In a strategic planning process, the typical planning session is often more focused on security gap analysis than on developing a true strategic plan for security. Put simply, the typical security team, for various valid reasons, audits the environment for its ability to defend against generic threats or attacks, and, where it sees holes in its existing controls, it develops a plan to plug them. The resulting roll-out plan isn’t a strategic plan because it’s missing a key ingredient: an explicit understanding of the company’s assets that need to be protected. This paper examines what is involved in developing a world-class security strategy.