
How to build a cybersecurity RFP

Crafting a cybersecurity RFP requires clear goals, precise questions and vendor vetting. Follow these guidelines to streamline the process and meet your company's security needs.

A cybersecurity request for proposal (RFP) is a formal questionnaire that outlines an organization's specific cybersecurity requirements and invites vendors to submit competitive bids and detailed solutions. It's a useful tool for organizations seeking to improve their cybersecurity posture or procure new cybersecurity products.

Why a cybersecurity RFP matters

A cybersecurity RFP helps its issuers in at least three ways.

  1. It encourages organizations to clarify their security goals, identify their most important objectives and determine which products and/or services they truly need.
  2. It provides a structured way to evaluate vendors, centralizing critical information for easier comparison and decision-making.
  3. A well-designed RFP helps vendors understand the organization's cybersecurity priorities and determine whether and how their products can meet those needs.

Core components of a cybersecurity RFP

RFPs typically include the following sections:

1. Project overview

Describes your company -- the issuing organization -- and its clearly defined project goals.

2. Company background

Provides information about the issuing organization's mission and operations, with the aim of giving vendors insight into its cybersecurity culture and specific cybersecurity needs.

3. Project goals

Articulates the project's desired outcomes and objectives, clarifying what the organization aims to achieve and guiding vendors in aligning their proposals with these goals.

4. Scope of work/deliverables

Outlines the specific tasks and deliverables expected from the vendor, including functional requirements, project management responsibilities, and testing and QA processes.

5. Timeline

Lays out the key deadlines and milestones for the project, helping vendors plan their resources and manage their time effectively to meet the organization's expectations.

6. Budget (optional)

While not always included, this section can provide an estimated budget range for the project, helping vendors tailor their proposals to fit financial constraints and expectations.

7. Selection criteria and submission instructions

Spells out the criteria that will be used to evaluate proposals and details instructions on how to submit responses. This ensures vendors understand the process and requirements for consideration.

Where cybersecurity RFPs can go wrong: Common pitfalls

A guide to building a cybersecurity RFP would be incomplete without addressing the potential downsides of the process. The problem with RFPs, according to well-known cybersecurity blogger Tom Alrich, is that they can turn into voluminous, irrelevant checklists that consume time and money without delivering value. In addition, drafting a cybersecurity RFP can take anywhere from several weeks to months.

All too often, RFP questionnaires focus on evaluating the cybersecurity vendor as a company while failing to ask the most important questions: those directly related to the specific product or service the organization needs from that vendor.

Cybersecurity expert and analyst Daniel Miessler has cautioned that RFPs can be misleading, since it's extremely difficult to assess a vendor's cybersecurity posture from the outside. Proof-of-concept (PoC) demonstrations and initial investigations don't necessarily provide conclusive validation. Ratings can be socially engineered, product descriptions inflated, and organizations often lack complete visibility into their vendors' practices, especially how they handle sensitive data or manage supply chain or fourth-party risks.

Steps to drafting a cybersecurity RFP

To get the most out of your RFP, take the following steps:

1. Identify your security needs and pain points

Sit down with your team to identify, document and prioritize the current vulnerabilities your organization faces as well as potential threats the organization might encounter in the future. Consider factors such as past security incidents, compliance requirements and emerging threats in the cybersecurity landscape. Involve key stakeholders to ensure all relevant concerns are addressed.

2. Craft clear and relevant questions

Questions should be clear, concise and crafted to assess vendor capabilities relevant to your requirements. Unclear instructions often lead to the wrong products or services being recommended. The cybersecurity RFP should clearly state what your organization needs, the price you are willing to pay and whether the vendor can meet your request. Include criteria for evaluating responses, such as security practices, incident management and cost.

3. Vet vendors thoroughly

Investigate vendors' security practices through peer review sites such as Gartner Peer Insights and G2. Look for critical details such as their credit ratings, security scorecards and incident reports. Additionally, ask for references from existing customers and review case studies.

4. Screen vendor offerings through proof of concept

Always request a proof of concept (PoC) to evaluate the product's performance in real-world scenarios.

"I'd suggest making sure the PoC includes everything from the ingestion of data to the use of the tool, so that you have a good understanding of the management and administration of the tool ...," said Daryl Anderson, a resident engineer at security data platform vendor Gravwell. "Ultimately, no matter how good it looks, you will be using it, so getting a feel for how it fits your needs is critical."

You should also ensure the RFP is structured logically, making it easy for vendors to provide the necessary information. To keep the process on track, set a timeline for responses.

Finally, the questionnaire should be short, readable and concise.

Key questions to ask vendors

Questions depend on an organization's particular needs and desired solutions. According to the experts we interviewed, some important questions to consider include the following:

  • Analyst retention rate. What is the average retention rate of your cybersecurity analysts, particularly those handling client accounts or incident response? High turnover could be a concern.
  • Service implementation timeline. What is the expected timeline for getting the service up and running?
  • Incident investigation process. What is your standard incident investigation process, including the typical phases, activities and key deliverables at each stage?
  • Incident response and remediation capabilities. To what extent do you provide incident response capabilities beyond detection and analysis? Specifically, do you offer containment, eradication and recovery support? Please describe the scope of these capabilities and how they're implemented or communicated.
  • Incident escalation and communication procedures. Describe your incident escalation procedures, including internal escalation paths, the process for escalating critical incidents to designated contacts, the channels used -- phone, email and secure portal -- the frequency of updates and the level of detail provided to stakeholders.
  • Feedback-based service improvement. How will you improve your service based on our feedback? For example, if we indicate that we don't need notifications for certain activities, will you acknowledge this or continue sending false alarms?
  • Partnership expectations. What do you expect from us in this partnership?
  • SLA metrics. What are your cybersecurity SLA metrics for Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)?

Best practices to help ensure your RFP is useful, not wasteful

Most RFPs contain upward of 400 questions across hundreds of categories, potentially resulting in wasted resources for both organizations and vendors.

Organizations that follow cybersecurity best practices start by clearly understanding their business needs and goals, focusing on the specific products and services required. These organizations draft questions that are unambiguous, concise and relevant. Key points to consider include the following:

  • Focus on addressing prioritized risk management concerns.
  • Look for products that save money.
  • Identify your red flags.
  • Exclude legal terms from your RFP. If you have additional information, link to those resources as FAQs on your website.
  • Aim to avoid excessive back-and-forth in follow-up communications.

Leah Zitter, Ph.D., is a seasoned writer and researcher on generative AI and cybersecurity, drawing on over a decade of experience in emerging technologies to deliver insights on innovation, applications and industry trends. She is a Certified Information Systems Security Professional (CISSP) from (ISC)2.
