Atul Vashistha:
Welcome everyone to the next episode of CRO Wisdom, the voice of risk leaders. I’m really delighted today to have Jenna Wells from Iron Mountain, a former Marine officer who focused on signals and electronic ground intelligence, and has made this career now in risk management. Jenna, welcome.
Jenna Wells:
Thank you, Atul. I’m so happy and honored to be here and I’m really excited for the session. So thank you for having me.
Atul Vashistha:
So, Jenna, let’s start by talking to the audience about what is your role today?
Jenna Wells:
Sure. So my technical title is the Director of Third Party Risk Management. So I oversee a direct team of six and that is both remote and local to Boston. I am located in our headquarters, which is Boston, and I’m responsible for the implementation, the regulation and really just the global management of Iron Mountain’s third-party ecosystem, which is across 50 plus countries. And it’s a very wide array of third parties that we deal with on a day-to-day basis.
Atul Vashistha:
Yeah, I remember this well, Jenna, when you started in that role and now the team that you’ve put together. Wonderful. So Jenna, one of the questions I always ask risk leaders like you is, how did you end up in risk management? Because that’s not where everybody started, especially in your case, you started with the Marines. Tell us a little bit about that.
Jenna Wells:
I did, and I didn’t even know risk management could be a career or a field in full transparency. And I’m so thankful that I landed here, because I feel it was actually a very natural transition, I would say with my personality, my background. So to take it a few steps back, I was a signals intelligence officer in the Marine Corps and everyone, it’s such a risk-based job and risk-based mindset in the Marine Corps, especially being an officer. So I think that really helped me to have a very unique perspective that does serve me well in the job today. And one thing I think, I always say this, and people laugh when they say, risk management and they hear signals and electronic intelligence. I’m the most non-technical person you will ever meet. Literally, if I didn’t need a cell phone, I wouldn’t have one. And I think, I really love and transitioned into risk management and I promise I’ll bring us all together at the end. It encompasses so many different areas. And in the Marine Corps I got to interact with so many different Marines, so many different coalition partners, so many just different people in different areas. And so I transitioned out of the Marine Corps. I joined a private asset management firm. I managed their global risk command center, focusing a lot on the physical security piece and the CCTVs and the 24/7 management. I oversaw a team of 13 at that job. And during my time there, I really focused on their third party team and our global third-parties from a physical security perspective. And from that I got really interested and I got very close with the manager for third party risk. And then when a position opened up on her team, I really jumped at the chance. 
So that allowed me to transition from just focusing on physical security, to really the holistic risk management piece, which is physical security, information security, cyber, business continuity and disaster recovery, while still allowing me to network and interact with people from all of those fields. And that’s really what I liked about it the most. I got to interact on a day-to-day basis and I still do with people across all risk areas and then just other areas of the firm and procurement, legal, compliance. I get to talk to everyone. And I think, nowadays everything is so technical. Everyone’s like, “Well, you just focus on cyber or information security.” And I’m like, “No, absolutely not. Because if I did, I would go crazy.” And that’s why there’s subject matter experts on my team that do that. And then the opportunity came at Iron Mountain to actually build their program and manage my own program and team, which coming from a young Marine Corps officer where I had so much responsibility and then not so much starting out in the civilian world and then the opportunity to build and manage a team. I really couldn’t ask for anything else. And here I am two and a half years later, so. That was a lot, apologies.
Atul Vashistha:
No, not at all. Jenna, actually thank you for walking through that story, because as you know, I’ve been involved with national security a fair amount, and one of my passions is to help veterans transition to the corporate or the civilian world. And I think you’ve actually laid a really good roadmap for those that may be interested in a career in risk management. And this field has definitely grown tremendously, especially with the attention from COVID and with supply chain issues coming up. So really thank you for that.
Jenna Wells:
Absolutely.
Atul Vashistha:
So Jenna, let’s talk about today. And when you think about your role, and when you think about other risk leaders, what should be the priorities today to face today’s risks and tomorrow’s risks for that matter?
