Shaping Security Work

How to define resilient security initiatives at the right level of abstraction to enable successful implementation

Introduction

Security initiatives fail for many reasons, but often there is a common pattern: they’re either too vague or too specific before implementation begins. Traditional approaches oscillate between these extremes:

Too abstract: “Implement zero trust architecture” or “Improve our security posture” lack clear boundaries and direction
Too concrete: Detailed specifications that over-constrain implementation teams and can’t adapt to discoveries made during implementation

Shaping security work is the critical process that bridges this gap. It creates just enough structure to enable teams to deliver meaningful security improvements within fixed time constraints, while leaving room for adaptation and expertise.

Security shaping inherently crosses organizational boundaries. Unlike purely technical security work, well-shaped security initiatives must consider impacts on and contributions from various business functions. This integrated approach ensures security work delivers value while remaining implementable within organizational constraints.

This chapter explains how organizations of different sizes and maturity levels can effectively shape security initiatives, ensuring they’re:

Appropriately scoped for available resources
Well-defined but not over-specified
Designed for resilience in line with our core principles
Implementable within the organization’s capabilities
Coordinated across functions to avoid silos and ensure business alignment

Maturity Level Framework

Shaping security work evolves as organizations grow in size and capability. The table below illustrates how key characteristics change across maturity levels:

Characteristic	Level 1: Startup	Level 2: Scale-up	Level 3: Enterprise
Formality	Lightweight, conversational	Structured but flexible	Comprehensive, documented
Participants	Founder/CTO + key team members	Security lead + stakeholders	Security architects + specialized teams
Timeframe	Hours to days	Days to a week	1-2 weeks
Documentation	Brief, focused scope pitch	Detailed scope pitch with visuals	Formal document with supporting materials
Risk Analysis	Key risks only	Systematic risk review	Comprehensive risk and resilience analysis
Tooling	Simple, accessible tools	Purpose-built templates	Specialized platforms
Cross-Functional Integration	Direct collaboration with founders/leaders	Structured touchpoints with department heads	Formal governance across organizational functions
Boundary Objects	Simple scope pitch visible to all teams	Security problem-solution templates with department touchpoints	Enterprise architecture with security components

Progression Indicators

When to move from Level 1 to Level 2:

Security initiatives regularly exceed their appetites or scope
Multiple teams need to collaborate on security implementations
The organization has dedicated security personnel
Security initiatives affect significant portions of the business
Cross-functional dependencies become more complex
Security constraints need documentation for external partners
Product development requires earlier security involvement

When to move from Level 3 to Level 3:

Complex, organization-wide security initiatives are common
Multiple specialized security teams exist
Regulatory compliance requires formal documentation
Enterprise architecture governance is established
Security roadmaps span multiple quarters or years
Cross-functional security processes span multiple departments
Security architecture affects enterprise-wide systems

Shaping Across Planning Horizons

Security shaping doesn’t exist in isolation—it operates within the context of the planning horizons that structure security work across different timescales. As organizations mature, they need to consider how shaping applies across these different horizons.

How Shaping Differs Across Horizons

Horizon	Shaping Focus	Outputs	Maturity Relevance	Cross-Functional Considerations
Lifetime (Years)	Security principles, architectural patterns, and strategic approach	Reference architectures, security principles, strategic boundaries	Critical for Level 3, emerging at Level 2, often implicit at Level 1	Business strategy alignment, legal/regulatory frameworks, technology strategy integration
Yearly (12 Months)	Major security capabilities and program-level initiatives	Security roadmaps, capability definitions, resource planning	Formalized at Level 3, simplified at Level 2, often combined with quarterly at Level 1	Resource allocation across departments, compliance coordination, technology investment alignment
Quarterly (3 Months)	Specific security initiatives and projects	Shaped pitches for betting consideration, project portfolios	Primary focus of shaping at all maturity levels	Product roadmap integration, engineering coordination, operational impact analysis
Cycle (6 Weeks)	Execution-level scoping and adaptation	Scope maps, implementation plans	Where shaped work is implemented rather than shaped	Development team collaboration, release coordination, operational handoffs

This matrix helps organizations understand how shaping evolves across both planning horizons and organizational maturity levels.

Horizon Integration in Practice

Level 1: Horizon Collapse for Startups

For startups and small organizations, planning horizons often collapse together:

Practical Approach: Startups typically combine yearly and quarterly horizons into a single planning timeframe, with minimal lifetime-horizon work
Shaping Focus: Focus shaping efforts at the quarterly horizon—identifying specific, high-impact security improvements
Key Technique: Ensure scoped work connects to the organization’s highest security priorities, even without formal horizon planning
Cross-Functional Integration: Shape security work in direct collaboration with founders and team leads to ensure alignment with product and business priorities

Example: A startup might shape a “Secure Authentication Implementation” initiative directly without placing it in a broader capability roadmap or architectural framework. The shaping process would involve the CTO working directly with the product lead to ensure the authentication solution meets both security and user experience requirements.

