Protecting Mission-Critical Intellectual Property
Some of the world’s best-known products and services shape their identity through a company in Des Moines, Iowa. Quester, founded in 1973 using psychiatric research techniques, interviews customers around the world with text-based artificial intelligence tools. The unique data produced from the artificial intelligence enables Quester to unlock the consumer truth and develop strategies that drive their clients’ business growth.
The strategy and insights firm has earned the trust of some of the largest companies in the technology, consumer packaged goods and retail industries. Keeping that trust puts the pressure on Quester to maintain a state-of-the-art information security strategy.
We deal with some of the world’s most sensitive information from an intellectual property perspective. You can’t even begin a relationship with these clients unless you’re compliant across many of the different info security laws at a state, country and regional level.Tim Hoskins President - Quester
The growth of Quester's international business demands compliance with privacy standards from multiple countries and states.
Several years ago, Hoskins and Senior Vice President of IT Jereme Thomas realized that managing the universe of privacy standards was a bigger job than their existing team could handle. So they decided to look for a vCISO partner.
Finding a vCISO That Gets It
“It seemed like the best of both worlds,” Thomas says. “We obtained the expertise of an entire security team and not just one individual. And it was much more cost-effective to enter into a vCISO partnership than to hire a full-time person.”
Thomas began asking his industry contacts for recommendations, putting a high priority on finding a partner who could not only perform at a high level but also mesh well with Quester’s culture. When Pratum came to present its services, Thomas’ team made an immediate connection.
“Everything just clicked,” he says. “It can be overwhelming at first to go from a limited foundation to getting a formal process in place. But Pratum knew its stuff. They had a plan laid out for us in terms of what we need to be doing month-to-month to get there.”
Pratum Senior Information Security Consultant Jim Sixta began meeting with stakeholders, sharing updates at all-employee meetings and spending time at Quester’s office. “It gets to the point where I walk in the door to meetings and actually forget that I’m a Pratum employee,” Sixta says.
Before long, Quester employees were adopting Sixta’s tips outside of work by setting stronger passwords, performing regular software updates and more. That turned out to be a critical head start when COVID closed down offices and blurred the lines between personal and professional technology.
From Housekeeping to Strategic Planning
Quester’s first task for Pratum was updating the company’s security posture by creating written policies and setting demanding privacy compliance goals. The company asked Sixta to help them identify and comply with the world’s most stringent privacy standards, ensuring that they’d be ready every time new countries issued their own guidelines.
That aggressive early stance prepared Quester to win deals they didn’t even know were coming. Many of their clients move quickly, going from requesting proposals to conducting field research to receiving final reports in three to four weeks. That requires Quester to keep its security documentation constantly updated and ready for client review.
“If they weren’t prepared,” Sixta says, “they would probably be having to pass on some of those, or at least giving other companies the opportunity to reply.”
With their proactive security posture established, Quester now relies on Pratum to map out annual security initiatives that will advance the business.
“Jim knows our business and our environment,” Thomas said. “We can just hand some stuff on to him, and he can run with it. He knows our ins and outs, which is really nice.”
Building a Security Culture
Quester’s leaders credit a company-wide focus on security for making their vCISO experience successful.
“Your leadership team has to be bought in,” Hoskins says. “Is everybody going to be consistent and give it the time and attention it deserves in the early days and at various point throughout the year? If you’re not ready for that, no matter what partner you choose, it’s not going to be successful. We dedicated time and resources to it. That’s the key.”
That commitment clearly permeates the entire company, Sixta says.
“It’s one of the best success stories I’ve seen from the perspective of baking security into their culture,” he says. “Not many companies are this committed to it and continually communicating it. It’s not just a matter of creating documentation and going through the motions. It’s weaving security into their fabric. Employees know we have to maintain this high level of compliance because it may help us land additional business.”
Crafting a Business Advantage
As Quester’s security posture has matured throughout its partnership with Pratum, the company’s executives have evolved their perspective from seeing security as a cost center to viewing it as a revenue generator and differentiator that wins deals. When they’re working with the world’s largest brands, Hoskins says, some of the first questions cover Quester’s security strategy. As a result, Quester has learned to actively market their security focus to cut off less-prepared competitors.
In short, Quester’s vCISO investment has produced clear ROI.
“We’ve had several six-figure, multi-country projects that, if it had not been for the partnership with Pratum, we wouldn’t have even made it to the scope of work stage,” Hoskins says. “That’s how valuable this has been for our business. Thirty percent of our business is global work. Without Pratum’s expertise and our team working together and putting it all in place, that’s 30% of our business that doesn’t exist.”