As CIO at Iron Mountain Inc., William Brown has had a "front-row seat," as he is wont to say, to the landscape of compliance requirements facing companies. After all, Boston-based Iron Mountain is keeper to 425 million cubic feet of paper records, 10 billion emails, 65 million computer backup tapes, 2.5 million PCs and 20,000 servers, making it one of the largest information management and records storage companies in the world.
Brown, who joined Iron Mountain in 2005 and took the CIO job in 2008, will soon relinquish that front-row seat to become a player on the compliance field -- or as some would attest, the compliance battleground. As soon as Brown can find his replacement, he will become Iron Mountain's first senior vice president of compliance process, a career move he announced at the recent MIT Sloan CIO Symposium. We caught up with Brown after the conference to find out what it means to be taking the helm of compliance process at Iron Mountain and what's on his new agenda. Here is an edited version.
What produced the change from CIO to senior vice president of compliance process?
Brown: The genesis was that over the nearly five years I've been here, I have seen the data privacy and operational aspects of compliance become very dynamic. There are a lot of emerging standards. I saw this as a hot area that will require senior leadership at Iron Mountain. And it is an area where we can make a real impact on the success of our customers.
Where is the problem with keeping compliance and IT under the same leadership? Is it a matter of compliance ballooning so there is no time for the CIO to do it, or is it that data management is ballooning so there is no time for a CIO to do compliance?
Brown: From my experience, the CIO has a front-row seat for all things compliance. Sometimes it is almost like the audit du jour. One time of the year, you have the Sarbanes-Oxley auditor coming in to ask you about your compliance there. As we start to look at the data we are storing, security standards like Massachusetts data privacy laws that have emerged over the last 18 to 24 months demand attention.
Will your compliance role have the same status as a CFO or a CIO -- in other words, C-level status?
Brown: I am not going to be the chief compliance officer, if that is the question. Ernie Cloutier, our chief counsel, has that role. But my role as a senior leader draws on my time as a CIO. I think we're finding CIOs have an incredible ability to use some of the skills and the experiences they have in companies and reposition themselves to help companies in ever-emerging areas. The largest companies do this repositioning regularly -- IBM and HP, and folks like that. At Iron Mountain, we are witnessing firsthand the challenges to our customers in terms of risk and compliance in ways they never had to think about before. I think it is an area where a senior leader can migrate and offer some significant impact in the value proposition for our customers.
Is this a lateral move, a promotion?
Brown: It is not a promotion. I am not reporting to the CEO any longer. It will be folded into what we call our global standards organization, so I look at it as more of a lateral move.
But this is a brand-new role. And the genesis is a business case that I have been developing over quite some time: a need to make Iron Mountain more effective in this area in supporting our customers' requirements, and then leveraging that to help customers do the same.
One of the things you witness as a CIO is that many companies, many organizations, attack compliance in a siloed manner. There are different areas of the organization that are dealing with compliance. In fact, it is funny, when you talk about the word compliance, it has many meanings to many different people. I think it was Chief Justice [Stewart], when he talked about pornography, saying something like it is hard to define, but you know it when you see it. Well, I think about compliance in much the same way. In my mind, compliance is defined as the behavior that we want our employees to exhibit on the frontline that makes us add value for our customers. So, this job is really about performance management more than anything.
There are CIOs who will want to know how overseeing compliance process overlaps with other positions in the company. Is there any conflict between the legal teams that normally handle compliance and the IT wonks?
Brown: As part of my developing the business case for this job, those are exactly the kinds of discussions we had with other senior leaders. If you think about the process aspect, there are a whole bunch of intersection points.
If you picture compliance process as a wheel, or a continuum, from the left side you have privacy and compliance, which are legally oriented and help us translate compliance requirements. On the other side you have, in our case, the product managers and service-line owners who have an agenda around those things they would like to build for our customers and the enterprise risk folks, who have an agenda around minimizing risk.
My role sits in the middle -- to now drive from the left to the right what the operational folks should do in the record centers and what the IT folks should do in terms of delivering information management products to our customers. And then the other intersecting point is with internal audit for the inspection and mitigation.
There is one other aspect: Iron Mountain needs to understand where compliance is going to come from. And we need to know where the puck is going to end up. Gartner calls it a "weather bureau for compliance." I think there will be a large role we can play in designing for the future state of compliance as opposed to responding to what the requirements are presently.
We've heard from CIOs how the automation of IT controls has brought down IT costs on regulations such as the Sarbanes-Oxley Act. But no one is telling us that audit costs are going down.
Brown: You're right. The end game is to take control objectives, which are foreign to people outside of the audit cycles, and quite frankly make them a part of people's job descriptions and roles. This becomes something they do every day and have accountability for, and they are graded on in their performance reviews. It becomes part of their DNA. That should make the role of the internal auditor less.
If you take just one example, say enterprise encryption. There are PCI requirements around that, HIPAA requirements around it, Mass. privacy requirements. If you make encryption an enterprise control objective and you keep that control objective "green," then that makes the auditing for all three of those separate compliance regulations much easier.
Is there anything you're going to miss about the CIO job? And tell me a few things you really won't miss.
Brown: This role is very adjacent to IT, so it is not like I am leaving anyone behind. And it has many of the same ingredients as IT, as I've said. I don't think there was anything as CIO that I really didn't like doing. All these things are really part of an effective CIO. I liked most every part of my job, and I think I will approach compliance in much the same way.
When do you start?
Brown: First of all I have to find a successor. That is job 1. As I do that, I am spending a small amount of my time making sure I have crisply identified the compliance landscape for where the opportunities are.
What are the characteristics of a CIO that make the CIO a natural fit for compliance?
Brown: If you can effectively lead and manage governance for an organization, that is a definite prerequisite and one that will serve you well in this role. I think the way CIOs and IT people translate requirements into actions is the second part.
Let us know what you think about this Q&A; email Linda Tucci, Senior News Writer.