What Is Strategy in Cybersecurity? Rethinking the Way We Lead, Protect and Adapt
After exploring foundational topics like cyber risk, resilience, communication, and how we think and explain cybersecurity, I realized there was still one concept silently shaping everything we do — strategy.
Cybersecurity doesn’t exist in a vacuum of controls, frameworks, or technology. It’s a field defined by choices: where we focus, what we defend, and how we prepare for what’s next. And those choices must be made in the context of a dynamic, shared, and continuous risk landscape — one where threats evolve constantly, responsibilities are distributed across ecosystems, and the boundaries between internal and external are blurred.
That’s why I believe now is the right time to talk about strategy in cybersecurity — not as a buzzword or a checklist, but as a deliberate set of decisions that define how we position ourselves to adapt, protect, and lead in a world that doesn’t stop moving.
But I know this won’t be an easy conversation. Strategy is one of those words that gets used everywhere, for everything — so much that we’ve stopped questioning what it really means. Each person, each team, each vendor has their own interpretation, and yet we rarely pause to align on a shared understanding. We say “strategy” when we mean “plan,” or “vision,” or “roadmap.” And in that ambiguity, we risk losing the power of strategy as a discipline rooted in choice, tradeoffs, and long-term positioning.
So in this article, I want to reflect on what strategy really means in cybersecurity — and why it’s time we reclaim its depth, its rigor, and its relevance.
Defining Strategy (Or at Least Trying To)
If you ask ten people to define strategy, you’ll likely get ten different answers — and all of them might sound reasonable. That’s the challenge. Strategy is a word we use often but define rarely, and when we do try to define it, we tend to lean on vague abstractions or overly simplified formulas. In cybersecurity, that ambiguity is even more dangerous, because without a clear understanding of what strategy is, we can’t know if we’re actually being strategic — or just busy.
There’s no single “correct” definition of strategy. But over the years, in my work across cybersecurity leadership, operations, and risk, I’ve found one that resonates deeply and cuts through the noise. It comes from Roger Martin, co-author of Playing to Win, who defines strategy as:
“An integrative set of choices that positions you on a playing field of your choice in a way that you win.”
At first glance, this may sound like a business-school phrase. But sit with it for a moment, and its relevance to cybersecurity becomes clear. It’s not about perfection. It’s not about reacting faster than everyone else. It’s about choosing — consciously — where you play, how you allocate your limited resources, and what “winning” actually means for your organization. It’s about making decisions that align your purpose, your strengths, and your environment into a coherent approach that gives you a real chance to succeed.
This definition brings three key elements into focus:
It’s about choices — not everything, not everywhere, but focused tradeoffs.
It’s contextual — you must define your playing field, your risks, and your capabilities.
It’s outcome-oriented — it’s not about activity; it’s about positioning yourself to win.
In the next sections, I’ll explore how this applies directly to cybersecurity — and why so many strategies in our field fail not because they’re wrong, but because they’re not really strategies at all.
What Does “Winning” Mean in Cybersecurity?
Roger Martin’s definition of strategy hinges on a powerful but often overlooked word: win. And that’s no coincidence. When we think about strategy — whether in books, conferences, or corporate discussions — we almost instinctively associate it with winning. Most of the classic strategy examples come from business, sports, or military contexts, where the idea of “winning” is clear and measurable: outpacing competitors, scoring more points, or defeating an adversary. These are environments defined by finite outcomes — someone wins, someone loses, and the game ends.
In business, the idea of winning might seem straightforward: increasing revenue, capturing market share, outperforming competitors, or maximizing shareholder value. There’s often a metric or milestone that can be used to declare victory — quarterly results, market position, or growth benchmarks.
In sports, winning is even more explicit. The game has clear rules, a fixed duration, known players, and a scoreboard. Whether it’s crossing the finish line first, scoring more goals, or earning more points, there’s no ambiguity — someone wins, and someone loses.
In the military, while the terrain is more complex, winning still usually involves concrete objectives: gaining territory, disabling an enemy’s capabilities, or achieving a political outcome through force or deterrence. Victory can be declared when the mission is completed or the adversary is neutralized.
This shapes how many of us approach cybersecurity strategy as well — but as I’ll explain, this mindset doesn’t fit the reality of our domain.
All of these examples represent what James P. Carse, in his book Finite and Infinite Games, calls finite games — activities played for the purpose of winning. They have:
Clear rules
Known players
Defined endpoints
And a winner and a loser
But cybersecurity doesn’t work like that.
