Do you have a 'security first' mindset?

To make security a priority at any organization, security professionals must align their goals with those of the business itself. Once business-unit heads view security as an enabler instead of a hindrance, they will invite security professionals to the table during the early stages of project planning.

If you increase your business and political savvy in your organization, chances are you'll be in a position to align security measures better with business goals. Here's a quick quiz that will help you determine how business savvy you are and highlight the areas that need work.

I. PHILOSOPHY

1. Do you believe there's such a thing as 100% security?

If your answer is yes, start changing your outlook. Absolute security may sound like you're doing a great job, but it's an unobtainable state -- and flies in the face of business, which is about taking risks. "Businesses are not in the function of eliminating risk, because that eliminates profits as well," says Andy Ellis, senior director of information security at Akamai Technologies. Your goal should be to provide the appropriate security to enable the business.

If your answer is no, think about balancing an acceptable level of risk against meeting business goals, and discuss and negotiate this risk level with business-unit heads.

2. What is your primary responsibility as a security professional?

A. Mitigate risk

B. Minimize threats

C. Advise the business

If your answer is A or B, you're focusing on how your role limits the organization. Focus instead on how security can enable business, and become an adviser to the executive team.

If your answer is C, you understand what your role in the organization should be.

II. BUSINESS UNDERSTANDING

1. Do you know the goals of each business unit in your organization, and how that group defines success?

If your answer is yes, make sure you're able to use this knowledge when you're planning security strategies. And keep your knowledge up to date: Check back regularly with business-unit heads to learn about new strategies.

If your answer is no, sit down with business-unit heads to get a quick overview of the unit and its goals. Remind them that your job is to help them achieve these goals. They will be more likely to ask you to join a planning meeting for a new IT project if you can speak in terms of the benefits security can bring them.

2. When a business-unit head comes to you to explain a new project, you:

A. Ask about the project's goals

B. Outline the security risks of such a project

C. Run away

If your answer is A, you're more likely to get the security you want integrated into the project than if your answer is B. Understanding a project's goals first, then suggesting appropriate levels of security will make the business-unit head more receptive to your ideas than if you respond negatively with reasons why the project won't work. "Security professionals have to ask, 'what are you trying to accomplish?' and get involved at the front-end planning state to manage risk," says Chad Mead, global head of infrastructure security with JPMorgan Chase Bank, headquartered in New York.

If your answer is C, don't expect the manager to be all ears when you attempt to add security measures to the project in the 11th hour.