Yesterday I wrote about some common Request for Proposal (RFP) pitfalls we have seen over the years at Trustwave. (part 1)

Trustwave offers a wide range of services — from Managed Detection & Response (MDR), Managed SIEM services from Splunk, Qradar, and Microsoft Sentinel security testing, to complex red team engagements, so we‘ve seen numerous of styles and approaches in the format and presentation of the requests. 

This writing reawakened an earlier train of thought about changing the security industry’s mindset toward the RFP process. In cybersecurity, a single solution or vendor rarely meets an organization’s needs entirely. While there are naturally varying levels to this sweeping statement when we get to the workshop stage of nearly every engagement, we find the client has matured since the start of the engagement; they’ve had additional discussions and continued to refine their requirements. 

This change means the RFP document started six months ago is no longer relevant—either in part or in its entirety.

For example, during the period the RFP was being written, the business has come to more fully understand their requirements so that the initial list of 42 mandatory items is now down to only five elements. Alternately, a previous requirement that mandated onsite data storage has since been superseded by the cloud-first mantra as a result of the growth in remote employees.

So why do we put ourselves through this process? Is this a bizarre Stockholm Syndrome in which we lay captive wanting to hear a vendor’s strategies or marketing-approved answers that make each sound fabulous with only the best security people in the world? It could be. But I’m pretty sure we can do better.

Improving the RFP Process

There are numerous ways the RFP process can improve. We could even start a think tank and call it The Stockholm Group. As an example, I’ve outlined an alternate method to simplify an organization’s procurement procedure.

• Select five vendors/service providers your peers have recommended and/or have scored highly in a respected third-party evaluation (e.g., Gartner, Forrester, etc.)
• Invite them to an introductory call.
• Present the challenge(s) you would like them to solve 
• Supply each vendor with the presentation and any other relevant details.
• Book workshops with each vendor
• Give them 2 hours to present their solution. 
• Discern the reality of what they can deliver: This is not simply a sales pitch; you must know the ins and outs of the solution, how it will solve your business need, how it operates within your existing structure, and the responder company’s SLAs around implementation, support, etc.
• Narrow down the field to two finalists.
• Schedule a final workshop with each to address any unanswered questions or concerns.
• Negotiate – don’t skip this part! You will ultimately regret “settling” for a solution or price that wasn’t your intended goal.
• Sign contracts, start implementation
• Live happily ever after

Above all, be transparent with the vendors. Tell them why you ultimately opted to go with a competitor and what they could have done differently to win the business. You could potentially influence their future roadmap to consider different capabilities, or at the very least, assure the salesperson that they haven’t completely failed for not securing your business.

The aim of any new approach should be to more efficiently and accurately obtain the necessary information and achieve the outcomes both parties are striving for. This streamlined process can significantly reduce the time from initiating the RFP to implementation and improve the quality of the vendors’ responses.

If you would like to talk to our dedicated RFP team on your current or future RFP plans, feel free to get in touch at mailto:[email protected].