Level 2: Emerging Multi-Horizon Shaping

As organizations grow to mid-size, multiple planning horizons begin to emerge:

Practical Approach: Maintain separate yearly and quarterly planning, with emerging lifetime-horizon thinking
Shaping Focus: Shape at both quarterly horizon (specific initiatives) and yearly horizon (capability development)
Key Technique: Ensure shaped quarterly work explicitly connects to yearly security objectives
Cross-Functional Integration: Establish structured touchpoints with department heads during the shaping process to identify dependencies and constraints

Example: A scale-up organization shapes both a yearly “Identity Management Enhancement” capability initiative and several quarterly projects that support it, like “MFA Implementation” and “SSO Integration.” The security lead works with engineering managers to understand technical constraints and with product management to align with product roadmaps.

Level 3: Comprehensive Horizon Planning

Enterprise organizations maintain clear separation between planning horizons:

Practical Approach: Formal processes for each planning horizon with clear governance
Shaping Focus: Different shaping approaches for different horizons, with specialized teams
Key Technique: Maintain traceability between shaped work at different horizons
Cross-Functional Integration: Formalized governance processes ensure cross-functional alignment at each horizon level

Example: An enterprise shapes security architecture patterns at the lifetime horizon, defines “Zero Trust Implementation” at the yearly horizon, shapes “User Authentication Modernization” at the quarterly horizon, and implements specific components in each six-week cycle. Cross-functional governance ensures alignment with enterprise architecture, compliance requirements, and product roadmaps.

Aligning Shaped Work Across Horizons

Regardless of maturity level, organizations need mechanisms to ensure shaped work aligns across relevant planning horizons:

Level 1: Simple Alignment

Documentation: Brief notes on how shaped initiatives support key security priorities
Verification: Informal check with founders/leadership before betting on shaped work
Adaptation: Fast pivots when business or security priorities change
Cross-Functional Coordination: Shared visibility through simple artefacts like roadmap board or shared documents

Level 2: Structured Alignment

Documentation: Explicit mapping of shaped initiatives to yearly security objectives
Verification: Review of quarterly shaped work against yearly security roadmap
Adaptation: Quarterly reassessment of security priorities and shaped work pipeline
Cross-Functional Coordination: Security representatives participate in departmental planning and vice versa

Level 3: Governance-Driven Alignment

Documentation: Formal traceability from lifetime principles through yearly capabilities to quarterly initiatives
Verification: Stage-gate reviews to ensure alignment across horizons
Adaptation: Structured change management processes for security roadmap modifications
Cross-Functional Coordination: Formal governance with representatives from all key functions

Common Horizon Alignment Challenges

Challenge	Level 1 Solution	Level 2 Solution	Level 3 Solution	Cross-Functional Element
Disconnection between strategic vision and implementation	Frequent all-hands discussions of security priorities	Explicit mapping documents between initiatives and strategy	Formal traceability requirements in shaping process	Include product and business leads in security discussions
Shifting priorities creating wasted shaping effort	Shape smaller initiatives closer to implementation	Maintain a small portfolio of shaped work	Use rolling wave planning with horizon-appropriate detail	Coordinate priority changes across affected departments
Inconsistent approach across horizons	Designate a single person responsible for security direction	Create lightweight templates for different horizons	Establish formal governance across planning horizons	Ensure consistent representation of key functions at each horizon

Practical Tips for Horizon-Aligned Shaping

Start where you are: Focus shaping at the planning horizon most relevant to your organization’s maturity
Create visible connections: Even with informal processes, document how shaped work connects to longer-term security needs
Shape appropriately for the horizon: Use less detail at longer horizons, more specificity at shorter ones
Validate downward: Ensure longer-horizon shaping creates legitimate space for shorter-horizon work
Validate upward: Confirm shorter-horizon shaped work supports longer-term security objectives
Include the right people: Ensure appropriate cross-functional representation at each horizon level

By understanding how shaping intersects with planning horizons, organizations can ensure their security initiatives remain aligned with strategic direction while still maintaining the benefits of bounded, concrete implementation work.

Level 1: Startup Foundation

Target Organization: Startups and small organizations (5-50 employees)
People Required: Founder/CTO time + key team members

At the startup level, security shaping must be lightweight yet effective. The goal is to create enough structure to guide implementation without bureaucracy that would slow down a small, agile team.

Essential Shaping Process

1. Set Boundaries (1-2 hours)

Define the security problem and appetite:

Start with the security need - What specific risk or customer concern are we addressing?
Set a time constraint - How much time can we afford to spend on this? For startups, typical appetites are:
- Small security improvement: 2-3 days
- Significant security feature: 1-2 weeks
Narrow the scope - What specific aspects of the problem will we address now vs. later?
Identify key stakeholders - Which teams or functions will be affected by this security initiative?

