Iron Mountain Member Case Study
Iron Mountain Achieves Peak SIG Adoption
Given its heritage of storing, protecting and managing information and other assets for tens of thousands of client companies, it’s no surprise that Iron Mountain has played a pioneering role in advancing third-party risk management (TPRM) standards and practices.
As an early member of the Shared Assessments Program, Iron Mountain has often been the sole vendor on steering committees otherwise made up of outsourcers, consultants and other experts. As Shared Assessments membership expanded to include more third parties in recent years, Iron Mountain has remained an influential shaper of TPRM policies, processes, practices and tools. The company’s inbound TPRM service team has developed an instructive approach for driving the adoption and use of the Standardized Information Gathering (SIG) Questionnaire Tools among client companies.
Kudos to Shared Assessments for developing tools that capture and quantify all the necessary risk data. At this point, the SIG acceptance rate is higher than it’s ever been in the marketplace.
That was not always the case, however. During the past decade or so, Iron Mountain’s inbound team worked diligently and creatively to steadily increase the use of SIG tools among its client companies, according to Seth Bailey and David O’Connor, a Manager in Iron Mountain’s Information Security team. More recently, Bailey’s team has contended with a surge in information security schedules — lengthy and complex addenda to vendor contracts designed to address soaring cybersecurity risks — that necessitate similar levels of diligence, ingenuity and collaboration to manage. The discussions that follow focus on the strategies and tactics Iron Mountain deploys to address both challenges.
Three Ways to Increase SIG Adoption
Bailey’s GRC group, which includes inbound and outbound TPRM services teams, is part of the company’s enterprise risk function, which is led by a Chief Risk Officer. This central function houses physical security, information security and all other functions responsible for the second and third lines of defense across the global enterprise. This organizational structure, which was recently put in place, is helpful in that it gives TPRM and other risk groups a seat at the senior decision-making table, Bailey emphasizes.
Because Iron Mountain has a massive, global client base, negotiating with customers over TPRM-related information requests can be time consuming. Iron Mountain typically qualifies as a high-risk vendor because it stores data and information for its customers. “Our customers’ ranking systems flag us as a high-risk — not all of the time, but quite frequently,” Bailey explains. “That tends to trigger everything from stringent policies, to on-site assessments, to corporate audits.”
This motivated Iron Mountain to join the Shared Assessments Program to help shape the development of the SIG tools (and, more recently, the SIG Lite tool) — and to encourage the adoption of those tools by thousands of customers. As SIG adoption increased, Iron Mountain experienced significant reductions in the time, effort and money associated with manually responding to unique TPRM questionnaires and/or related information requests submitted by different customers.
Completing custom TPRM information requests typically requires eight full-time-equivalent (FTE) hours, O’Connor estimates while noting that the most comprehensive requests can consume up to a full week’s worth of FTE labor. “We get some extremely large and detailed questionnaires from customers,” he notes. “It requires a very labor-intensive response.” Bailey agrees. “All of that time adds up,” he says, “and it represents a material cost to our company.”
After selling customers, as well as internal sales colleagues, on the benefits of the SIG tools, Iron Mountain’s inbound TPRM team managed to reduce the portion of manual questionnaires it completes to a little more than 9 percent: In 2018, only 199 of the 2,173 security/risk management documentation requests customers submitted needed to be completed manually, O’Connor notes. The SIG questionnaire tools comprised the vast majority of automated questionnaires Iron Mountain submitted in 2018.
Getting to that point took significant time and effort, and Bailey and O’Connor indicate that the following approaches were especially helpful:
- Selling customers on speed: Given the amount of manual work involved, Iron Mountain’s normal turnaround time on completing a custom questionnaire is roughly four weeks. “While we certainly have accelerated that turnaround time,” O’Connor notes, “we do not have an unlimited capacity to respond quickly when we get a surge of custom requests. During peak audit season, when the team is extremely busy, the turnaround time for custom questionnaires can increase to five or six weeks.” For those reasons, Iron Mountain promotes the time-savings benefits of the SIG tools to customers. “We’ll say, ‘Hey, listen, we understand you’re in a rush and we can give you the SIG instantly — just ask and we’ll send it over,’” O’Connor continues. “If they decline that offer, we explain how long their custom questionnaire will take to complete.”
