A conversation with Peter Hesse on prioritizing policies to protect information

“Have you ever seen or heard of anyone prioritizing security policy?”

Central to Peter’s work and Information Protection Assessment (IPA), I asked him to share insights on how to get started assessing and prioritizing our security efforts.

With the current crush of media, starting the conversation with business and decision makers is getting easier. The constant stream of breaches and stories about the threats and attacks that companies of all sizes face have companies concerned. They are struggling to try to understand, let alone get it all done themselves.

“Prioritizing efforts helps the overwhelmed IT staff make progress and show improvement,” explains Peter.

A lot of companies offer assessments. A lot of companies demand their own assessments. Most of us in the industry sense the current approach could be better.

After a few years of basing assessments on the policies of a customer to assess business partners, vendors, and acquisition targets, Peter and team experienced an “aha moment,” about the process.

“We realized that our customer’s process was flawed because it didn’t allow us to capture valuable information if there wasn’t a corresponding checkbox.”

That lead to the creation of the No Checkbox Manifesto. Peter explains that the reliance on lengthy and complicated check-box style assessments leads to incomplete results, a false sense of confidence, and worse, multiple competing check-box based assessments.

Peter’s team decided to take a different approach, and developed the Information Protection Assessment (IPA) process to focus on three areas: information that requires protection, the measures already in place to protect that information, and the organization’s tolerance and appetite for risk.

“We realize that most of our customers do have a compliance need – meaning there are checkboxes that need to be checked – but our process ensures we don’t just check checkboxes but also know how to prioritize efforts to best protect their information.”

According to Peter, focusing on the three elements of the IPA process delivers better results in the same timeframe. And while the assumption is that the effort costs more than a traditional check-box assessment, Peter suggested that sometimes his approach is less expensive, too.

It benefits the company and potential partners. At the end of the assessment, they have a better sense of their information, risk, tolerance, and a plan tailored to their business.

The current challenge to helping people take a more prioritized approach to protecting their information is “a lot like telling someone to go to the doctor for a physical. Many people would prefer to remain blissfully ignorant of their body’s health rather than learn what needs to be improved, and then take action to improve it.”

The Catalyst Questions

These are five questions asked during each conversation. The responses are printed as shared with me. 

1. What is your why? What is your your purpose? What drives you?

One of my first jobs was developing cryptographically secure messaging systems for the defense department. When I would come home, my wife would ask me what I did and my response was always ‘I helped save the world today.’

These days, the work I do is not as directly related to the health and well-being of individuals, but I still feel like I’m trying to make the world a better, safer place. If I can do something so a business not lose the earnings they worked so hard to gain, or to ensure that another person’s identity won’t be stolen, I’ve made a difference.

2. What still requires translation to be successful?What’s something people still struggle to understand, where we can all work together to build a better translation?

We serve both large companies and small businesses. All businesses have similar needs when it comes to security – they want to keep their information safe.

Unfortunately, people tend to jump to solutions too quickly without fully understanding whether or not it will really help in their situation. They want to feel secure by spending money to buy a product which promises to make their network hacker-proof. But what if hackers aren’t their biggest concern?

There are no silver bullets or one-size-fits-all solutions, and the size of the business often governs the budget, personnel, and resources you can bring to bear. There are a myriad of different regulations to comply with, threats to scare you, and products to choose from.

We need better guidance around how to assess security needs, and how to prioritize solutions. The industry needs to stop selling products that treat symptoms and instead start focusing on outcomes.

3. What was your biggest failure? How did you recover? What did you learn from it?Success is often defined by what we learn from our mistakes

My biggest failure was allowing my business to become too dependent upon one customer. We suffered a major downturn in revenue as that customer changed directions, and as a result had to lay off some of my team members. The biggest lesson learned was to focus on diversifying our customer base and keep our pipeline of potential customers full.

4. How do you prioritize and justify your efforts?Help others learn from your experience to sort through the noise to find and focus on what matters

The nature of our business is to support clients that present us with different, interesting challenges every day. I’m passionate about the work I do, and often will end up researching a new topic or technology far more than is necessary to complete the task at hand. As a result, sometimes I tune out more than just the noise – as I become engulfed in solving a problem I sometimes miss some of the signal as well.

This is an area I could improve in, to become a little less interrupt driven and a bit better at prioritizing my own daily efforts.

5. Best piece of advice you ever got… and offer to others

If we in the security industry put things in the way of people getting their jobs done, we will ultimately be unsuccessful.

People will do whatever they find necessary to get their jobs done. It doesn’t matter if the job is a 9-5 desk job at a consulting firm, pharmaceutical research and development, or general contracting.

Connecting with Peter Hesse

Who are you, how do you describe what you do?

I’m Peter Hesse, President and Founder of Gemini Security Solutions, Inc. I’m a consultant working at the nexus of business needs and security demands. I ensure people can do their jobs while still taking appropriate measures to secure their information.

Where and how do you work?Office, road warrior, or coffee shop?

I primarily work out of an office near Washington Dulles Airport in Chantilly, VA. I also have traveled all over the world doing security assessments for customers. Some of my favorite places I’ve visited on behalf of my customers include Krakow, Poland and Antwerpen, Belgium.

Where and how can people connect with you?

• twitter: @pmhesse
• google+: http://gplus.to/pmhesse
• email: pmhesse at geminisecurity.com

• website: https://geminisecurity.com