Just saw a blurb about a new book Security Strategy: From Requirements to Reality by Bill Stackpole  and Eric Oksendahl. 

Here is the book description: 

Every business initiative begins with a set of goals and requirements followed by a strategy for meeting those goals. 

An information security program is no different. The majority of what is touted as security strategy is usually more in the realm of tactics. Confusing strategies with tactics keeps organizations from developing an effective information protection strategy. 

The book clarifies the purpose and place of strategy in the information security program. From compliance to physical security strategies, the authors cover a variety of topics that are useful to organizations of all sizes. The text demonstrates how to identify and apply the security strategies discussed. 

Sounds like a great book by authors with a ton of real-world experience.  Unfortunately, it is not being published until October.