method
Introduction to the Peak Defence Method
Why This Methodology Exists
Security in today’s organizations faces a fundamental challenge: the approaches that worked in the past are failing to deliver sustainable value in increasingly complex, fast-moving environments.
This statement is likely to stay true for as long as environments we operate in keep changing, and that might always be the case, at least for most of the organizations. Despite growing security investments, many struggle with:
- Security teams isolated from the business, creating friction rather than enablement
- Security controls that focus on prevention but fail to adapt when breaches occur
- Security work that expands indefinitely without clear boundaries or completion
- Siloed approaches that prevent effective cross-functional collaboration
- Rigid methodologies that don’t scale with organizational growth
The Peak Defence Method addresses these challenges through a fundamentally different approach to security — one that prioritizes resilience over rigid prevention, balances centralized expertise with distributed responsibility, and delivers visible value through bounded, focused work.
Born from years of field experience across organizations of all sizes, this methodology isn’t theoretical — it’s a battle-tested approach that transforms how security operates and delivers value.
Core Philosophy: Designing for the Inevitable
At the heart of the Peak Defence Method lies a philosophical shift that sooner or later things will go wrong. We do not claim this is an absolute, but as a starting point for effective security.
Rather than focusing solely on preventing all possible failures, we design systems that can detect, respond, adapt, and recover.
Risk-Based Prioritization
Not all security risks are created equal. The Peak Defence Method emphasizes identifying and addressing the most significant risks first, rather than trying to solve every security challenge simultaneously.
This risk-based approach enables organizations to:
- Focus limited security resources where they deliver maximum value
- Make informed decisions based on business context and threat landscape
- Avoid “security theater” that creates work without meaningful protection
- Prioritize resilience for critical business functions and assets
Cross-Functional Note: This risk-focused, resilience-oriented approach requires integration across organizational functions — security emerges from collaboration between security specialists, engineers, product teams, operations, compliance, and business units working together to identify and address the risks that matter most.
Key Advantages of This Approach
 |
Resilience Over Prevention Creating adaptive systems that detect anomalies, reconfigure rapidly, learn continuously, and transform failures into improvements. |
 |
Decentralized Execution with Clear Guardrails Empowering teams across the organization to implement security within their domains while providing clear boundaries and guidance. |
|
Risk-Based Prioritization Focusing security efforts where they matter most by systematically evaluating business risk, threat landscape, and organizational context. |
 |
Visible Progress and Value Delivering concrete, measurable security improvements on regular cycles with clear language to discuss progress. |
 |
Time-Bounded Security Improvement Setting fixed time commitments with appropriate scope and circuit breakers to prevent runaway projects. |
A Methodology That Scales: The Organizational Maturity Model
Organizations at different stages of growth face different security challenges. The Peak Defence Method provides guidance appropriate to your organizational maturity.
Level 1: Startup Foundation (5-50 employees)
Small organizations need pragmatic security approaches that deliver maximum value with minimal resources.
At this level, the methodology focuses on:
- Essential security practices with immediate impact
- Simple, lightweight processes and documentation
- Direct collaboration across functions
- Practical tools that work within tight resource constraints
Cross-Functional Integration at Level 1 In startups, cross-functional collaboration happens organically through direct communication. Our guidance at this level emphasizes simple security responsibilities everyone understands, direct collaboration between technical and business roles, and clear security communication in plain language.
Example Boundary Artefact A one-page “Security Responsibilities” document listing who handles what security tasks and when, visible to all team members.
Level 2: Scale-up Enhancement (50-500 employees)
Growing organizations need more structured approaches without excessive bureaucracy.
At this level, the methodology provides:
- Formal processes balanced with practical flexibility
- Structured roles and responsibilities
- Dedicated security resources working across teams
- Scalable security patterns and frameworks
Cross-Functional Integration at Level 2 As organizations grow, cross-functional security work requires more deliberate coordination. Our guidance at this level emphasizes security programs spanning departmental boundaries, structured touchpoints between security and other functions, and regular cross-functional security forums.
Example Boundary Artefact A “Security Requirements Template” with different sections for product, engineering, compliance, and operations teams to ensure comprehensive coverage.
Level 3: Enterprise Optimization (500+ employees)
Large organizations need comprehensive security approaches that work across complex structures.
At this level, the methodology provides:
- Enterprise-wide security architecture and governance
- Specialized security functions with clear interfaces
- Formal processes integrated with business operations
- Strategic security direction aligned with business objectives
Cross-Functional Integration at Level 3 In enterprise organizations, systematic approaches to cross-functional security are essential. Our guidance at this level emphasizes federated security operating models across business units, formal governance with cross-functional representation, and security service models with defined interfaces.
