The vision within the organisation's overall security must explain why security is important for that organisation. The message is even more powerful when it is connected to the organisation's overall strategy and core principles.
That said, the security strategy can begin with just a sentence describing the security vision for the enterprise. Another element that hinders a security strategy, especially for a CISO, is the expectation from the board to achieve results in a very short timeframe.
An organization's security strategy needs to be tailored to its industry and the specific threats that the enterprise faces. Some threats that would be considered high-risk and high-probability for one organization might not be viewed in the same way by a different organization.