Mark Olson, CISO of Iron Mountain, took over the role from his predecessor with the initiative to transform the conversation with executives and align security to the business. With an established information security program already in place, Olson had a comfortable transition into the role. He immediately sought to direct the conversation away from one about being attacked or compromised and toward an important discussion about risk. “The programs were well in hand here and working when I came in, so it was really how I could elevate the awareness level to the executive team,” says Olson.
Olson is involved in conversations about cyber insurance policy levels, revenue levels associated with business, the impact in customer volume, and how these risks may affect business proceedings. This risk conversation has become a true driver for ongoing projects and changes to infrastructure. To accomplish this conversation, Olson’s team uses an enterprise risk management system that tracks risk from a business perspective. “I always go back to this risk position and include business revenue and cost in it. I then take all of this material and add it to the application, making this system the single point of reference,” says Olson.
Reporting to the CSO and working closely with the CIO, Olson meets regularly with the Risk and Safety committee of the Board to provide them with a high-level view of the most critical risks, details on the remediation of these risks, and a running commentary on long- and short-term projects. While most Boards hear from the CIO, Olson states that is not the case at Iron Mountain: “The CIO and I jointly present.”
“To characterize the questions I hear from the Board committee – they often ask questions to ensure we understand the problem and that we have an adequate solution to resolve or remediate risk,” says Olson. As CISO at Iron Mountain, Olson finds that these Boardroom discussions are really about executives getting comfortable with who he is, what he knows, and whether they feel he has identified the right things to help reduce cyber risk.
Olson believes the Board committee understands the value of security and sees the need for a dynamic security program to be in place. While this understanding is important, Olson knows that security is one of many issues the committee needs to consider in reviewing business operations. “The Board committee feels that security is important, but what is of overriding importance is if the company is being run effectively,” says Olson. This is why Olson has focused on enabling his security program to support business growth.
Olson ensures productive, two-way communication with the Board committee by doing two things. First, he educates the Board in a clear, concise way by painting a business-focused picture and avoiding any tactical, IT-intensive conversation. Second, Olson never speaks specifically about how he is getting a project done; instead, he discusses the crucial things he has identified, what programs are in place, and where he is within each program. Olson also produces a one-page metric chart consisting of projects and a corresponding color system for their level of completion. “I always show the Board committee two basic charts which provide the status of public-facing infrastructure and key projects to provide an overall picture of the progress of the projects and their value to risk management.”
As a second-time CISO, Olson has experienced the evolution of the role as it matures into a crucial tool for how the business positions itself to customers. “Today, when we go out and talk to the customer base, we talk about the great offerings that we have and the good physical controls on warehouse space. Information security has become part of the sales cycle and a true value statement to our customers,” says Olson. He believes security has evolved into a direct relationship with the business and has become part of the core operational decision set.