Strategy vs Operations vs Tactics

The purpose of this article is to help cybersecurity leaders up their game by gaining a baseline understanding of strategy vs operations vs tactics.

All too often, unprincipled cybersecurity leaders manipulate the business through Fear, Uncertainty and Doubt (FUD) to scare other technology and business leaders into supporting cybersecurity initiatives. These bad actors maintain the illusion of a strong cybersecurity program, when in reality the cybersecurity department is an array of disjointed capabilities that lacks a unifying plan. These individuals stay in the job long enough to claim small victories, implement some cool technology, and then jump ship for larger roles in other organizations to extend their path of disorder. In these cases, a common theme is the lack of viable business planning beyond a shopping list of technologies and headcount targets to further their career goals.

Understand Your Audience - Business Planning Terminology Matters

Cybersecurity is a cost center, not a revenue-generating business function. That means cybersecurity competes with all other departments for budget, and it necessitates a compelling business case to justify needed technology and staffing. Business leaders are getting smarter on the topic of cybersecurity, so cybersecurity leadership needs to rise above the FUD mentality and deliver value that is commensurate with the needs of the business.

With compliance obligations such as the EU GDPR and NIST SP 800-171/CMMC, there is a strong need for cybersecurity leaders who can develop and implement strategic plans to protect systems and data, keeping the company both secure and compliant. Implementing a cybersecurity strategic plan does not happen overnight, since it requires funding for proper staffing and resources. All of this requires a plan.

Having a hierarchical business plan is a logical step to operationalize the business’ requirements. Understanding the hierarchy of business planning documentation can lead to well-informed risk decisions, which influences technology purchases, staffing resources, and management involvement. This is your opportunity to step up by designing and implementing a cohesive cybersecurity strategy that will be an asset to your company and enable you to be the cybersecurity leader that your organization needs you to be.

Why Should You Conduct Cybersecurity Business Planning As A CISO? If You Fail To Plan, You Plan To Fail

Some of the most-abused business planning terms are strategy, operations, and tactics. While these terms are used by organizations across the globe, they have their origins in military planning, where each has a distinct scope that is important to understand. Hierarchically, tactics support operations and operations support strategy.


The discussion of “strategy vs operations vs tactics” primarily comes down to the concept of defining doctrine. The concepts of strategy, operations and tactics are directly rooted in military planning. The US Army formalized this doctrine in the 1982 edition of Field Manual (FM) 100-5, which laid out a logical approach to describing the “levels of war” that span from the generals in charge all the way down to the private in the trenches.

There is overlap between the strategic, operational and tactical levels, so no single demarcation can be applied uniformly to all organizations. The hierarchy nonetheless carries over to the private sector, as the following sections show.

Cybersecurity Strategy vs Operations vs Tactics

In the context of cybersecurity & data privacy considerations, it is possible to overlay the “who, what, when, how & why” across the strategic, operational and tactical needs of your organization:

[Table: who, what, when, how and why mapped across the strategic, operational and tactical levels]

Real-World Scenario Where Tactics Support Operations & Operations Support The Strategy

In a real-world scenario, look at the historical event of the Allied invasion of Normandy during the Second World War:

[Diagram: the Normandy invasion mapped to strategy, operations and tactics]

The same concept applies to businesses in every industry. The actions of individual contributors at the tactical level stack up to support broader operational goals, which in turn are designed to support a strategy that is aligned with the company’s success.

What Right Looks Like

An indicator of a well-run cybersecurity program is where staff at all levels clearly know their role in making the organization successful because the leadership implemented a mission, vision, and strategy to drive its operations. This is leadership in its purest form, since it involves providing appropriate direction and then empowering staff to make the right things happen.

A picture is sometimes worth 1,000 words. This diagram helps visualize the hierarchical nature of these business planning components.

[Diagram: hierarchy of mission, vision, strategy, objectives, operations and tactics]

Mission Statements

Mission statements are similar to vision statements, in that they, too, look at the big picture. However, they're more concrete, and they are definitely more "action-oriented" than vision statements. Your vision statement should inspire people to dream; your mission statement should inspire them to action. Mission statements answer the question of why your business/department exists.

Quite simply, a mission statement is a concise statement that describes why an organization is operating and thus provides a framework within which strategies are formulated. It describes:

A mission statement differentiates an organization from others by explaining its broad scope of activities, its products, and the technologies it uses to achieve its goals and objectives. Features of a mission statement:

After having developed possible statements, you will want to ask of each one:

Example mission statements:

Vision Statements

A vision answers the “where we want to be” question. It reminds everyone what the organization is trying to become. It captures a shared understanding of the nature and aim of the organization and uses that understanding to direct and guide the organization toward its purpose. Vision statements describe what ideal conditions for executing the mission would look like in a perfect world.

The best visions are inspirational, clear, memorable, and concise. An effective vision statement must have the following features:

In order to realize the vision, it must be deeply instilled in the organization, being owned and shared by everyone involved in the organization. For vision statements, we have to make sure it passes the "sniff test":

Example vision statements:

Strategy Statements

Strategy statements are high-level actions that are coherently arranged to achieve your mission. Defining the objective, scope and competitive advantage requires trade-offs, which are fundamental considerations in building a strategy. For example, if a company decides to pursue growth, it must accept that near-term profitability may not be the priority. If it decides to serve institutional clients, it may choose to ignore retail customers.

Now that we’ve got the “what” and “why” answered for your organization, it’s time to jump into the “how.” It’s time to lay down how we’re going to execute and bring the vision and mission statements to reality. That’s where setting goals and objectives come into play. We’ll start with a friendly reminder of the importance of making them SMART (specific, measurable, achievable, relevant and time-bound):

Strategic intent:

There are three basic elements of a strategy statement:

Example strategy statements:

Objectives

Objectives are the short and mid-range goals that are arranged and prioritized to achieve the strategy.

Example objectives:

Operations

Operations are mid-level actions that directly link to strategy and objectives: they clarify how both will actually be accomplished. Operations transform strategy and objectives into actionable projects or initiatives that define the resources tactics need in order to execute successfully.

Tactics

Tactics are low-level actions that directly link to operations: they specify how department-level objectives will be achieved on a day-to-day basis through staff assignments, processes and procedures.

Next Steps?

While slightly off-topic from the “word crimes” concept, if you want to make a difference but are not sure where to start your planning efforts, make a pot of coffee and work through the steps below and/or read the “how to GRC” guide, the Integrated Controls Management (ICM) Model. The results will identify a path forward.
