Under the SESAR Programme, the European Air Traffic Management (ATM) industry has adopted an approach of 'design-in security' by applying security assessment from the beginning of the development lifecycle. This has necessitated a convergence of different approaches to security assessment from the different partners. A number of challenges have been apparent in developing both the method to be used and then executing it in a synchronised way with the rest of the programme. This paper highlights the issues raised in developing the methodology from the perspective of the security experts working within the programme.