Jenna Wells:
Yeah, that’s a great question. I think priorities is, that’s a hard one. I think the focus on outsourcing is massive and I think you need to be able to be dynamic with those priorities, if that makes sense. The environment is changing every single day, with the pandemic, with the regulatory requirements, with the locations that people are working, the locations that your data’s housed and your data is going to. So I think you need to be dynamic in your priorities, and very agile with what you’re focusing on. And that’s probably a very roundabout answer to your question. But my priorities are maintaining, just maintaining a very acute awareness of what’s going on with our supply chain, and that, it’s the networking piece in my opinion, and it’s the aggregation and the gathering of data. And it’s being able to identify those changes and then escalate and notify as necessary. So, I’m very aware of, I’d say the 30,000 foot picture on okay, to take it back to COVID. Where are the COVID hotspots right now? What’s in lockdown? Okay, so let me notify the procurement teams, look at the contractual language. Let’s notify the information security team of that changing, business continuity or disaster recovery site to make sure they track our data. And that we’re secure with our data transfer. Let’s talk to the business to make sure they’re having no impact. So my priority is being dynamic and agile, I would say, and making sure my team is really in the weeds of these day-to-day changes.
Atul Vashistha:
So, Jenna, I think you framed it really well, which is, the dynamic and agile, and which leads to my next question. Risk management constantly evolving, right? The threats are constantly evolving, the disruptions are evolving. And so we’re seeing this movement, as you know, I’ve been evangelizing continuous monitoring for a very long period of time. So talk to us about how should companies, or how are you thinking about incorporating continuous monitoring to make sure that you are being agile and dynamic as you undertake risk?
Jenna Wells:
So I think the biggest thing that we’re doing right now is we’re trying to take continuous monitoring and expand it. And I mean, in yes, the tools that we use, but also in the awareness with the different organizations that I work within the company. So, it’s not just the third party risks team to continuously monitor. In that risk-based mindset and approach, everyone that I work with probably thinks I’m the biggest broken record, but I’m like, risk-based mindset. There’ll be sales or procurement or risk or information security, let’s take a risk-based approach to this. And we’re really trying to expand that. So what my team does is we use a couple of tools in our continuous monitoring portfolio. We have criteria for immediate alerts and immediate notification, what needs to be an immediate call, what needs to be an email. And then we aggregate that data on a monthly basis to really do a look back and say, “Okay, here in this last month, here’s what our vendor population was doing. Here’s some of the changes. And then here’s where we see the market going.” So the biggest thing for me is really just expanding that mindset, which I don’t think is ever going to go away, whether it’s the next pandemic or it’s the continuous focus on outsourcing and the changing dynamic cloud environment and where data is being transferred to. It’s really just getting that message out there that, “This is here to stay. So, let’s all kind of get outside of our bubble and pay attention to this stuff and then work together.” If you know something, or the business relationship owner is really the closest to that relationship. My team is doing the assessment and the monitoring, but we’re not working day to day with that vendor nine times out of 10. So if they notice a degradation of services or an issue happening, notify us. We’ll run that through our systems. We’ll reach out and maybe do a point in time assessment or something like that. 
So it’s, let’s look at this from a holistic supply chain life cycle, and really all be involved. So I just can’t focus enough on the risk-based mindset that we’re really trying to impart on everyone.
Atul Vashistha:
No, I think there’s really at least two great takeaways, Jenna, from what you just said. I think one being is making sure that risk mindset is embedded in all our kind of business thinking, because that’s what leads to resilience. And you look at the record of the companies that actually continue to serve their customers, because they saw a risk as resilience and not just a cost-based compliance. The second point that I’d like you to comment a little bit more on, Jenna, I was going to ask you later, but you brought it up, so it’s perfect. So it’s perfect, which is, we often say risk management very siloed. Compliance is looking at compliance and procurement looks at financial risk and cyber looks at cyber, but you very clearly made the point that you are talking to all business functions, right? So you’re cutting through that. Talk to us a little bit more about what has worked for you, so that could be maybe some good advice for others.