Cross-Functional Considerations:

Include at least one person from product or engineering in boundary-setting to ensure technical feasibility
Consider customer-facing implications by consulting with sales or support if relevant
Ensure founders are aware of security work that might affect product roadmap

Example:

“We need to implement MFA for customer accounts before our enterprise customer signs. We can dedicate one developer for one week. We’ll focus only on email-based verification for this phase. This will affect our authentication flow, so we need input from our product designer.”

2. Outline the Solution (2-3 hours)

Identify key components - What are the main parts of the solution?
Sketch critical user or system flows - How will the security measure work?
Define success criteria - How will we know it’s working correctly?
Map cross-functional touchpoints - Where will this security initiative intersect with other functions?

Use simple tools like:

Whiteboard sketches
Flowcharts (can be even drawn on paper)
Brief written descriptions
Simple interface mockups

Cross-Functional Boundary Objects:

User flow sketches that show security-UX tradeoffs
Simple technical diagrams showing integration points
One-page overview visible to the whole team

Example Cross-Functional Touchpoint Map:

MFA Implementation
Product Design: Authentication flow changes (Joe)
Engineering: API changes for verification (Sarah)
Customer Support: User guidance needed (Tina)
Sales: Enterprise customer update (Miguel)

3. Address Key Risks (1-2 hours)

List 3-5 top risks that could derail the project
Define simple mitigation approaches for each risk
Identify minimum viable resilience measures:
- How will we know if this security control fails?
- What’s our simplest recovery approach?
Consider cross-functional risks:
- User experience friction
- Development timeline conflicts
- Customer support implications
- Sales or compliance commitments

Example Risk Analysis:

“Risk: Users won’t complete the MFA setup process”
“Mitigation: Make MFA optional initially, but show security benefit clearly”
“Resilience: Track setup completion rates and add reminders if below 50%”
“Cross-functional risk: Support team needs to handle account recovery cases” “Mitigation: Create simple account recovery process for locked-out users” “Resilience: Monitor support ticket volume for MFA issues, adjust process if needed”

4. Create a Simple Pitch (1-2 hours)

Document the shaped work in a brief format that can be shared with the implementation team:

MFA Implementation

Problem: Enterprise customers require MFA for compliance.

Appetite: 1 developer, 1 week

Solution:

Email-based verification code
Optional enrollment for existing users
Required for new users
Simple setup flow with clear instructions

Risks:

Low adoption: Track rates, add reminders if < 50%
Performance impact: Ensure verification emails send asynchronously
Recovery: Allow account recovery via support for locked-out users

Cross-Functional Requirements:

Product: Need design review of auth flow (1-2 hours)
Support: Create account recovery process (half-day)
Sales: Update enterprise customer on timeline (brief email)

Not included:

SMS verification
Hardware token support
Admin MFA enforcement options

Cross-Functional Coordination

For small organizations, cross-functional coordination happens through direct collaboration:

Joint Shaping Sessions
- Include at least one person from affected functions in shaping
- Use simple shared documents that all stakeholders can access
- Focus on key touchpoints rather than comprehensive documentation
Shared Visibility
- Post shaped security work where all team members can see it
- Use existing team communication channels for updates
- Review security work in regular company-wide meetings
Direct Handoffs
- Clear person-to-person communication about requirements
- Immediate feedback loops during implementation
- Joint problem-solving for cross-functional challenges

Example Boundary Object:

The “Security Initiative One-Pager” - a simple document showing:

Problem statement and business impact
Proposed solution with key components
Timeline and resource needs
Cross-team dependencies and touchpoints
Success criteria that matter to different functions

Implementation Guidance

For small organizations, the implementation approach should be:

Informal kick-off - Discuss the pitch directly with implementers
Regular check-ins - Brief daily updates to catch issues early
Flexible adaptation - Allow the team to adjust the approach as they learn
Ship and learn - Get the security improvement to users quickly, then iterate
Cross-functional coordination - Maintain direct communication with affected teams

Common Challenges and Solutions

Challenge	Solution	Cross-Functional Element
Too many competing priorities	Set explicit security time budgets (e.g., 10% of developer time)	Align with product roadmap priorities
Limited security expertise	Focus on high-impact controls; use security-as-a-service where possible	Leverage domain knowledge from different teams
Scope expansion during implementation	Ruthlessly defer nice-to-haves to future phases	Communicate scope decisions to affected teams
Balancing security and speed	Implement minimum viable security controls with quick feedback loops	Involve UX early to minimize friction
Security slowing product development	Shape security work to align with product development cycles	Include product lead in security shaping sessions

Signs You’ve Outgrown Level 1

Security shaping consistently takes more than a day
Multiple teams need to collaborate on security implementations
Security initiatives regularly affect your entire product or infrastructure
You have dedicated security personnel who need to be involved in shaping
Cross-functional impacts become hard to manage through direct communication
External security requirements require more formal documentation
Product timeline conflicts with security needs become more frequent

Level 2: Scale-up Enhancement

Target Organization: Growing organizations (50-500 employees)
People Required: Security lead + relevant stakeholders

As organizations grow, security initiatives become more complex and touch more parts of the business. Scale-ups need a more structured approach to shaping while maintaining reasonable speed and flexibility.

