How to Build a Multi-Year Cyber Security Strategy (Without a Maturity Checklist)
The most common starting point for a security strategy exercise is a maturity assessment. A consultant runs through a framework, scores each domain, produces a radar chart, and recommends lifting every domain to level three. The organisation then spends the next two years working through a checklist. At the end of it, the maturity score is higher, but nobody can say with confidence whether the organisation is actually better protected against the threats that matter to it.
Maturity models are useful diagnostic tools. They are not strategy. A strategy answers the question of where you need to go and why, given what your business does, what it depends on, and what could actually harm it. That requires a different starting point than a capability scoring exercise.
Start With Business Risk, Not Security Domains
The first step in building a strategy that will actually be funded and executed is understanding what the business is trying to protect. This is not a technology question. It is a business question. What are the processes, data sets, and relationships that generate value for the organisation? What would be the consequence of a serious disruption to each of them? Who would attack them and how? These questions anchor security investment to business outcomes rather than to the completeness of your control library.
For the NSW councils we work with, this analysis almost always surfaces a small number of genuinely critical systems, a large number of administrative systems, and a long tail of legacy applications that nobody has assessed in years. The strategy does not need to address all of them equally. It needs to be honest about where the exposure is and where investment will produce the greatest reduction in risk. That requires a risk-based view of the environment, not a maturity-based view.
Structure the Strategy Around Sequenced Initiatives, Not Domains
Once you understand your risk picture, you can sequence initiatives in a way that reflects dependency and urgency. Some controls are prerequisites for others. Identity management needs to be functional before you can meaningfully enforce least-privilege access. Incident detection needs to be operational before you can measure your mean time to respond. Building a strategy that ignores these dependencies produces a plan where activities happen in the wrong order and spend on later initiatives is wasted because foundations are missing.
A multi-year strategy should group initiatives into phases. The first phase addresses the highest-risk gaps and the foundational capabilities. The second phase builds on those foundations with more sophisticated controls and broader coverage. The third phase focuses on continuous improvement, measurement, and embedding security into business processes. Each phase should have measurable outcomes, not just activities. "Implement multi-factor authentication" is an activity. "Eliminate credential-based account compromise as a viable attack path" is an outcome.
Make the Business Case Explicit
Every multi-year security strategy needs a budget, and budgets require a business case. The business case for security investment is not "compliance requires it" or "everyone else does it." The business case is the reduction in expected loss from specific risk scenarios, expressed in terms the board and executive team can evaluate against other uses of capital.
This does not require actuarial precision. It requires enough structure that decision-makers can compare the cost of a control against the risk it mitigates. A rough estimate that is directionally correct is more useful than a spreadsheet that is precise but disconnected from actual business risk. If you cannot articulate why a control is worth its cost in risk reduction terms, it should not be in the strategy.
Build In Governance and Review Cadence
A strategy is not a document that sits in a drawer until the next audit. It is a living instrument that gets updated as threats, business priorities, and the security environment change. The strategy needs a governance structure: who owns it, who reports on progress, who has authority to reprioritise, and how often those conversations happen.
We recommend a quarterly strategic review as the minimum cadence. That is not a status report on project tasks. It is a review of the risk picture, progress against outcomes, and any adjustments needed to the next phase of the plan. The annual review is where the strategy is formally updated. Between reviews, the risk register and programme tracking provide the continuity. Without this structure, multi-year strategies decay into outdated documents that nobody trusts.
- Identify your critical assets and the business impact of their compromise or loss
- Map current controls to those assets and identify the most material gaps
- Sequence initiatives by dependency and risk reduction value, not by maturity domain
- Express outcomes in business risk terms, not control implementation terms
- Define a governance cadence that keeps the strategy current between annual reviews
To discuss building a multi-year security strategy for your organisation, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







