What do most security folks say is important but few actually do?
Lots of fun answers, but I'll take the easy route and say a strategy that communicates the scope, value, state, and direction of the program. I received a couple of questions about developing strategies lately, and it made me wonder if a general template would be helpful. I was a bit surprised when I Googled "information security strategy" or "IT security strategy." Aside from a bunch of random crap, most "strategies" are really control implementation road maps. Check out the FFIEC's take. Here are the first two sentences:
"An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans."
Recall the Magnificent 7 post for my take on infosec strategies. I have a much broader view and have witnessed that a "program level strategy" is magic for communicating and building support for your program. Since the FFIEC can't be wrong, let's call it semantic differences.
Back to the question. When I create a sample strategy, it will be exactly wrong for you. However, I have an uncontrollable urge to share what I've seen work in the past. As I pull the content together, I'll treat the work as a template with the goal of helping you create or advance yours.