Even when you come across some mention of strategy, it is focused on "a strategy" used by a particular organization for budgetary justification. These statements don't need to make conceptual sense, since they serve a political function rather than actually guiding security organizational and operational plans.
Here is a strategy that you can actually use. It actually addresses the question "are we secure enough?" and if the answer is "not yet", provides a way to figure out how to get to that happy state. Unlike any strategy that I've ever seen, and I've seen a lot of them, it incorporates a way to approach cybersecurity that is not for losers. Winning cyberwars and cyber-engagements requires a new way of thinking about security, and this strategy begins to provide one.