Let us not be frightened by the words: the majority of security awareness sessions are quite boring! Ask your users. The sessions don't speak the users' language and don't align with their concerns. The majority of users behave gingerly when called to duty. A lot of money is thrown in the trash.
FISMA, HIPAA, CAG-SANS Top 20 Critical Security Controls, ISO 27001/27002, PCI DSS, NERC-CIP, European regulations: does it ring a bell?
Your organization is subject to a security-related regulation, or maybe to multiple ones! This is not a surprise, as nowadays nearly all industry sectors are subject to security regulations. Compliance with these regulations can sometimes be confusing, but it definitely consumes time, people and money.
Strategy & tactics
Strategic planning is a fundamental element of successful companies and is a crucial part of managing delivery.
Without a security strategy, it will often not be clear how the security controls contribute to the overall aims of the organization.