Can a business strategy-development method like Mintzberg's bridge be applied to IT/cyber security?
Yes — the same multi-perspective, strategy-then-tactics thinking transfers directly to security: you set a long-term security direction, then choose concrete defensive tactics to implement it.
These strategy frameworks — Porter's generic strategies, Mintzberg's bridge — carry straight over to cyber security. The same logic applies:
- Look back — which past incidents and controls worked or failed?
- Look from above / sideways — the threat landscape and what attackers (and peers) are doing.
- Look from below — your own assets, weaknesses, and resources (an internal security SWOT).
- Look forward / beyond — emerging threats and scenarios.
- See implementation through — operate controls continuously, not once.
The takeaway: a cyber security strategy is a long-term direction for handling threats; the tactics are the specific technical and organizational measures that realize it.
Tip: Strategy and tactics aren't just business or military concepts — they're exactly how to reason about defending an organization: set the long-term security direction, then pick the tactics that implement it.
Go deeper:
NIST Cybersecurity Framework — a widely used framework that does exactly this: organises a security strategy into functions (Identify, Protect, Detect, Respond, Recover) you then implement with concrete controls.