Summary: A strategy defines how an organization aims to win in security, while a plan outlines specific actions to achieve that strategy. Effective security strategies should focus on risk transparency, reducing control costs, and improving productivity. It’s important to remember that planning is not the same as having a strategy; strategy is about a clear theory of success.