There are five critical questions CIOs must ask themselves:

1. Are we compliant both locally and globally?

2. Is mobility threatening the security perimeter?

3. Are our Cloud applications secured?

4. What kind of internal threats are we facing and how are we dealing with them?

5. What is the ROI on our security investments?

Are we compliant, both locally and globally? The issue is complex. The law that applies to a storage repository in one region will not be the same as the law that applies in another region. The storage repository must be structured to comply with both the local law and the law that governs your company headquarters. Ignorance will not be treated as an adequate excuse for non-compliance.

Is mobility threatening the security perimeter? Today, BYOD (bring your own device) policies are widely accepted. CIOs must have a clear understanding of what mobility involves and take the right steps to ensure that perimeter security is never breached. Isolation of work data from personal data, encryption of business information, enforced backup of data to centralized repositories, and compulsory mobile application vulnerability assessment may be some of the steps that you can take to secure the perimeter and mitigate "device risk" or "application risk".

Are the Cloud applications secure? They are as secure as the CIO makes them. Application security will be the province of the service provider only if the application is provided by them. Custom and off-the-shelf applications deployed by the organization will remain the responsibility of the CIO. The CIO must verify the security systems provided by the Cloud vendor and ensure that they do not compromise security in any way. They must check the encryption protocols and ascertain that the encryption makes the data truly impregnable to unauthorized parties. They have to test the application for security weaknesses and vulnerabilities and ensure that these vulnerabilities are patched and secured against attacks.

This brings us to the next question, about internal threats. CIOs have to secure the system against internal threats. The CIO will have to set up monitoring systems that track user activity and event logs, both to facilitate investigation of system events and to support proactive and predictive analysis.

Finally, CIOs need to be aware that security ROI is all about risk mitigation and cannot be computed accurately in numerical values. 100 percent security is also a myth. So, security ROI can at best be approximated.