Enhanced Shaping Process

1. Set Boundaries (1-2 days)

Define the security problem and appetite more thoroughly:

Research the security need:
- Gather data on security incidents or near-misses
- Interview key stakeholders to understand business impact
- Review customer or compliance requirements
- Map cross-functional implications
Set a strategic appetite:
- Small security initiative: 1-2 weeks
- Medium security initiative: 3-4 weeks
- Large security initiative: 6-week cycle
Define specific scope boundaries:
- Document in-scope and out-of-scope elements
- Identify affected systems and teams
- Define explicit success criteria
- Document cross-functional dependencies

Cross-Functional Considerations:

Conduct structured interviews with key function representatives
Create a draft boundary document for stakeholder review before finalizing
Map affected business processes across departments
Identify potential compliance or legal implications early

Example:

“We need to implement session security improvements to address findings from our recent penetration test. This is worth a 3-week effort with one security engineer and one developer. The scope includes session timeout, device fingerprinting, and suspicious activity detection. It excludes changes to the authentication system itself. We’ll need input from product, legal compliance, and customer success teams.”

2. Design the Solution (2-3 days)

Conduct lightweight threat modeling:
- Identify key assets and data flows
- Map relevant threat actors and attack vectors
- Prioritize security controls based on risk
- Include cross-functional perspectives
Create solution sketches:
- Flow diagrams of security processes
- Key security interfaces and interactions
- System component diagrams
- User experience considerations
Map existing vs new components:
- Identify which systems need modification
- Document integration points
- Define clear boundaries between components
- Highlight cross-functional requirements

Cross-Functional Boundary Objects:

Security requirements templates for product and engineering
Responsibility matrix for the initiative
%% Integration point diagrams showing handoffs between teams %%
%% User journey maps showing security touchpoints %%

Example Cross-Functional Design Session: Conduct a 2-hour workshop with key representatives from:

Security: Lead and define security requirements
Engineering: Assess technical feasibility
Product: Evaluate user experience impact
Legal: Review compliance implications
Customer Success: Consider support implications

Use a shared template to capture:

Core security requirements
Technical constraints
User experience considerations
Compliance requirements
Support and operational needs

3. Conduct Risk and Resilience Analysis (1-2 days)

Identify implementation risks:
- Technical uncertainties
- Integration challenges
- User experience impacts
- Timeline risks
- Cross-functional challenges
Define resilience requirements:
- Detection mechanisms for security control failures
- Response procedures for when controls fail
- Recovery approaches for affected systems
- Adaptation mechanisms to improve over time
Develop explicit mitigations:
- Specific approaches for each significant risk
- Clear definitions of acceptable risk
- Contingency options if primary approach fails
- Cross-functional escalation paths

Example Cross-Functional Risk Assessment:

Risk: New session controls may disrupt legitimate user sessions Impact: High (customer frustration, support load, potential lost sales) Cross-Functional Owners: Security, Product, Customer Support Mitigation:

Phased rollout with monitoring metrics (Engineering)
Clear user messaging about security changes (Product)
Prepare support team with FAQ and resolution paths (Customer Success) Resilience Measure: Monitor session termination rates and user complaints Escalation: If disruption exceeds 2% of sessions, reconvene cross-functional team

4. Create a Detailed Pitch (1-2 days)

Document the shaped work in a structured format:

Session Security Improvements Pitch

Problem Statement

Recent penetration testing revealed several session management vulnerabilities:

No automatic session timeout
No validation of session origin
No detection of suspicious session activities

This creates risk of session hijacking and unauthorized access to customer data.

Appetite

This initiative is worth a 3-week effort with:

1 security engineer (full-time)
1 developer (full-time)
QA support (part-time)

Solution

Key Components

Session Timeout System
- Configurable idle timeout (default 30 minutes)
- Automatic termination after 24 hours
- User notification before timeout
Device Fingerprinting
- Capture device characteristics on login
- Validate characteristics on each request
- Flag significant changes for verification
Suspicious Activity Detection
- Monitor for abnormal session behavior
- Flag geographic location changes
- Detect unusual access patterns

Integration Points

Authentication service: Session creation hooks
API gateway: Request validation middleware
User preferences: Timeout settings storage

User Experience Considerations

Clear timeout warnings to prevent data loss
Minimally intrusive reverification process
Clear explanations for security challenges

Cross-Functional Requirements

Product Team

Review session timeout UX design (2 days)
Update product documentation (1 day)
Define user messaging for security challenges (2 days)

