On Cyber Strategy
3–9–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 9, 2026. The war in Iran continues, and at home prices at the gas pump are rising and stock indices are falling. Many in the US are bracing for a cyber retaliation, as kinetic activities become difficult for the Iranian regime to exchange.
It’s in this context that the US has released what’s being called “President Trump’s Cyber Strategy for America” last Friday.
Let’s dig in to what’s in the document, and what’s not.
On Cyber Strategy
As noted, this document was released on Friday after quite a bit of anticipation. Obviously, cybersecurity is front of mind for me, and you if you’re watching this show, but also for leaders across industries in the US and around the world.
The strategy itself is quite short, featuring six “policy pillars.” It also contains quite a bit of preamble, but I think we’re better-off focusing on those specific policy pillars.
The first pillar, entitled “Shape Adversary Behavior,” notes a more aggressive stance, including offensive cyber operations by both the US Government and by the private sector.
The second pillar, which is only four sentences long, is called “Promote Common Sense Regulation,” and aims to both streamline regulations (twice, in fact) and emphasize the right to privacy for Americans.
The third pillar seeks to “Modernize and Secure Federal Government Networks,” a much needed effort (though I’d note that it’s not as if agencies haven’t been trying to modernize … for decades).
Pillar 4 aims to “Secure Critical Infrastructure,” obviously a continued priority given that this is quite literally in CISA’s name.
The last two pillars focus on sustaining superiority in critical and emerging technologies and building talent and capacity.
Taken as a whole, most of these aims are both non-controversial and necessary for all sorts of reasons.
I’ve talked before about my thoughts on offensive cyber operations - particularly by private sector actors - but the rest of the strategy seems both reasonable and timely.
The challenge, of course, is when and how the rubber meets the road. It’s been noted that an Action Plan and additional memoranda are forthcoming, which is where we’ll really get a chance to see if the strategy can be implemented.
If you’re in charge of, or even tangentially exposed to cybersecurity strategy at your organization, I would encourage you to think about the steps beyond the vision. In many ways, setting out the vision is the easy part.
Getting there is hard.
What are you going to do? What are you going to not do? What are you going to measure and how will you know if you’re moving in the right direction?
Understanding these parts of a strategy are inherent to it being successful, but are often overlooked at the sake of posturing and positioning.
Strategies and strategists are not the hard part in any of this. The hard part is making and executing a tactical plan, that requires time, resources, people, and effort, and has to exist in the very real world of constraints, costs, and the fact that the adversary gets a vote - regardless of how much you try to shape their behavior.
Fundraising
From a fundraising perspective, we saw a limited amount of fundraising last week, with only $2.3B in newly committed capital, the majority of which is attributed to Sound Point Capital Management, who raised $1.5b for its third private credit fund.
Private credit was the featured topic on today’s Axios Pro Rata newsletter, which featured a piece about the challenges of the private credit cycle, particularly when redemptions are limited. Private credit was also the lead on Scott Galloway’s Market newsletter today, so clearly it’s having a moment.
Like a lot of other things in our space, it remains to be seen if private credit will turn out to be a smart bet, a disastrous investment, or both depending on when and how you’re exposed.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.axios.com/2026/03/04/iran-cyber-retaliation-risks
https://cyberscoop.com/trump-cybersecurity-strategy/
https://www.axios.com/newsletters/axios-pro-rata-e3f741fb-a5b1-4f93-badc-9e11f68fef6f.html