More About Cybersecurity Strategy

The previous article (October 16) established that strategy is a map, not a plan. That insight sounds simple, but it changes everything about how we lead. Let’s spend a moment exploring what it really means.
A strategy is not a checklist. There should be nothing to check off. A strategy guides us to respond rather than to react. To act responsively rather than reactively, leadership must anticipate threats rather than await incidents.

Awareness is your security posture

Awareness today means that protecting your reputation and protecting your technical infrastructure are the same thing. This paradigm is called Security of Thought.
Cybersecurity is no longer IT maintenance — in fact, it is no longer about IT in any way. Cybersecurity is how the organisation perceives, interprets, and adapts to risk. I explained risk using two models in the last article: VUCAD, which is based in Schneider’s paradigm of presilience, and SKEW (Story, Knowledge, Ethics, Wholeness). Let’s now expand on this.

The SKEW + VUCAD Interface

| | Story / Volatility | Knowledge / Uncertainty | Ethics / Complexity | Wholeness / Ambiguity & Digitisation |
| --- | --- | --- | --- | --- |
| Effect on Organisation | Unclear stories amplify chaos. | Gaps in shared understanding magnify doubt. | Ethical drift compounds system sprawl. | Fragmented identity erodes digital trust. |
| Strategic Task | Curate consistent narrative channels. | Establish a shared situational picture. | Reinforce value-driven decision protocols. | Integrate human and technical authentication practices. |

When these are aligned, presilience becomes measurable: the organisation learns while disrupted.

The Security of Thought, Mind Hacking & Metrics

Metrics show how well something works. In cybersecurity, they make ideas visible and trackable over time.

We can’t measure Security of Thought directly: thoughts aren’t tangible; we can, however, measure whether an organisation thinks clearly, trusts its storytellers, and adapts its narrative under stress.

No firewall can protect a confused mind. Building Security of Thought requires two types of literacy:

| Cognitive Hygiene | Decisive Flexibility |
| --- | --- |
| Train teams to recognise misinformation and disinformation | Add reflection looping to your incident response — answer: What story are we telling ourselves about this incident? |

Operationalising Presilience

To build presilience is to treat incident management as a chance to respond, not a chance to react.

Detection? Or interpretation?

To spot threats is to ask what, but that’s not all we do when we’re presilient: we also ask how. In the first instance we’re actually asking what happened; in the second we’re actually asking how does this affect us? Put somewhat differently…
To respond is to reframe: when something goes wrong, panic communication (a reaction) is replaced with well-understood storytelling (a response) that reminds everyone affected of the new mission: defense — and to defend is to protect meaning.
The days when defense meant merely mitigating harm are gone. In our time and place, to defend means to hold fast to purpose when our world quakes, shakes, or bakes. Modern defending is today about the preservation of trust, coherence, and collective sense-making.
To recover inevitably means to renew — a truth long understood by those who work in disaster management. Recovery always changes the system it repairs; renewal is where recovery naturally leads. The well-understood story becomes an updated institutional myth:

“This is how we stayed whole.”

Telling these stories strengthens what we know (our collective memory) and helps teams move forward rather than bounce back.

Governance Implications

In CJCS doctrine, the word authority defines both permissions and those who hold them. A mature cybersecurity strategy assigns authority effectively.

| Narrative Authority | Technical Authority |
| --- | --- |
| The CJCS doctrine behind Security of Thought | The CJCS doctrine behind Security of Systems |

The oversight community holding these authorities should include each in quarterly risk audits, require joint briefings from the Chief Information Officer and the Communications Officer, and assess cultural health within the security posture. This ensures that systems are secure and that people trust the storytellers who explain them.

Closing Insight

Resilience begins where explanation ends.

A strategy that joins story and system teaches a disrupted organisation how to stay whole. The goal is continuity within disruption, because avoiding disruption is no longer likely even when it remains possible.