Engineering

Integration with authentication service (1 week)
Performance testing of request validation (3 days)
Update API documentation (1 day)

Customer Success

Update security FAQ documentation (1 day)
Train support team on new security features (2 hours)
Create troubleshooting guide for common issues (1 day)

Legal/Compliance

Review changes against compliance requirements (1 day)
Update relevant security documentation (half day)

Risks and Resilience

Key Risks

Performance impact of per-request validation
- Mitigation: Implement caching layer for device fingerprints
- Fallback: Reduce validation frequency if performance issues emerge
False positives disrupting legitimate users
- Mitigation: Phased rollout with monitoring of challenge rates
- Adaptation: Tune detection algorithms based on actual usage patterns
Integration complexity with legacy systems
- Mitigation: Create middleware adapter for legacy integration
- Contingency: Phase implementation starting with newest services
Customer frustration with new security measures
- Mitigation: Clear explanations and user education
- Response: Dedicated support process for security-related issues
- Measurement: Monitor user feedback and abandonment rates

Resilience Mechanisms

Comprehensive logging of all session security decisions
Monitoring dashboard for security control effectiveness
Manual override process for support team
Killswitch capability to disable new controls if critical issues emerge

Out of Scope

Authentication system changes
Password policy modifications
Admin session management
Mobile app session handling (separate initiative)

Cross-Functional Coordination

For scale-up organizations, more structured cross-functional coordination becomes necessary:

Security Representatives Model
- Designate security champions or liaisons in key departments
- Establish structured touchpoints during shaping process
- Create clear handoff processes between functions
Structured Boundary Objects
- Security requirements templates tailored to different functions
- RACI matrices for security initiatives
- Documented integration points and dependencies
- Clear success criteria for different stakeholders
Role-Specific Artefacts
- Product: User experience considerations and wireframes
- Engineering: Integration requirements and technical constraints
- Legal/Compliance: Regulatory implications and requirements
- Operations: Deployment considerations and runbooks
- Support: User guidance and troubleshooting procedures

Example Boundary Object: The “Security Initiative Brief” - a structured document with sections for:

Executive summary for leadership
Detailed technical requirements for engineering
User experience considerations for product
Implementation timeline for project management
Support guidelines for customer success
Compliance implications for legal

Implementation Approach

For scale-up organizations, the implementation approach should include:

Formal kick-off meeting - Review the pitch with the entire implementation team
Scope mapping - Break the work into clear, trackable scopes
Regular review cadence - Twice-weekly status reviews with hill chart updates
Structured testing - Dedicated QA for security controls
Post-implementation review - Capture lessons for future security initiatives
Cross-function handoffs - Formal transition of deliverables between teams

Common Challenges and Solutions

Challenge	Solution	Cross-Functional Element
Cross-team dependencies	Identify dependencies early and establish clear interfaces	Create dependency maps with timelines and owners
Security vs usability tensions	Involve product design in the shaping process	Conduct joint usability-security workshops
Technical debt complications	Explicitly factor remediation time into the appetite	Coordinate with engineering on technical constraints
Completing security work on time	Visualize progress through unknowns	Communicate status to stakeholders with visual tools
Unclear security-business alignment	Link security initiatives to business objectives	Include business stakeholders in shaping process
Compliance requirements complicating security design	Engage legal/compliance early in shaping	Create compliance-security translation guides

Signs You’ve Outgrown Level 2

Security initiatives regularly span multiple teams and systems
Regulatory requirements demand more formal documentation
You have multiple specialized security teams (AppSec, InfraSec, etc.)
Enterprise architecture governance is established
Security roadmaps span multiple quarters or years
Compliance requirements drive significant security work
Multiple business units have different security needs

Level 3: Enterprise Optimization

Target Organization: Large organizations (500+ employees)
Resources Required: Security architects + specialized teams + key stakeholders

Enterprise organizations deal with complex, interconnected systems and often have regulatory requirements that demand more comprehensive shaping processes. At this level, shaping becomes more formal while still preserving the core benefits of appropriate abstraction and bounded scope.

Comprehensive Shaping Process

1. Set Strategic Boundaries (3-5 days)

Define the security initiative with strategic context:

Conduct systematic research:
- Analyze security incident data and trends
- Review regulatory and compliance requirements
- Gather stakeholder requirements across business units
- Assess alignment with security strategy and roadmap
- Map cross-functional impacts and requirements
Establish strategic appetite:
- Consider total cost of ownership, not just implementation
- Factor in long-term maintenance requirements
- Align with quarterly or annual security planning
- Set appropriate team composition and timeframe
- Account for cross-functional resource needs
Define comprehensive scope boundaries:
- Map affected systems and data flows
- Document integration with enterprise architecture
- Define success metrics aligned with security KPIs
- Establish clear stage gates for implementation
- Document cross-functional dependencies and requirements