Example Boundary Artefact An “Enterprise Security Control Framework” mapping controls to business capabilities with clear responsibilities across organizational functions.
Framework Overview
The Peak Defence Method operates across four interconnected planning horizons (Lifetime, Yearly, Quarterly, and Cycle) and defines four essential roles (Security Leaders, Security Shapers, Security Implementers, and Security Enablers) that exist across organizational functions.
These planning horizons and roles are explored in depth in the Planning Horizons and Security Roles and Responsibilities chapters.
Cross-Functional Security: A Core Principle
Security is inherently cross-functional. The Peak Defence Method recognizes that effective security emerges from collaboration across organizational boundaries, not from isolated security teams imposing controls on others.
Security as a Collaborative Discipline
We view security not as a specialized technical function but as a collaborative discipline that spans:
- Product/Engineering: Building security into systems from the beginning
- Operations: Maintaining and monitoring security controls
- Legal/Compliance: Ensuring regulatory and contractual requirements are met
- Business Units: Balancing security with business objectives and constraints
- Executive Leadership: Setting direction and allocating resources
Decentralized Execution in Practice
The principle of Decentralized Execution comes to life through cross-functional collaboration. Rather than centralizing all security decisions and implementations in a specialized team, the Peak Defence Method:
- Distributes security responsibility to those closest to the work
- Empowers teams with security patterns they can implement independently
- Creates clear escalation paths for complex security decisions
- Provides just enough governance to ensure consistency
- Establishes shared risk ownership across functional boundaries
This decentralized approach enables security to scale with the organization while reducing bottlenecks and friction.
Integration, Not Isolation
 |
Peak Defence Approach integrates security into existing workflows, translates security concepts for different audiences, and solves problems collaboratively |
 |
Traditional Approach positions security teams as isolated enforcers, creating friction and resistance |
Getting Started with the Methodology
The Peak Defence Method is designed for practical implementation regardless of your organization’s size or security maturity.
Assess Your Current State
- Identify your organization’s maturity level (e.g. Startup, Scale-up, or Enterprise)
- Evaluate your current security approach against the core principles
- Identify key gaps and opportunities for improvement
- Assess cross-functional security coordination and interfaces
Start Where You Are
You don’t need to implement the entire methodology at once.
- Focus on Fundamentals: Begin with the Core Principles to align your security philosophy
- Structure Your Time: Implement the Planning Horizons to organize security work effectively
- Improve Your Approach: Adopting effective scoping, a.k.a Shaping, can help define better security initiatives.
- Clarify Responsibilities: Use Security Roles to establish who does what
Focus on Quick Wins
Look for high-impact, low-effort improvements that demonstrate value:
- Implement six-week delivery cycles (a.k.a. Security Sprints) to create visible progress
- Develop simple security patterns that work across functional boundaries
- Establish regular forums for cross-functional security coordination
How This Documentation Is Organized
The Peak Defence Method is organized into core chapters that provide comprehensive guidance:
- Introduction (this chapter): Overview and key concepts
- Core Principles: The philosophical foundation of resilience-oriented security
- Planning Horizons: How to organize security work across different time scales
- Shaping Security Work: Defining resilient security initiatives at the right level of abstraction
- Security Roles and Responsibilities: Establishing effective security functions across the organization
- The Peak Defence Advantage: Transforming security effectiveness through the methodology
- Community Integration: Evolving this methodology through collaborative contribution
- Templates, Recipes and Artefacts
- References
Each chapter provides implementation guidance, cross-functional considerations, practical examples, and common challenges and solutions.
Join Our Community
The Peak Defence Method is designed as a living, evolving methodology that grows through community contribution. We invite you to:
- Implement the methodology in your organization
- Share your experiences and adaptations
- Contribute enhancements to the core methodology
- Participate in discussions with fellow practitioners
To get involved, visit our GitHub repository at github.com/peakdefence/method.
Next Steps
Ready to transform your security approach? Continue to Core Principles to understand the philosophical foundation of the Peak Defence Method, or jump directly to the chapter most relevant to your current challenges:
For organizing security work effectively: Planning Horizons
For defining better security initiatives: Shaping Security Work
For establishing security roles: Security Roles and Responsibilities
The Peak Defence Method is maintained by Peak Defence and the security community. For more information about Peak Defence’s services, visit peakdefence.com.
This documentation is designed to be a practical guide for implementing the Peak Defence Method in your organization. Each section provides concrete guidance, templates, and examples that can be adapted to your specific context.