On dating websites, users answer profile questions to help you find the perfect match. What are your hobbies? Where do you like to travel? How do you feel about kids? Pretty standard inquiry to help zero in on someone promising.
But when it comes to vetting IT assessment vendors, decision-makers struggle with knowing what to ask about, much less what to expect in answers from aspiring partners. Maybe their Request for Proposal (RFP) is outdated, not representing present-day security concerns, relevant offerings, critical auditor credentials, or other key components that would ensure your IT security is poised for proper protection.
Today, we demystify RFP development to help you land the best possible partner for your upcoming IT assessment and, ultimately, elevate your security posture.
RFPs are as varied as dating profiles, with some requesting bare bones info, and others more like tomes. Here’s what your next RFP could include, as well as meaningful answers to keep an eye out for. (Even if you don’t issue RFPs but accept proposals from vendors, much of the same criteria and expectations apply.)
1. Your RFP Bones. Basic Sections. Most RFPs have some universal sections. These typically include: Organizational Intro, Project Overview and Scope, Assessment Expectations, Contact Person, Procedure for Submitting Questions, Response Format, Evaluation Criteria, Statement of Confidentiality, and Selection Process.
- TIP: You can certainly stop at the above list; however, taking the time to include some or all of what’s suggested below will give you a lot more information with which to make an informed decision. You’ll also learn a great deal about what differentiates your options from one another.
2. Where Are You Coming From? Background. The organization you partner with is your assessment “date” for at least the next year, so ask about their founding, mission, and history.
- TIP: Look for well-established, ideally founder-led companies, which have proven to be more innovative, adaptable, and sustainable. They also tend to reflect the founder’s mentality and original “front line obsession”—which, if around IT security assessment, will likely mean everyone you come into contact with at the organization will share the same passion and priorities.
3. Who’s At The Helm? Leadership. Every organization is a reflection of its leadership, so who’s “at the top” of the vendor companies you’re considering? Their influence will be felt in every aspect of your project and partnership.
- TIP: Prioritize companies led by true security experts vs. just a business head. Someone with their own IT chops captaining the ship will always make sure security, not profit, steers their course day in and out, and that means better services for you.
4. Is Your Main Thing THEIR Main Thing? Specialization. Business keynote speaker and author Stephen Covey said, “The main thing is to keep the main thing the main thing.” So inquire about the company’s range of services to see how much of their effort and expertise are focused on security assessment.
- TIP: A Multi-Service Provider (MSP) has a myriad of offerings, meaning they’re likely doing assessment off the sides of their desks. They’re also commonly looking to up-sell you on their other products and services—which raises the question: how can they be objective in the next assessment of their own solutions? By contrast, pure play assessment providers will offer you the benefit of their laser focus on the most recent security threats, along with innovative audit methodology and best practices for risk reduction. This type of partner will offer greater depth and objectivity in your assessment, as well as meaningful solutions that address present-day threats to your environment.
5. Where’s The Beef? Detailed Service Descriptions. It’s easy for vendors to list service titles and options, but just like a dating profile, the devil is in the details. Instead of accepting a simple list or table of services with no real meat, ask for more.
- TIP: Expect at least a few sentences on each service, if not paragraphs in some cases, as well as links to service pages on their website, screenshots of results, example deliverables, etc., all of which will preview the depth of each vendor’s methods and reporting.
6. What’s In It For Me? Flexible Scope. Specifically asking for a range of add-ons or customization to scope will give you a sense of how closely you can align your environment and security priorities to their services.
- TIP: Watch out for cookie-cutter packages that are convenient for vendors, but which may drive up costs on you with unnecessary items or cause exclusion of key one-offs you need. A true partner will offer a “menu” of scoping items, and within them, further tailoring for the size and nature of your environment, ensuring you get exactly what you need and aren’t stuck paying for more.
7. Who Am I Dealing With Here? Qualifications. Auditors are a varied bunch, from newbs to vets, so ask about degrees, certifications, and experience of those who’ll be working on your project, as well as project lead profiles and resumes.
- TIP: A lot of MSPs outsource to novice auditors with limited experience, education, and certifications, if any. Dedicated assessment providers, by contrast, will have in-house experts with impressive backgrounds. The depth, quality, and accuracy of your assessment will vary dramatically depending on which route you go, so if you ask about qualifications, the differences will be clear.
8. How Does It All Flow? Process and Timeline. Assessment companies have varied approaches to the audit process, particularly depending upon whether they’re fitting you into their world or vice versa. Ask for a clear timeline and audit flow, so you can anticipate how the project will mesh with your team, deadlines, and competing priorities.
- TIP: Expect a clear and logical audit flow that begins with a kick-off meeting with all stakeholders, so everyone’s on the same page from day one about scope, key contacts, document collection, rules of engagement, project milestones, progress updates, and plan for presentation of deliverables.
9. What Do I Get In The End? Deliverables and Solutions. Deliverables have a wide range of possibilities, partly due to the expertise of auditor analysis, and partly due to what’s stated as expected. So define the types of deliverables and presentations you want and request examples during vetting.
- TIP: Sample deliverables are a chance to see the depth of the assessment each vendor would provide, as well as the nature of recommended solutions. Even if only a sample, you should be able to discern whether remediation is generic (unfortunately common among MSPs) or customized for your environment and reasonable given your resources (more the standard with specialized providers).
10. What’s Your Best Price? Affordability.
- TIP: IT security assessments are largely “you-get-what-you-pay-for.” Choosing the bargain basement price provider may be tempting to your budget but ultimately not worth it when you consider the risk to your security and the financial and reputational expense of a breach. Instead, look for a provider who offers high quality assessments, but also lots of ways to make things affordable, such as à la carte scoping options, multi-year agreement discounts, extension discounts, etc.
11. Who Do We Both Know? References. Nothing beats the testimonials, or cautions, of your own industry peers. At minimum, ask for 3 within-industry reference letters and/or contact information.
- TIP: Even with a letter, it’s worth a call or LinkedIn message to get the details of working with a potential partner. As you review testimonials, look/listen for evidence of consistent communication practices, project organization, and service-orientation—because at the end of the day, these are the things that most impact your assessment experience. You can also look for industry recognition as a sign of professional endorsement.
12. Ask And Ye Shall Receive. Transparency. While no one wants to build or respond to an endless RFP, a well-crafted one that lays out your needs thoughtfully is what creates the potential for receiving meaningful responses that help you determine the right vendor.
- TIP: Be as open about your needs and challenges as possible—if not in the RFP itself, then in the conversations with vendors you interview. Your transparency will prompt offerings of solutions from all interested parties—ideas you can potentially use even if you don’t select the vendor.
Proposals That Have It All
Assessment providers with substantive offerings will be excited to provide you a detailed proposal outlining any and all of the above. If it’s helpful to see an example of such a proposal with the aforementioned sections, feel free to request one from our team at BAI Security.
We’d be happy to provide a detailed proposal with à la carte options and affordable pricing for any of the following services:
- IT Security Assessment
- IT Risk Assessment
- HIPAA Security Risk Assessment
- HIPAA Privacy Risk Assessment
- IT General Controls Audit
- Security Best Practice Evaluations
- FedLine Security & Controls Procedures Audit
- Ransomware & Endpoint Compromise Simulation
- Red Team Assessment
- Social Engineering Evaluation
- Network Vulnerability Assessment & Management
- Vendor Management Risk Assessment