Cross-Functional Considerations:

Formal requirements gathering from business units
Compliance and legal review of proposed boundaries
Enterprise architecture alignment review
Business impact analysis across affected units
Risk assessment with cross-functional evaluation

Example Cross-Functional Boundary Setting:

The security architecture team conducts a series of structured workshops with:

Business Unit Representatives
Enterprise Architecture Team
Legal and Compliance Teams
Infrastructure and Operations Teams
Application Development Teams
Data Governance Teams

Each session follows a structured template to capture:

Business requirements and constraints
Technical integration requirements
Compliance and regulatory needs
Operational considerations
Data protection requirements

2. Architect the Solution (5-7 days)

Conduct formal threat modeling:
- Use structured methodologies (STRIDE, PASTA, etc.)
- Create data flow diagrams with trust boundaries
- Perform attack surface analysis
- Map controls to security requirements
- Include multi-function perspectives
Develop architectural designs:
- Create architectural decision records (ADRs)
- Design system integration models
- Document security control specifications
- Define technology standards and constraints
- Map cross-functional interfaces
Validate with specialized teams:
- Review with enterprise architecture
- Validate with security operations
- Confirm with infrastructure teams
- Check compliance with security standards
- Verify with business unit representatives

Cross-Functional Boundary Objects:

Enterprise architecture diagrams with security components
Business process maps with security controls highlighted
Security interaction models showing cross-function touchpoints
Control framework matrices mapping regulations to controls
Service-level agreements between security and other functions

Example Cross-Functional Design Artifact: A comprehensive solution architecture document with dedicated sections for:

Technical security architecture (for security and IT teams)
Business process impact (for business units)
User experience design (for product teams)
Implementation approach (for development teams)
Operational requirements (for operations teams)
Compliance mappings (for legal and compliance teams)

3. Perform Comprehensive Risk Analysis (3-5 days)

Conduct structured risk assessment:
- Identify risks across multiple dimensions
- Assess likelihood and impact systematically
- Calculate risk scores based on established methodology
- Align with enterprise risk management framework
- Include cross-functional risk perspectives
Design resilience architecture:
- Map control failure scenarios and impacts
- Design layered detection capabilities
- Develop graduated response mechanisms
- Create recovery and continuity plans
- Define continuous improvement processes
- Include cross-functional response requirements
Develop risk treatment plan:
- Document risk acceptance decisions
- Create detailed mitigation strategies
- Define risk transfer mechanisms where appropriate
- Establish residual risk monitoring
- Assign cross-functional risk ownership

Example Cross-Functional Risk Management:

Create a comprehensive risk register that includes:

Technical security risks (owned by security team)
Business impact risks (owned by business units)
Operational risks (owned by operations team)
Compliance risks (owned by legal team)
Project delivery risks (owned by project management)

For each risk, document:

Cross-functional impacts
Primary and supporting owners
Mitigation strategies with responsible teams
Acceptance criteria for each affected function
Monitoring and reporting requirements

4. Create Formal Security Initiative Work Package (3-5 days)

Enterprise-level shaping produces a comprehensive package that includes:

Executive summary:
- Strategic alignment and business case
- Key risks addressed and expected outcomes
- Resource requirements and timeline
- Critical success factors
- Cross-functional impacts and benefits
Detailed initiative definition:
- Problem statement and scope
- Solution architecture and design
- Implementation approach and timeline
- Integration requirements
- Cross-functional requirements and dependencies
Risk and compliance documentation:
- Risk assessment and treatment plan
- Compliance impact analysis
- Security control mapping
- Resilience architecture
- Cross-functional risk ownership
Implementation governance:
- Team structure and responsibilities
- Phasing and milestone definitions
- Success criteria and metrics
- Acceptance criteria and testing approach
- Cross-functional coordination framework

Cross-Functional Integration:

Dedicated sections addressing each affected business function
Function-specific requirements and success criteria
Clear RACI matrix across organizational boundaries
Structured handoff procedures between functions
Governance framework for cross-functional decisions

Example Cross-Functional Implementation Package Section:

Cross-Functional Implementation Plan

Business Unit: Finance

Requirements

PCI-DSS compliance maintained throughout implementation
No disruption to payment processing workflows
Fraud detection capabilities preserved and enhanced

Responsibilities

Provide subject matter expertise on financial workflows (Finance Director)
Review technical designs for payment impact (Finance Systems Analyst)
Validate compliance controls (Compliance Manager)
Test payment workflows (Finance QA Team)

Timeline Integration

Design review: Week 1
Control validation: Week 2
Integration testing: Week 4
Final sign-off: Week 6

Success Criteria

Zero payment processing disruptions
Maintain or improve fraud detection rates
Full PCI-DSS compliance validation

Business Unit:

Customer Service

Requirements

Clear user messaging for security events
Support tools for assisting affected customers
Training on new security controls

