Security management in an organization is ultimately the responsibility of upper management. Many large organizations have structured hierarchies in which designated positions report to upper management. Upper-management positions in cybersecurity include the Chief Information Officer (CIO), the Chief Security Officer (CSO), and the Chief Information Security Officer (CISO).
It is good cyber hygiene for an organization to develop three main types of plans: (1) a strategic plan, (2) a tactical plan, and (3) an operational plan.
A strategic plan in cybersecurity is the organization's long-term plan. It typically looks forward around 5 years and is the foundation of the organization's security posture. The strategic plan should be closely aligned with the organization's business goals and objectives.
A tactical plan is derived from the strategic plan. Because the strategic plan is long-term, the tactical plan breaks it down into one-year goals that work toward the long-term vision.
The operational plan is the most detailed of the three. It breaks the strategic and tactical plans down into specific details on budget, staffing, scheduling, and the step-by-step actions needed to carry them out.