There is no final whistle. No ultimate scoreboard. No permanent state of “secure.” We’re not playing for a singular victory, but for resilience, continuity, and long-term relevance. Threats evolve. Systems change. Attackers adapt. New risks emerge overnight.
This makes cybersecurity much closer to an infinite game — where the goal isn’t to win once and be done, but to keep playing, to stay in the game, to adapt and improve continuously.
Carse describes it like this:
“A finite game is played for the purpose of winning; an infinite game for the purpose of continuing the play.”
So, what does “winning” mean in cybersecurity?
Not eliminating all threats. Not achieving perfect compliance. Not reaching a static, ideal state of security.
Instead, it means:
Sustaining operations through disruption
Improving faster than adversaries evolve
Building resilience, trust, and adaptability over time
Maintaining your organization’s ability to thrive in a volatile, digital world
This shift in mindset is critical. If we frame our cybersecurity strategies around a finite-game mentality, we risk overpromising, underdelivering, and becoming blind to what matters most: staying in the game with strength, clarity, and endurance.
A New Definition for Cybersecurity Strategy
If we accept that cybersecurity is not a finite game with a clear end state, but an infinite challenge that requires continuous adaptation, then our definition of strategy must evolve as well.
Traditional strategy models — borrowed from business, military, or sports — often emphasize winning, dominance, or achieving fixed goals. But as we’ve explored, cybersecurity operates in a fundamentally different context: the goal is not to win once, but to endure, adapt, and thrive in the face of ongoing, evolving threats.
This demands a shift in how we define strategy in our field.
Cybersecurity strategy is an integrative set of choices that positions your organization on a risk landscape of your choice in a way that sustains resilience over time.
This definition carries weight because it reflects three essential truths:
Cybersecurity is about choices. You cannot protect everything equally. Strategic thinking means deciding where to focus, what risks to prioritize, and what tradeoffs to accept — all guided by your organization’s risk appetite. Without understanding how much risk you’re willing to tolerate, you can’t define where to invest, where to be strict, and where to accept exposure. Risk appetite transforms abstract decision-making into aligned, purposeful action. It’s what separates controlled risk from unmanaged chaos. In the end, without choice, there is no strategy — only activity.
Cybersecurity is contextual. The “playing field” is not generic. It’s shaped by your threat landscape, business objectives, digital architecture, regulatory obligations, and available resources. What works for one organization may be irrelevant — or dangerous — for another.
Cybersecurity is about resilience. Not in the abstract sense, but in a real, operational sense: the ability to absorb shocks, recover quickly, learn from incidents, and emerge stronger. Strategy in cybersecurity must sustain this capability — not for a moment, but over time.
This reframing moves us away from reactive playbooks and toward deliberate positioning, based on purpose, risk, and resilience. It invites us to stop chasing perfection and start building endurance.
And perhaps most importantly, it acknowledges a core truth we too often ignore: in cybersecurity, you don’t win by eliminating all risk — you win by staying in the game.
Aligning Strategy with the Cybersecurity Compass
The definition of cybersecurity strategy as “an integrative set of choices that positions your organization on a risk landscape of your choice in a way that sustains resilience over time” doesn’t exist in isolation. It lives within a framework — a system of orientation that helps guide those choices. That’s exactly why I created the Cybersecurity Compass.
The Compass is more than a visual model — it’s a strategic lens. It helps organizations navigate complexity, prioritize actions, and position themselves intentionally across all phases of cyber risk: before, during, and after a breach.
Let’s connect the definition to the Compass:
Integrative set of choices: The Compass doesn’t suggest isolated functions — it shows how Cyber Risk Management, Detection and Response, and Cyber Resilience must work together, not as silos but as coordinated domains. True strategy lies in integrating these areas and balancing them according to your threat landscape, business model, and maturity.
Playing field of your choice: The Compass forces organizations to recognize where they currently operate. Are you mostly reactive and defensive? Or are you leaning into proactive and predictive capabilities? Strategy is not about aspiring to the center — it’s about understanding your position and making conscious shifts based on risk and value.
Sustaining resilience over time: At its core, the Compass points toward a north star — Proactive and Predictive posture — while acknowledging that resilience is built not just by preparing for threats, but by how you detect, respond, recover, and improve. Resilience isn’t a phase; it’s an outcome of strategic positioning across the entire model.
