So what is a sensible strategy? At its essence, a strategy is a plan broken down into short-term tactical actions, medium-term planned activities and long-term direction.
A few things to consider when developing your strategy:
Do you understand your organisation's risk profile?
What are your assets, threats, vulnerabilities and security controls? Do you have adequate tools to provide situational awareness?
Actions that could improve visibility include: installing a free log-collection product from a security information and event management (SIEM) vendor, starting a risk register, inventorying public-facing websites, commissioning a penetration test, or procuring a vulnerability management solution or host-based intrusion prevention technology.
Resources and Structure
Does your organisation have people allocated to the required operations and governance functions?
Are the activities they undertake aligned with the risk profile? Are activities being undertaken to secure the most important business processes and the applications that support them, as well as to meet standard "best practices"?
What are the business's strategic plans?
Replacing the core application for the main business process? Expanding to Asia? What is the security function doing to help make this happen?
A sensible strategy might (for example) include up-skilling and recruiting personnel to help secure the new core application, or perhaps building a methodology for due diligence and onboarding of new business acquisitions.
Security Controls Improvement
The risk profile can generally be improved by improving existing controls or by introducing new ones. Existing controls can be improved by testing them, documenting them, and training the personnel who administer them.
Is the current budget adequate for the required activities?
What are you doing to secure additional funding? Or, if the budget cannot be increased, what are you doing to ensure stakeholders are aware of the risk profile that results from budget restrictions?
Have you identified the key stakeholders you need to buy in to the strategy for it to succeed?
What can you add to a request to "sweeten the deal"? Do you have an inconsequential "sacrificial lamb" to offer up if cuts are enforced?
Hopefully this helps you move beyond "buzzword compliance".