Responsibilities

Provide input on customer impact (CS Director)
Develop support documentation (Knowledge Base Team)
Create training materials (Training Team)
Update support scripts (Support Manager)

Timeline Integration

Initial requirements input: Week 1
Documentation development: Weeks 3-4
Support team training: Week 5
Final readiness check: Week 6

Success Criteria

Support team scores 90%+ on readiness assessment
Support documentation completed and approved
No increase in average handle time for security-related issues

Cross-Functional Coordination

For enterprise organizations, cross-functional coordination requires sophisticated governance:

Federated Security Model
- Security representatives embedded in key business units
- Formal security working groups with cross-functional membership
- Security councils at executive and operational levels
- Structured interfaces between security and other domains
Enterprise Boundary Objects
- Security control framework with cross-functional responsibilities
- Enterprise architecture with security components
- Business capability models with security elements
- Cross-functional security service catalogs
- RACI matrices for security capabilities
Governance Integration
- Security requirements integrated into enterprise governance
- Formal stage gates with security validation
- Cross-functional change advisory boards
- Joint risk acceptance frameworks
- Integrated metrics and reporting

Example Boundary Object:

The “Enterprise Security Control Framework” - a comprehensive system showing:

Security controls mapped to business processes
Implementation owners across business units
Verification and validation requirements
Evidence collection responsibilities
Regulatory mapping and compliance requirements
Operational monitoring and metrics

Implementation Governance

For enterprise organizations, implementation requires structured governance:

Formal initiative launch - Enterprise project management procedures
Structured work breakdown - Comprehensive scope mapping with dependencies
Regular governance reviews - Status reporting to security leadership
Stage gate validation - Formal approval at key milestones
Acceptance testing - Comprehensive security testing and validation
Transition to operations - Formal handover to operational teams
Cross-functional coordination - Structured processes for managing dependencies

Common Challenges and Solutions

Challenge	Solution	Cross-Functional Element
Bureaucracy slowing implementation	Create security-specific fast tracks for critical initiatives	Establish cross-functional rapid response teams
Balancing enterprise standards with agility	Use pre-approved patterns and reference architectures	Create reusable security components for business units
Complex stakeholder landscape	Establish a RACI matrix for security initiatives	Implement stakeholder management framework
Integration with legacy systems	Create dedicated integration teams for security implementations	Partner with system owners across business units
Maintaining momentum on long initiatives	Break into smaller, independently valuable deliverables	Demonstrate value to each affected function incrementally
Cross-functional priority conflicts	Establish executive-level governance for resource conflicts	Transparent prioritization framework across functions
Compliance requirements challenging implementation	Create compliance-by-design patterns and templates	Embed compliance specialists in security teams

Continuous Improvement

At the enterprise level, each security initiative should contribute to ongoing capability development:

Capture lessons learned - Formal retrospectives and documentation
Update reference architectures - Incorporate successful patterns
Refine shaping process - Continuously improve based on outcomes
Measure security improvement - Track security metrics before and after
Share knowledge - Document case studies for future initiatives
Cross-functional feedback - Gather input from all affected functions

Cross-Functional Shaping Challenges

Communication Challenges

Challenge	Level 1 Solution	Level 2 Solution	Level 3 Solution
Security terminology barriers	Use simple, business-focused language	Create function-specific security guides	Develop enterprise taxonomy with shared definitions
Misaligned incentives	Focus on mutual benefits in shaped work	Shared success criteria across functions	Integrated performance objectives for security
Timing disconnects	Align security work with product cycles	Coordinate planning across departments	Implement enterprise planning framework
Knowledge silos	Joint shaping sessions with key functions	Cross-functional security working groups	Federated security model with embedded experts

Function-Specific Shaping Techniques

Product/Engineering Alignment

Technique	Level 1 Implementation	Level 2 Implementation	Level 3 Implementation
Security User Stories	Simple security requirements in product language	Security story templates for product teams	Security requirements integrated into product lifecycle
Developer-Friendly Controls	Basic security patterns with code examples	Language-specific security implementation guides	Enterprise security libraries and components
UX-Security Balancing	Simple UX guidelines for security features	Security-UX workshops for key initiatives	Dedicated security UX specialists
Technical Constraint Mapping	Identify major technical limitations early	Document integration points and technical constraints	Enterprise architecture integration patterns

Legal/Compliance Alignment

Technique	Level 1 Implementation	Level 2 Implementation	Level 3 Implementation
Compliance Translation	Map basic compliance needs to technical controls	Compliance requirements templates for security initiatives	Enterprise control framework with compliance mapping
Evidence Planning	Simple evidence collection checklist	Evidence collection protocols for key controls	Automated compliance evidence collection
Risk Acceptance Framework	Basic sign-off process for residual risks	Structured risk acceptance process with legal review	Enterprise risk management integration
Security-Legal Collaboration	Direct conversations with legal counsel	Security-legal coordination meetings	Embedded legal experts in security teams

