved, a team took a six-week cycle to implement it. They broke the work into manageable chunks, tracked their progress, and made smart trade-offs to deliver on time. Six weeks later, they had a working MFA solution ready to go.

This horizon is all about execution – turning shaped ideas into real security improvements.

A note for smaller teams: If you’re in a startup or small organization, you don’t necessarily need all four horizons. It’s totally fine to collapse some of these together. Maybe your lifetime and yearly horizons are just one document, and your cycles might be shorter than six weeks. What matters is that you’re thinking at different time scales, not the exact structure you use.

Real-World Case: Before and After

Let’s look at how this approach transformed security planning for a company with about 75 employees.

Before: Planning Dysfunction

Lifetime Horizon: The company had some security principles written down, but they were scattered across different documents, mostly outdated, and each department had their own take on them.

Yearly Horizon: Their annual security “plan” was basically a wish list with vague goals like “improve our security posture” and “enhance compliance capabilities.” No specific initiatives or resource plans.

Quarterly Horizon: Projects popped up randomly, usually because a customer demanded something or an incident forced their hand. Very little planning or risk assessment.

Cycle Horizon: Teams juggled multiple security projects at once, constantly interrupted by the crisis of the day and shifting priorities.

Result: Despite having smart, capable people, they struggled with missed deadlines, scope creep, and security improvements that didn’t actually address their biggest risks.

After: Alignment

Lifetime Horizon: The company created a unified set of core security principles that everyone agreed on.

Yearly Horizon: Leadership identified three major security initiatives for the year with ownership and resources.

Quarterly Horizon: The security team is shaping work properly and making deliberate decisions about which projects to pursue each quarter.

Cycle Horizon: Implementation teams are working in six-week cycles with protected time to focus.

Result: Within six months, they completed more meaningful security improvements than in the previous two years. Security work became predictable and visibly aligned with business goals.

Example: Cloud Migration Alignment

Here's another example of how this approach can make a big difference. An institution was moving its on-premises infrastructure to the cloud, a project that naturally involved both the operations and security teams. Before adopting the horizons approach, these teams were working completely separately:

  • Operations focused on migration speed and minimizing downtime
  • Security worried about maintaining compliance and preventing new risks
  • Each team had different timelines and priorities
  • Progress stalled due to last-minute security concerns blocking deployments

After adopting the horizons framework:

Lifetime Horizon: They established shared cloud security principles that both teams helped create.

Yearly Horizon: They built a joint roadmap that balanced migration goals with security needs.

Quarterly Horizon: Security and operations shaped work together, ensuring migration projects included security requirements from the start.

Cycle Horizon: Mixed teams with both operations and security expertise implemented changes in coordinated six-week cycles.

This approach eliminated the friction between teams. Operations no longer saw security as an obstacle because security requirements were built into the plan from the beginning. Security didn’t have to play the “bad cop” by stopping deployments at the last minute. The coordinated horizons meant both teams were working from the same playbook.

How to Start: Practical Steps for Any Organization

You don’t need a massive overhaul to start using this approach. Here’s how to begin based on your organization’s size:

For Startups (5-50 employees)

  1. Lifetime Horizon: Jot down 3-5 core security principles on a single page. Keep it simple.
  2. Yearly Horizon: Pick 1-2 security priorities for the year.
  3. Quarterly Horizon: Shape one concrete security project with clear boundaries.
  4. Cycle Horizon: Set aside dedicated time (even just one day a week) to make progress.

Example: A small team documented three core security principles on a single page, dedicated Fridays for security work, and implemented a phishing-resistant authentication system over six weeks of Friday sessions.

And remember, for startups, it’s perfectly fine to collapse some horizons together. Maybe your lifetime and yearly planning is just one short document. The key is thinking at different time scales, not creating elaborate planning systems.

For Scaling Organizations (50-500 employees)

  1. Lifetime Horizon: Create a concise security strategy.
  2. Yearly Horizon: Develop a roadmap with 3-5 major initiatives.
  3. Quarterly Horizon: Start shaping work and making deliberate bets on projects.
  4. Cycle Horizon: Establish six-week implementation cycles with dedicated teams.

As a medium-sized company, set up quarterly planning sessions that include both the security and product teams, shape the work together, and run it in six-week cycles. This gives you a much better chance of closing long-standing security gaps and measurably improving your security posture.

For Enterprises (500+ employees)

  1. Lifetime Horizon: Integrate security principles into your enterprise architecture.
  2. Yearly Horizon: Align security initiatives with business planning cycles.
  3. Quarterly Horizon: Implement portfolio management for security initiatives.
  4. Cycle Horizon: Scale the cycle approach across multiple teams.

As a large organization with complex compliance requirements, organize your security planning across the four horizons and establish a formal shaping process. Investing in coordinating cycles across multiple teams helps deliver more security value while keeping everything aligned with regulatory needs.

Connecting to Cross-Functional Teams

One of the biggest benefits of this approach is how it helps security work with other teams:

Product/Engineering Integration

  • Lifetime Horizon: Security principles shape product and technology strategy
  • Yearly Horizon: Security initiatives align with product roadmaps
  • Quarterly Horizon: Security and engineering collaborate on shaping work
  • Cycle Horizon: Implementation teams include both security and engineering expertise

Executive/Business Integration

  • Lifetime Horizon: Security principles connect to business strategy
  • Yearly Horizon: Security investments align with business priorities
  • Quarterly Horizon: Business leadership helps decide which projects get funded
  • Cycle Horizon: Regular feedback loops show how security work impacts the business

Operations Integration

  • Lifetime Horizon: Security principles consider operational realities
  • Yearly Horizon: Security and operations roadmaps complement each other
  • Quarterly Horizon: Teams shape work with both security and operational needs in mind
  • Cycle Horizon: Security and operations collaborate on implementation

I've seen firsthand how this approach gives teams a common language to talk about security. People from different departments start to see how their work connects, and at which time scales.

Next Steps: Things You Can Do Today

Three quick steps you can take right now to start improving your security planning:

  1. Do a 15-Minute Horizon Mapping: Grab a piece of paper and list your current security work. Then draw four columns for the "Lifetime," "Yearly," "Quarterly," and "Now" time horizons and sort your work into them. The gaps you see will tell you a lot about where you need to focus.

  2. Set One Clear Boundary: Pick one security project you’re working on right now. Take 10 minutes to write down what’s in scope, what’s definitely out of scope, and when it needs to be done. Share this with your team. You might be surprised how often people are working with completely different assumptions.

  3. Schedule a Demo: Block 30 minutes on your calendar for next week where whoever is working on security can show actual progress (ideally not just talk about it). Make this a regular habit. Nothing creates accountability like showing some output of your work.

Security doesn’t have to be ad-hoc or disconnected from what the rest of the business needs. With a practical planning approach, work becomes more predictable, effective, and aligned with what matters most.


This article is based on the Peak Defence Method’s approach to security planning. For more information on implementing these concepts in your organization, head to the Peak Defence Method.
