Prince Marcells
The Difference Between Cybersecurity Strategy & Cybersecurity Frameworks, Models Or Standards.

ISO standards, NIST standards, OWASP Top 10, CIS Benchmarks, STRIDE, risk management frameworks, SOC 2, PCI, HIPAA, the Cloud Security Alliance Cloud Controls Matrix, the AWS Cloud Adoption Framework Security Perspective and AWS Well-Architected Security Pillar.
These and many more models, standards and frameworks form the pillars of the cybersecurity community and have defined best practices for industry professionals and organizations for decades now.
It should hence come as no surprise that the term "strategy" has been used widely by most industry professionals when referring to frameworks, models or standards. This misrepresentation has led many to believe that implementing these industry best practices with regard to cybersecurity is in fact the implementation of a cybersecurity strategy.
However, this is not the case.
The reason for this can be derived from the critical inputs of a cybersecurity strategy. In particular:
§ The identification of an organization's high-value assets (HVAs).
§ The specific requirements, threats, and risks that apply to each organization, informed by the industry they are in, the place(s) in the world where they do business, and the people associated with each organization.
High Value Assets (HVAs) are also known as the "crown jewels" of an organization. If HVAs are compromised at any point, the organization will fail or be severely disrupted.
As part of an organization's cybersecurity strategy, it is essential for the CISO to identify the HVAs of that organization, as this informs executives and the board of directors during resource allocation, resource reduction and any risk-based decision-making process.
For a broader overview of HVAs and their role in the cybersecurity strategy, consider reading the following linked article: High Value Assets (HVAs), The 'crown jewels' of a cybersecurity strategy.
The identification of the specific requirements, threats, and risks that apply to each organization, using credible threat intelligence, informs the cybersecurity strategy and helps CISOs prioritize essential resources, as it allows the organization to measure the value of its assets based on the specific threats and risks associated with each asset.
Understanding both the HVAs and the specific requirements, threats, and risks that apply to each organization, identified using credible threat intelligence, allows the CISO to derive a particular cybersecurity model/framework that uniquely addresses the specific requirements, threats, and risks that apply to a given organization.
Essentially, the result of a cybersecurity strategy is the development of a model/framework that uniquely addresses the specific needs of a given organization.