Business/Operations Alignment

Technique	Level 1 Implementation	Level 2 Implementation	Level 3 Implementation
Business Impact Analysis	Simple assessment of business process impacts	Structured business impact templates	Enterprise capability impact framework
Operational Readiness	Basic operational handover checklists	Formal operational acceptance criteria	Service transition frameworks for security
Support Preparation	Simple guidance for customer-facing teams	Support playbooks for security features	Comprehensive knowledge management for security
Security Value Articulation	Focus on immediate business benefits	Security value metrics aligned to business	Enterprise value framework for security investments

Boundary Objects for Cross-Functional Shaping

Effective cross-functional security shaping requires shared artifacts that create alignment across organizational boundaries. These boundary objects should evolve with organizational maturity:

Level 1: Essential Boundary Objects for Startups

Security Initiative One-Pager
- Simple description of the security problem and solution
- Key impacts on product, business, and customers
- Resource needs and timeline
- Visible to all team members in shared workspace
Security-UX Wireframes
- Simple sketches of security-related user interfaces
- Focus on key user journeys affected by security controls
- Highlight potential friction points
- Created jointly by technical and product team members
Cross-Team Dependency List
- Simple list of what’s needed from each function
- Clear owners and timing for each dependency
- Visible to all affected team members
- Updated as implementation progresses

Level 2: Structured Boundary Objects for Scale-ups

Security Requirements Template
- Standardized format for expressing security needs
- Sections tailored to different organizational functions
- Clear implementation criteria for development teams
- Links to relevant policies and standards
- Validation procedures for different stakeholders
Security-Business Impact Matrix
- Maps security controls to business processes
- Highlights potential business impacts of security changes
- Identifies process owners across functions
- Used in shaping to identify key stakeholders
Cross-Functional RACI Matrix
- Defines roles and responsibilities across functions
- Identifies decision rights and consultation requirements
- Clarifies accountability for different aspects of security work
- Serves as reference during implementation

Level 3: Sophisticated Boundary Objects for Enterprises

Enterprise Security Control Framework
- Comprehensive mapping of security controls
- Linked to business capabilities and processes
- Integrated with enterprise architecture
- Aligned with regulatory requirements
- Shows implementation responsibilities across functions
Security Services Catalog
- Defines security capabilities as services
- Documents interfaces between security and other functions
- Specifies service levels and performance metrics
- Clarifies consumption models for business units
Security Implementation Playbooks
- Function-specific implementation guides
- Standard patterns for common security controls
- Integration templates for enterprise systems
- Cross-functional workflows for security processes

Next Steps

After shaping security work:

Proceed to prioritizing shaped work with stakeholders
Work moves to implementation by a dedicated team
Throughout implementation track progress through unknowns
Ensure continued cross-functional coordination through implementation

If the work isn’t selected for implementation, the shaped concept remains available for consideration in future betting cycles. Remember that our core principles emphasize learning from both successes and failures – a pitch that isn’t selected still provides valuable insights for future security initiatives.

Maturity Assessment Questions

Use these questions to assess your organization’s security shaping maturity:

Do you set explicit time constraints (appetites) for security initiatives before defining solutions?
- Level 1: Sometimes, informally
- Level 2: Yes, consistently for most initiatives
- Level 3: Yes, with formal alignment to strategic planning
How do you identify and address risks in shaped security work?
- Level 1: Informal identification of major risks
- Level 2: Structured review with documented mitigations
- Level 3: Comprehensive risk assessment with formal treatment plans
How do you ensure security initiatives consider resilience, not just prevention?
- Level 1: Basic consideration of what happens if controls fail
- Level 2: Explicit resilience requirements for key controls
- Level 3: Comprehensive resilience architecture with layered capabilities
How formalized is your security shaping documentation?
- Level 1: Brief, informal pitches
- Level 2: Structured documents with visual elements
- Level 3: Comprehensive packages with multiple supporting artifacts
Who participates in shaping security initiatives?
- Level 1: Founders/CTO and key team members
- Level 2: Security lead plus relevant stakeholders
- Level 3: Security architects plus specialized teams and governance
How do you coordinate security initiatives across organizational functions?
- Level 1: Direct collaboration with key stakeholders
- Level 2: Structured touchpoints with department representatives
- Level 3: Formal governance processes with cross-functional bodies
What boundary objects do you use to create cross-functional alignment?
- Level 1: Simple, shared documents visible to all
- Level 2: Structured templates with function-specific sections
- Level 3: Enterprise frameworks integrated with business architecture
How do you manage cross-functional dependencies in security work?
- Level 1: Track key dependencies through direct communication
- Level 2: Documented dependency management with clear ownership
- Level 3: Enterprise dependency management integrated with governance

Security Roles and Responsibilities Planning Horizons