Do RFPs Work?

Do RFPs or requests for proposals work as intended? It seems they're loaded with flaws. Yet for some organizations who must follow processes, they become necessary evils for both buyers and sellers. What can we do to improve the process?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our guest Keith McCartney, VP, security and IT, DNAnexus.

Here’s what we discussed:

The RFP’s purpose is to create an equitable buying process that nobody seems to believe. “They’re the embodiment of screening mechanisms coupled with a way to theoretically level the playing field,” said Fernando Montenegro of Omdia. It appears to be a checkbox requirement to appease company policy and regulations. “Usually they have a preferred vendor and just need to show that they have fairly done due diligence,” said Jessica Weiland of Optiv Inc. “The requirements are often aligned to favor the vendor that the team wants,” said Robin Oldham of Cydea. “It drives up the cost for vendors responding to RFPs they were never going to win, which ultimately is paid for by customers.”

To win an RFP you have to be involved before the RFP process begins. “Vendors are usually just column fodder - procurement has to have at least X amount of proposals to push it through to purchase, thus the RFP,” said Kenny Stella of ALTR. “If we aren't having discussions pre-RFP I've basically missed the boat already.” Getting in early has been the technique of Pete Mistry of Okta: “My personal approach has been very much to ensure that we are influencing the decision-making tree within an organization before an actual RFI/RFP is issued as this generally means that we stand a much better chance of securing the customer.”

RFPs often fail to reward innovation. “RFPs are also often written with a ‘rear view mirror’ perspective on available solutions and their functionality, which can inadvertently block out new and innovative vendors,” said Rick Bullotta. “A good RFP will be written in a way that defines the desired business outcome, not the solution. That way, you're not limiting innovation in vendor's proposals,” said Dan Edwards of Park National Bank. Supporting that theory, Michael B. of Progress said, “Good RFI and RFP docs should lay out the problem and ask for approaches to solve it.”

The RFP is often a good exercise for the issuer. “The RFP is useful in forcing the requesting party to at least exercise some forethought in describing what they need,” said Paul Hugenberg III CPA, CISA, CRISC, CISSP, CMMC-RP of Rea & Associates, Inc. To get the solution you want, you need to ask the right questions, noted Yaron Levi of 杜比实验室, “Don't just ask, ‘Do you have X,’ but ask to explain or demonstrate how the vendor accomplishes or supports X.”

Don’t just get in early, start working early to truly understand the needs. Easier said than done, but try to find a way to get working with the company on a limited time or even pro bono so you can scope their problem statement and requirements. “Through this exercise, you demonstrate your ability to understand their issues and give them exposure to your capabilities,” said Michael Lines of Open Technology Solutions, LLC.

Please listen to the full episode here, on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, TrustCloud

Join us TOMORROW, Friday [05-19-23], for "Hacking the Software Supply Chain"

Join us Friday, May 19, 2023, for “Hacking the Software Supply Chain: An hour of critical discussion of catching intruders to your SDLC pipeline.”

It all begins at 1 PM ET/10 AM PT on Friday, May 19, 2023 with guests Mackenzie Jackson, developer advocate, GitGuardian and Julie Tsai, Board Member, Bay Area CSO Council. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Huge thanks to our sponsor, GitGuardian

Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be David Hannigan, CISO, Nubank.

Thanks to our sponsor of Cyber Security Headlines, Hunters

Jump in on these conversations

"What is your favorite question to ask someone when interviewing them for a job in infosec?" (More here)

"Do you believe statements like: 'Cybersecurity has millions of unfilled roles!'...LinkedIn gives you a different picture." (More here)

"Cybersecurity is a huge career field. What career path within this field should you take?" (More here)

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-19-23] Hacking the Software Supply Chain
  • [06-02-23] Hacking the Future of Risk Management
  • [06-09-23] Hacking Data Loss

Save your spot and register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.

Julie Tsai

Cybersecurity Leader (CISO/TechOps) | Board Member | Investor/Advisor | Author/Instructor | +18y (Sec)DevOps

1 year

It's interesting how something that was originally intended to promote transparency and fairness and economy has mushroomed into something else.

Alfredo Ramirez

Co-Founder and COO at Prosal || Scale Your Business with RFPs

1 year

This post is spot on! RFPs can be a huge time investment with very little to no reward, only to find that someone was already picked as the winner before the process even began. A lack of transparency and engagement in an RFP process is a lack of respect for those people who are considering responding to you. I get on my pedestal often about this topic: https://prosal.io/#/blog/four-tips-for-more-rfp-responses-candidates

Scott Gambaro

Changing how companies collect, measure, and analyze buying requirements, so you can make better buying decisions.

1 year

This discussion highlights the many pitfalls and complexities inherent in traditional RFP processes, making it clear that we must push for reform. We can't continue to let flawed systems that reward early involvement, overlook innovation, and often result in inflated costs dominate our procurement practices. This is a call to action! It's time to retire antiquated RFP methods tied to pdfs and spreadsheets and embrace a new era of procurement with tools like TheGreenRFP. It offers a streamlined, efficient, and transparent approach that goes beyond merely ticking boxes to satisfy company policy and regulations. Let's truly level the playing field and foster an environment where innovation and effectiveness are valued over connections and familiarity. Our focus should be on achieving business outcomes and fostering competition that benefits all stakeholders.

Kyle Burt

Cybersecurity As-A-Service Confidence

1 year

My opinion - RFPs are a big waste of time often being a cut, copy, & paste from an outdated vendor doc. There's value in being able to quickly eliminate the 4,200+ security vendors and quickly down select based on the desired outcome, environmental context, external risk factors, and otherwise preferences that the org has - but there are better ways to do this.
