In digital security the term strategy is often mixed up with plans and the execution of the strategy is lacking. Not because the identified technical improvements aren’t correctly identified, but because the strategy process and content itself is insufficient. Or the people executing the strategy lack the capabilities we have identified.