New operational controls are often set up in the aftermath of incidents, new threats, new regulations, or audit findings. Some may argue that it is useless to develop a security strategy with distant objectives, because security only works in reactive mode. Besides traditional business units, the IT department, corporate entities, Human Resources, and others should be considered as partners in the context of developing a security strategy. Business units should understand that the exercise is intended to provide relevant information to elaborate or review the security strategy. There are many examples of security strategy designs and presentations to draw from; however, it would be prudent to present our strategy by focusing on expressed business needs. The importance lies in adopting a formal approach to the establishment and revision of a security strategy. The mission is a short statement recalling security’s main objectives, its main functions, and its contribution to business goals.