Jenna Wells:
Absolutely. I think what’s worked for me the most is, and I’m going to bring it back to me not loving the technical piece, is I love to talk to people. And I love to bring people together and not send an email, get someone on a call and say, “Can we just like the seven of us sit in a room and let’s talk about this?” So I’m very breaking down those silos and bringing people together and saying, “First of all, this is why this is important.” We’re so busy, all of us, I understand that. But let’s proactively look at some of these things which might retroactively make all of our jobs easier. And also protects the company in a much more, I guess, resilient way, to bring the resilience in. So, I would say, “Wait, what I’m focusing on now is breaking down those silos and then bringing us all together as a risk team,” because there’s, you have your compliance department looking at maybe the HIPAA and the GDPR aspects of something and where the data is. Well, if you go to the information security team, they probably have that pretty comprehensive data diagram, right? And then if you go to the third party risk team and look at our inherent risk profile with all of the demographic information, that should really bring it together. And then you look at the contract with the addendums and the appropriate language. And if we’re doing those together in one life cycle, first of all it’s going to cut down your SLA time. So the business is going to like you a lot better, which we’re trying to be seen, not as a roadblock, as a partner with the business. But it makes the whole process so much easier and streamlined.
Atul Vashistha:
Yeah. So, Jenna, let’s talk another challenge that we see, and love your observations on that. So too often, when we look at risk leaders, risk managers, the risk domains they focus on often are cyber and then financial risk of third parties. And very rarely are they looking beyond it. Talk to us about kind of, how do you think about risk domains and a wider risk aperture, any advice for risk leaders around that?
Jenna Wells:
So I think Iron Mountain is probably a great example of that. First of all, because we are a massive global company, but we also have a very… Our core business and what we grew from is shredding transport, right? So it’s a very brick and mortar important business that people don’t think about much anymore because of the cloud environment and the scanning and in the dynamic, new offerings that the company has, which is amazing, but we need to really focus at Iron Mountain on all of it, right? So physical security, incredibly important. I can’t even stress enough that the physical security requirements that we have and that we monitor. Background requirements and compliance requirements. Because we deal with hospitals and schools, where there’s HIPAA requirements and we’re very heavily focused in the EU with GDPR and the privacy regulations. So, we can’t focus on one area and they all really bleed in to one another when you think about it. If someone has an incredibly poor physical security department, that’s a red flag, are they spending enough money on cyber or maybe that’s where all their money is going, which is a problem as well. So we like to see a holistic view of risk from our vendors as well. They should be paying attention to all of it. So I would say that’s just so important from my perspective at Iron Mountain. And again, we’re such a unique company because we have to focus on all of that from everything from our cloud hosting providers, to literally that shred vendor in Alaska. But no one’s thinking about that, but you can’t … Money, we don’t take, obviously financial risk is incredibly important, but a vendor that you’re paying $5,000 to can take down a vendor you’re paying $5 million to. So you don’t use the monetary value as the only aspect of risk.
Atul Vashistha:
Jenna, that’s a really good point. I think the other point that you just made is all about the parties, because for example, many of our, one of the business customers monitors, many of them monitor Iron Mountain. But the reality is, you are talking about your third parties, which are their fourth parties. So Jenna, the scope of third parties, third party risk, absolutely expanding. Risk is dynamic, risk is agile, any observations on artificial intelligence, automation, and how you’re seeing that benefit risk management?
Jenna Wells:
It’s growing. I would say that’s absolutely the biggest growing field that we’re seeing from all of our vendors, as well as our own internal processes. You know, like I said, because Iron Mountain has such a wide array of offerings that we offer our clients. But we’re also seeing that from a lot of our vendors who want to introduce some of this into their day-to-day. So what we’re doing is one, staying very on top of our, not only our annual reviews, but also our meetings with procurement and the forecasting reviews, right? So, we have, if we have X vendor doing this for us, are they going to be doing this for us when we renegotiate the contract or we evolve the relationship? So, it again, it’s utilizing those partners to make sure one we’re tracking our own evolving relationships, and then also reassessing as necessary and required to make sure we’re looking at those new controls. Because everything now is going into the cloud, and it’s not only going into the cloud, but it’s, what cloud, right? And where’s that cloud located? And then where’s that backup cloud or their hot DR site, because is that crossing country borders? So with the move into AI, you introduce a whole new level of risk, and you’re taking some of the physical security risk out of it. You’re taking some of the disaster recovery or the backup site risk out of it, but you’re introducing a whole new set of risks that need to be identified one, and then thought about and mitigated as necessary.