Additionally, the Compass captures another vital truth: cybersecurity is a continuous journey, not a checklist. The circular structure reminds us that risk doesn’t move in straight lines, and that strategy must account for constant movement — whether you’re before, during, or after a breach.
In essence, the Cybersecurity Compass is a strategic map, and your strategy defines how you navigate it.
Translating the Choice Cascade to Cybersecurity
To make strategy real, we need a way to move from abstract definitions to actionable decisions. That’s where the Choice Cascade, introduced in Playing to Win by Roger Martin and A.G. Lafley, becomes incredibly useful — even in cybersecurity.
Originally designed for business strategy, the Choice Cascade is a sequence of five interconnected choices:
What are our aspirations and goals?
Where will we play?
How will we win?
What capabilities must be in place to win?
What management systems are required?
Each of these choices is both a commitment and a learning opportunity — forming what the authors call a fast learning loop. While originally focused on markets and competition, this model aligns surprisingly well with the strategic challenges of cybersecurity, especially when we reframe “winning” as sustaining resilience over time.
Here’s how the cascade translates into cybersecurity:
What level of resilience, trust, and risk tolerance do we want to achieve? This defines your cybersecurity north star — the role you want security to play in enabling the business, protecting value, and responding to uncertainty.
Where are our most critical digital assets, risks, and exposure points? This includes cloud workloads, user identities, APIs, data repositories, third-party integrations, etc. You can’t protect everything — strategy means choosing where to focus.
How will we sustain resilience and adapt faster than threats in those areas? This might involve adopting a risk-based approach, leveraging advanced detection, investing in recovery capabilities, or building strong security culture.
What capabilities do we need to detect, protect, respond, and recover effectively? Think of technical controls, visibility, automation, cyber threat intelligence, risk quantification, and skilled talent.
What governance, metrics, and operational models will keep us aligned and improving? This is about having a CROC (Cyber Risk Operations Center), outcome-driven metrics, continuous feedback loops, and incident response readiness.
What makes the Choice Cascade powerful for cybersecurity is that it prevents us from jumping straight into tools and tactics. It forces us to first clarify the purpose, scope, and principles that guide everything else. It also builds in the expectation that strategy is iterative — not fixed. As new threats emerge and environments evolve, we loop back, reassess, and refine.
This mirrors the Cybersecurity Compass, which is not a static model but a dynamic orientation system. Just as the Compass helps teams navigate phases of risk (before, during, after a breach), the Choice Cascade helps leadership navigate strategic coherence — making sure every investment, process, and capability aligns with an intentional, resilient direction.
In short, the Choice Cascade gives cybersecurity leaders a structured way to think and decide — not just react.
The Fast Learning Loop: Essential for Cybersecurity Strategy
One of the most powerful — and often overlooked — elements of the Playing to Win framework is the Fast Learning Loop that connects every stage of the Choice Cascade. This loop acknowledges a critical truth: strategy is not a one-time event. It’s a continuous process of learning, adapting, and refining choices based on feedback from the real world.
In cybersecurity, this concept is not only relevant — it’s indispensable. Why?
Because the threat landscape doesn’t wait. New vulnerabilities emerge. Adversaries change tactics. Technologies shift. Regulations evolve. What worked yesterday may not be enough tomorrow. And what you assumed to be a low-priority risk last year may now be your most significant exposure.
That’s why static strategies fail in cybersecurity. They create brittle plans based on frozen assumptions. What we need instead is a strategic process that’s built for change and feedback — and that’s exactly what the Fast Learning Loop offers.
Here’s how the loop translates into cybersecurity:
After setting resilience goals, we may realize through red teaming/tabletop exercises or real-world incidents that our targets were either too ambitious or not aligned with business needs. So we recalibrate.
After choosing where to focus (e.g., cloud or identity), we may detect new attack vectors or discover hidden exposures that change our threat prioritization.
After building capabilities, we may discover through red teaming or audits that they’re not performing as intended or are being bypassed.
After implementing management systems, we may see misaligned KPIs or lack of actionability in our metrics, and refine how we track performance and impact.
Each learning moment becomes a trigger for re-evaluation. And when done well, this doesn’t cause instability — it creates resilience through adaptability.
In a field where attackers are always evolving, our ability to learn faster than the adversary becomes a decisive advantage. The organizations that thrive are not those with the biggest budgets, but those with the clearest strategic focus and the fastest learning loops.
So yes — the Fast Learning Loop is not only relevant to cybersecurity. It should be foundational.
