A cyber security strategy should include an objective that aligns with the goals of the business. Once the objective is clear, various resources of information are needed to build out the strategy to establish the current state of the program.
The current state will identify risks and weaknesses within the organization. The strategy will provide the security controls and recommendations to remediate and reduce risk.

The framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cyber security risk.
In addition to helping organizations manage and reduce risks, it is designed to encourage risk and cyber security management communications to both internal and external organizational stakeholders.

Preparation of the cyber security strategy starts with engaging all relevant stakeholders. This communication will provide insight on the business goals and requirements to secure. At this point, a roadmap strategy can be developed utilizing the 8 steps listed earlier in this article.

A typical time frame to evaluate a cyber security strategy at a minimum is annually. However, the cyber security strategy may be re-evaluated sooner in case there is a security breach, company acquisitions, or change in business model.