Secure Controls Framework

What is the difference between tactical and operational?

Direct Answer

Operational work maintains and manages a capability. Tactical work executes within it. The difference is scope and time horizon, not importance.

Walk through a single cybersecurity scenario to see both levels. An organization's vulnerability management program sets a 30-day remediation window for critical CVEs. The SLA itself, the scanning cadence, the tooling selection, the exception process, the reporting structure and the escalation path - all of that is operational. It belongs to the program owner.

When a new critical CVE drops, a security engineer pulls the scanner output, filters for affected systems, stages the patch, tests in UAT, deploys to production and confirms remediation. Every step is tactical. The engineer is executing within the operational framework, not designing it.

Operational decisions are about programs and structure: who owns the function, what the target metric is, which tools to use, how exceptions get handled. Tactical decisions are about specific actions at a specific time: what to do with this system right now, following this procedure, to meet this deadline.

A practical check: if you're deciding how a program should work, you're doing operational work. If you're executing a step in a documented procedure, you're doing tactical work. Both are necessary. They just require different skills, different governance and different reporting cadences.