It reinforces your Compass. It energizes your strategy. And it ensures that your cybersecurity choices aren’t just smart once — they’re smart over time.
The Problem: When Cybersecurity Strategy Is Framed Incorrectly
One of the most persistent issues in cybersecurity leadership comes from misunderstanding what cybersecurity strategy truly is. Too often, organizations fall into one of two traps: treating cybersecurity like traditional business strategy (a finite game), or adopting an unstructured infinite game mindset without clear guidance. Both lead to failure — but for different reasons.
1. Treating Cybersecurity as a Business Strategy (Finite Game)
Many organizations approach cybersecurity with finite game thinking, using business strategy habits: setting short-term goals, defining KPIs, and seeking a “victory” moment when security is “achieved.” This mindset leads to dangerous assumptions:
“If we implement all controls, we’ll be secure.”
“Compliance equals protection.”
“Once the project finishes, our security is done.”
“Let’s throw more technology at the problem until it’s solved.”
“A risk heatmap is our cybersecurity strategy.”
That last belief is particularly damaging. Risk heatmaps can visualize threats, but they are not a strategy. Color-coded charts don’t drive action. They provide a snapshot, not direction. Too often, leadership mistakes a heatmap report for a strategic roadmap — when in reality, it’s just a static artifact of a moment in time.
Similarly, deploying more technologies without clear alignment to risk or resilience goals only adds complexity, not security. This is how many organizations end up with:
Overlapping tools with unmanaged risks.
Teams stuck maintaining technology instead of managing actual cyber risk.
A false sense of progress driven by activity, not outcomes.
By treating cybersecurity as a finite game, organizations fall into the trap of believing they can finish security — when in fact, they need to continuously evolve it.
2. Misapplying Infinite Game Thinking
At the opposite extreme, some leaders recognize cybersecurity as an ongoing effort, but mistakenly drift into unstructured infinite game thinking. They believe security is never-ending, but without defining clear priorities, focus areas, or guiding principles. This results in:
Endless reactivity without strategic intent.
Teams overwhelmed by “doing everything” forever.
Leadership unable to measure or communicate progress.
Without structured decisions, infinite thinking becomes strategic drift — not resilience.
3. Why Both Are Wrong
Cybersecurity demands a hybrid strategic mindset:
The infinite game lens acknowledges that security is continuous and adaptive.
The structured strategy approach ensures deliberate focus, resource alignment, and meaningful progress.
Neither alone is enough.
In cybersecurity, you don’t win by finishing a project, nor by endlessly reacting. You succeed by making risk-informed choices, adapting them over time, and sustaining resilience.
That’s why models like the Cybersecurity Compass, the Choice Cascade, and the Fast Learning Loop are so important. They provide:
Structure without rigidity.
Direction without illusion.
Resilience without aimlessness.
In cybersecurity, strategy is not a heatmap, a compliance checklist, or a stack of technologies. It’s a continuous, learning-driven process of making the right choices in the face of evolving risk.
Practical Steps for Leadership: Applying a Hybrid Cybersecurity Strategy Mindset
Understanding that cybersecurity is neither a finite game nor an unstructured infinite pursuit is only the beginning. Leadership needs practical, repeatable actions to apply this hybrid strategy mindset. Here’s how:
1. Define Resilience as Your Strategic North Star
Stop aiming for “perfect security” or “total prevention.”
Define what resilience looks like for your organization: Is it reducing ransomware recovery time? Is it ensuring uninterrupted operations during supply chain disruptions?
Make resilience a measurable, operational concept — not just a vague aspiration.
2. Make Deliberate “Where to Play” Choices
Accept that you cannot defend everything equally.
Use your Cybersecurity Compass to identify critical assets, high-risk domains (cloud, identity, data, supply chain), and key exposure points.
Prioritize focus areas based on business impact — not fear, not trends, and definitely not vendor pitches.
3. Stop Mistaking Tools for Strategy
Audit your current technology stack and identify redundant, unused, or misaligned tools.
Ask, for every tool: “What risk does this specifically help us manage?”
Shift budget from accumulating more technology to strengthening core capabilities like detection, response, and recovery.
4. Move Beyond Heatmaps
Use risk heatmaps as a diagnostic tool, not as a strategic compass.
Drive strategic discussions with real metrics: threat-informed risk assessments, incident recovery times, attack surface visibility, and resilience readiness.
Focus reporting on outcomes, not colors.