- Educating sales colleagues on SIG benefits: Iron Mountain’s inbound TPRM team delivers formal training to sales and operations colleagues. These sessions raise awareness of the need to involve the inbound team whenever a customer submits a TPRM-related request (e.g., a contract or a questionnaire); emphasize the time- and cost-savings value the SIG tools generate for the company; and provide an overview of the security assurance reference (SAR) guide that the inbound team developed and continually updates (see below). “The main thrust of our training is educating them about our request process and underscoring the importance of having requests come through us,” O’Connor notes. “Sales has been great. Once they understand the SIG tools, they really get on board and push the benefits of the SIG for us.”
- Publishing and continuously updating a security assurance reference (SAR) guide: About ten years ago, Iron Mountain’s inbound team developed a security assurance reference (SAR) guide as a more efficient way of validating completed questionnaires against policy. The SAR contains policies, workflows and screenshots that portray the security and risk management activities and practices customers want to see and evaluate. “The SAR validates what’s in the SIG,” Bailey notes. The guide has grown significantly more detailed over the past 10 years, since it is updated quarterly in response to new risks, varying types of security risks, customer requests and, of course, internal policy adjustments. “Many of our customers love the guide because it contains most of the policy and program information that they want to see,” O’Connor notes. “Some of our largest customers request to see the SAR after every single quarterly update. They value having the most current information about our program.”
While those three steps were instrumental in increasing the rate of SIG acceptance in recent years, Iron Mountain continually evaluates new approaches and tactics for increasing the efficiency and effectiveness of sharing security and risk-management information with customers. “We recognize that some other companies charge customers for certain inbound third-party risk services,” O’Connor notes. “While Iron Mountain has not taken this step, we’re always evaluating potential adjustments that can drive improvements.”
Information Security Schedule Requests Soar
Iron Mountain also continually calibrates its inbound third-party risk management activities in response to changing customer expectations. In the past two years, for example, the volume and complexity of information security-specific schedules have increased dramatically.
“We’ve experienced a massive uptick in the information security requirements companies are asking for in their contracts,” O’Connor reports. “Customers are getting very specific and more stringent about what they expect us to do from an information security perspective and what they want us to provide during audits.”
These information security schedules require extensive initial reviews by experienced information security experts, and often a second round of review by Iron Mountain’s Legal team. Time-consuming and detailed discussions between the two companies can ensue, and that back-and-forth can sometimes extend the sales cycle.
“These requests are our biggest pain point right now,” O’Connor says. “This is really an industry-wide concern.” To address this challenge, the inbound team has taken the following two actions:
- Creating a default security schedule: Working closely with Iron Mountain’s most experienced information security professionals, the inbound team developed a security schedule that it offers to customers. Most companies have responded enthusiastically to the template, but the team continues to update the default schedule to reflect common requests and requirements contained in all of the security schedules Iron Mountain receives, including those from its largest customers.
- Developing an internal guidance document for Legal: To strengthen their legal colleagues’ negotiating hands — and to save them time — internal information security specialists developed a guidance document containing explanations of common technology requests, how those issues are addressed in practice and, in some cases, alternative language that Legal can suggest be used in the contract. “It’s definitely a work in progress,” O’Connor notes, “but it has helped further reduce our internal review time.”
Bailey and O’Connor remain optimistic about the progress of TPRM standardization.
“The value we gain from the SIG tools is much higher now than it’s ever been, because the acceptance rate is so high,” says Bailey. “There are several reasons for that, one of which is that the industry is maturing. You can see that in how many people from Shared Assessments’ steering committees have moved to new companies over time. Each time that occurs, awareness grows.”
Trusted by more than 225,000 organizations around the world, and with a real estate network of more than 90 million square feet across more than 1,450 facilities in over 50 countries, Iron Mountain stores and protects billions of valued assets, including critical business information, highly sensitive data, and cultural and historical artifacts.
Providing solutions that include information management, digital transformation, secure storage, secure destruction, as well as data centers, cloud services and art storage and logistics, Iron Mountain helps customers lower cost and risk, comply with regulations, recover from disaster and enable a digital way of working.
9 percent: Portion of all inbound third-party risk management questionnaires containing custom requirements