Affirmative. You need to know if critical data is going places you don't want it to go--even if it's just between internal departments. One company found out that customer service reps were distributing customer data among themselves, not even knowing that that was a violation of protocol.
And in an era of portable devices and cloud computing, you need to know when something connects to your systems, whether that device or person is cleared, and if the device itself has adequate safeguards.
Should I derail a project nearing completion to insert security measures?
Trick question. Short of lighting fires in all the recycling bins to get your CEO's attention, you should do everything in your power to stop projects that will endanger your customers' information (and by extension, your company).
But you can't let that situation occur in the first place. If a proposal is solid enough to show the CEO, it should arrive with security already baked into the details. In fact, security needs to be a standard litmus test, just like ROI is (or should be), for whether the idea makes it out of a department or division.
You might hear that one project is essentially the same as another one that got a green light six months ago. Don't waver. Security challenges mutate like the flu. And no two projects are alike, which means there are new vulnerabilities with each one.