5. Operationalize the Fast Learning Loop
Treat every incident, red team exercise, or compliance gap as strategic feedback — not just an operational task.
Schedule regular strategic reviews in which leadership revisits current resilience goals, the evolving threat landscape, emerging risks and exposure points, and the performance of existing capabilities.
Use these sessions to adjust priorities — not just to review status.
6. Link Strategy Directly to Business Outcomes
Frame cybersecurity decisions in terms business leaders understand: “This investment reduces downtime risk by X%.” “This capability improves recovery time from ransomware by Y hours.”
Ensure security isn’t a technical silo — but part of the broader business strategy.
7. Teach Strategy Thinking Across Teams
Train technical teams to understand that doing security work is not the same as following a strategy.
Embed strategic thinking into daily work: Why are we prioritizing this control? How does this task align with our resilience goals? What risk does this mitigate?
Create a culture that values clarity of purpose over reactive activity.
8. Lead Cybersecurity Like a Strategic Function
In the end, applying this hybrid mindset means leading cybersecurity as a strategic function, not an operational burden. It means making choices with purpose, adapting continuously, and focusing every action on sustaining resilience over time. Tools don’t make you secure. Plans don’t make you resilient. Choices do. And choices are the essence of strategy.
Cybersecurity Strategy Is About Choices, Not Checklists
Cybersecurity today isn’t a problem you can solve. It’s a risk you must manage — continuously, deliberately, and strategically. It’s not a finite game with a clear finish line, nor an infinite game of aimless persistence. It’s something in between: a continuous challenge that demands structured adaptability.
Throughout this article, I’ve shared how thinking of cybersecurity strategy purely as a business strategy — with clear goals, win conditions, and KPIs — leads to dangerous complacency. And how approaching it as an infinite game without structure leads to endless reactivity. Both miss the point.
Cybersecurity strategy is neither static nor chaotic. It’s about making purposeful choices inside a continuously shifting landscape.
Choices about where to focus your limited resources.
Choices about what resilience means for your business.
Choices about how you learn, adapt, and improve over time.
Tools won’t define your strategy. Heatmaps won’t tell you where to go. Technology alone won’t make you secure.
Your ability to make — and remake — clear, risk-informed decisions is your real strategic advantage.
For cybersecurity leaders, the challenge isn’t building a perfect plan. It’s building a decision framework — one that aligns teams, guides investments, and sustains resilience in a world that doesn’t stop moving.
In the end, strategy in cybersecurity isn’t about winning. It’s about enduring. Learning. And leading. That’s the real game we’re playing. And it’s one worth playing well.
References
Lafley, A. G., & Martin, R. L. (2013). Playing to Win: How Strategy Really Works. Amazon. https://www.amazon.com/-/es/G-Lafley-ebook/dp/B00AJVJ1HI/
Carse, J. P. (2011). Finite and Infinite Games. Amazon. https://www.amazon.com/-/es/James-P-Carse-ebook/dp/B004W3FM4A/
Castro, J. (2025). Applying Structured Thinking to Cybersecurity: The Power of the Six Thinking Hats and Cybersecurity Compass. ResearchGate. https://www.researchgate.net/publication/389738059 DOI:10.13140/RG.2.2.26332.91523
Castro, J. (2025). Cyber Risk is the New Perimeter. ResearchGate. https://www.researchgate.net/publication/393465035_Cyber_Risk_Is_the_New_Perimeter DOI:10.13140/RG.2.2.15094.51524
Castro, J. (2024). Strategic Cyber Defense: Applying Sun Tzu’s Art of War Lessons to the Cybersecurity Compass. ResearchGate. https://www.researchgate.net/publication/387410535 DOI:10.13140/RG.2.2.25085.68327
Castro, J. (2024). A Common Language for Cybersecurity. ResearchGate. https://www.researchgate.net/publication/387505866 DOI:10.13140/RG.2.2.31894.05448
Castro, J. (2024). Cybersecurity Compass — Bridging the Communication Gap. ResearchGate. https://www.researchgate.net/publication/387789339 DOI:10.13140/RG.2.2.36333.29926
Castro, J. (2024). The Cybersecurity Compass: A Tool for All. ResearchGate. https://www.researchgate.net/publication/387789627 DOI:10.13140/RG.2.2.14103.48807
Castro, J. (2024). Cyber Resilience — The Learning Phase of the Cybersecurity Compass Framework. ResearchGate. https://www.researchgate.net/publication/387903363 DOI:10.13140/RG.2.2.11619.67366