Today’s data security RFP must measure what really matters
Even before the advent of COVID-19, seismic shifts in data security had already prompted a rapid acceleration of cybersecurity protocols. When the pandemic hit, it launched a worldwide remote working revolution. Most organizations now have at least a partially remote workforce — both currently and for the foreseeable future. Although offices are starting to open up, data security warriors are still firmly embedded in a protocol that’s been in place for more than a year.
Today, data security requests for proposals (RFPs) aim to protect a mostly remote workforce. Ensuring data security and productivity for employees who work remotely should have been a top priority for every single company; those that have failed to match their data security priorities to the ‘new normal’ continue to struggle.
A recent report by research and advisory company Gartner identified cybersecurity control failures as the number one concern for risk and audit executives this year. This concern was cited by 67% of respondents, across a range of regions and industry sectors. The findings are no surprise. As IT teams scaled up VPN (virtual private network) access, security teams went into crisis response mode — rapidly modernizing remote work access policies, despite the limited experience of safeguarding an entirely remote workforce.
Team orientation and sustainability
Data security needs shifted dramatically — including budgets, sales cycles and security considerations. But despite changing data security needs, organizations should approach an RFP the same way they did pre-pandemic. This means that, prior to vendor selection, they should thoroughly discuss the project in-house. Build a dedicated team to drive the problem-solving process. Ensure the project team defines related milestones, as these will help to measure progress and success both internally and externally. Whatever the specific goal, the overall aim is to build an agile environment capable of quickly responding to changing threats.
It’s also crucial to think about a solution’s sustainability. Ask what is needed right now, instead of what people think they need. What is there about this issue that people don’t know they need? And what might they need in the future? Discuss with the security team and also with non-security teams to get a wider view. You want your RFP to accurately reflect your corporate ambition. Think about quick iteration and flexible contracts that can react to the rapidly changing landscape – contractually and commercially you want a supplier that keeps you one step ahead of future cyber hacks.
Armed with a robust template of what they’re looking for, the project team should gather as much external intel as possible. Using a shortlist of possible vendors, source information from peers and industry analysts – anyone with insider insight into the data security industry. Try to get the broader picture of selected vendors, taking note of any likes and dislikes of available solutions. Where possible, source feedback from businesses that have used one of your shortlisted vendors.
RFP evaluation and vendor selection
Once the problem that needs to be solved (and who may be able to help solve it) has been determined, it’s time to define evaluation criteria – what you are looking for in a solution, and how to grade each one. Create questions that address each requirement and ask about scenarios in your specific sector. Afterwards, determine the importance of each individual requirement.
Sometimes grey areas can be eliminated through yes/no questions, or questions where a vendor can respond “Does Not Meet,” “Partially Meets,” or “Fully Meets,” with explanatory detail. Where there is any uncertainty, ask supplementary questions.
The remote working set-up absolutely requires a solution that can prevent employees from storing company data in the cloud — but which can also detect and alert when a user is trying to move files outside of the company’s pre-set guidelines. Similarly, it’s invaluable to have a solution that can tip an admin off when sensitive data is being moved to shared storage, like a personal folder or file, or a removable device. A scoring system that allows companies to adjust their weightings will let you see how well a solution satisfies each requirement.
Having a robust scoring system in place will help you consistently evaluate each vendor, independently, based on their responses to the technical criteria. You may choose not to publish the scoring regime, but ideally, you should test it to make sure it can’t be ‘gamed’. Before final selection, review each vendor’s evaluations and make a case both for and against each one. And before commencing with your chosen vendor, you should debrief those vendors who did not get selected.
There’s no fixed way to write an RFP, but sticking to the golden rule of measuring what matters, and ensuring alignment with corporate IT strategy and corporate ambition, will shepherd you towards the best possible outcome.
Article contributed by Tim Bandos, CISO and VP Managed Security Services at Digital Guardian