Atul Vashistha:
Yeah, and that scale just really cannot do that with humans. We have to leverage automation. Absolutely. So let’s maybe end with a few questions around the risk profession itself. So Bloomberg recently declared risk management risk officer a hot job. What do you think about that?
Jenna Wells:
I love it. I mean, I’ll be honest. That’s so exciting for me, because this is an area that I want to continue to grow in and continue to evolve. I’m getting much more involved in the information security piece and in the cyber piece, because I know that’s where it’s going. And that’s an area that I think is also really exciting for my team, right? Because I have an incredible team that are focused on different areas that are now growing and honestly never knew this was a path for them as well. So, I think, everyone from just out of college to someone who transitioned out of the military, like me in their mid to late 20s, or even later in their career, you really can take any background and bring it into risk management and bring something to the table, which I think is so unique about this. And so really special, not to be corny, but about this profession where you can, anything is … Most jobs are applicable because you don’t realize that at the time and don’t think that there’s risk in everyday life. And every job that you have that you’re mitigating and thinking about without calling it risk. So I think that’s such a great pathway for a risk management professional where so many real world experiences in prior jobs are applicable. And it’s only going to grow. And if you only focus on one area, then you’re in trouble. You need, to me you just, you really need to be very diverse in your portfolio and what you think about and what you want to do in the future.
Atul Vashistha:
Right, that’s really helpful. So Jenna, let’s focus on kind of your personal growth. What resources do you rely on to make yourself a better risk leader?
Jenna Wells:
All of my colleagues, literally all of my colleagues and my team. My team continually surprises me every day. Some of them are so young and they have just these incredible ideas, and they look at the program and say, “I think if we do this or we add this, this would be really beneficial.” And it’s like, “Yes, that excellent observation.” And then partnering so closely with my colleagues in information security and the cyber team, and in areas that I’m not as well versed in as they are, learning from them every day. And you know, I’m very involved in NIST now. We’re a NIST shop and we focus so heavily on NIST. So, I’ve been doing so much work with those teams and in the mapping and making sure I’m well versed in the regulatory requirements and calling the legal team and just doing all of that. So, for me, it’s my colleagues, they’re absolutely invaluable in my team. And just having, knowing who to call. Again, it kind of goes back to, I don’t want to just read a white paper. I want to sit down with you and hear how you solve this. And also, how can this make my program better and how can our programs integrate? So, definitely the people.
Atul Vashistha:
Wonderful. So Jenna, my final question. Any other advice, or what advice would you give to future risk leaders?
Jenna Wells:
I would just say, be ready for anything and be adapt, sorry be adaptable, be able to adapt to ever changing environments and get comfortable being uncomfortable. And I think, in doing that, that you’re just going to go so far in this changing environment. We spoke about earlier, whether it’s the next pandemic, or the next natural disaster or what may be the next breach, where there’s a dynamic change in the regulatory environment or the way we do business, just become comfortable with being uncomfortable. And then, you can just adapt and move forward. But I would also say honestly, have fun with it, and just be with your colleagues and make connections. And I think that’s going to take everyone very, very far, especially in this remote environment. It’s so hard to get on a call and see someone face to face. So make a point to do that.
Atul Vashistha:
So be uncomfortable with being uncomfortable.
Jenna Wells:
No, right, be comfortable with being uncomfortable.
Atul Vashistha:
I get it. It talks about be ready for change and be resilient. Jenna, thank you so much for joining us. This was really, for me, it really gave me another insight into what makes you successful. Thank you so much.
Jenna Wells:
Thank you for having me. It was a pleasure.
Atul Vashistha:
To the audience, if you want to hear from leaders like Jenna Wells, please send us your suggestions on who we should interview next. Until the next episode, thank you.