Tim Bandos, CISO & VP of Managed Security Services, Digital Guardian discusses how businesses can approach a data security RFP that will protect a global remote workforce; and the importance of building a dedicated team whose purpose is remediating the issue or filling in the gap.
Data security has never been more important. Even before COVID-19, cyberattacks posed a major threat to businesses, and the pandemic instantly made companies more vulnerable. The sudden shift to remote working required rapid expansion of corporate networks and introduction of new devices, presenting a daunting challenge for security teams and a tantalising opportunity for malicious actors.
The improvised expansion of security systems has been a gift to cybercriminals while IT teams work out how to protect a remote workforce. There has been a 62% increase in ransomware globally since 2019, and IBM’s 2021 X-Force Threat Intelligence Index found that cyberattacks on healthcare, manufacturing and energy doubled in 2020 compared with the previous year.
Security officers are not unaware of this increased and evolving threat. The recent wave of data security requests for proposals (RFPs) reflects a shift in the priorities and needs of organisations, which know that the new corporate reality involves distributed, remote teams rather than everyone working in the office. The efficacy of their threat response, however, depends on the quality of their security solutions, and those solutions in turn depend on comprehensive RFPs.
Given this dynamic, security officers should understand how to create robust RFPs that help safeguard their organisation’s work in a post-pandemic world. If you’re a security executive undertaking this process, here are a few points to consider.
Preparing your RFP
The coronavirus may have introduced new challenges, but the fundamental principles of an RFP haven’t changed. Preparation is still the most important part of the process and the best strategy clearly involves setting up a dedicated team to oversee proceedings and scrutinise the problem at hand.
Before approaching any vendors, organisations must fully understand the issue they are tackling and determine what success looks like. This means setting milestones to track progress internally and externally, and gathering as much information as possible about the issue. Businesses should consider both present and future needs, and should consult both security personnel and non-security staff who may have unique perspectives on new security solutions.
Security has no place for pride, and gaining outside insight is also crucial. The experience of peers and industry analysts can be critical in sorting out the best solutions and judging the efficacy of vendors’ software. Peer outreach needs a plan to be productive, however, so businesses should draw up a shortlist of vendors – ideally ones these peers have used – as the basis for discussion.
Choosing the right evaluation strategy
Once you have created an RFP project team, fully defined the security issue and drawn up a shortlist of potential vendors, you should proceed to the next stage: establishing your RFP’s evaluation criteria. These should spell out the attributes you want in a solution and let you see how well each vendor measures up.
You should craft several questions that address each of the elements you’re seeking a solution for. These questions should determine whether a vendor can provide a service and under what circumstances. Making the answers ‘yes’ or ‘no’ – or offering a set of fixed responses – helps eliminate grey areas by forcing a vendor to commit.
A vendor’s answers should feed into a scoring system that is weighted to reflect your organisational priorities, since some criteria will matter more than others.
Sharing and vetting
Once an RFP has been written you can decide whether to share it externally. Keep in mind that if you share your RFP externally, vendors will tailor their responses to the questions you have shared. Having a vendor scoring system in place before sharing will therefore help you evaluate vendors consistently, regardless of how they respond to the technical criteria.
Vetting a vendor, of course, extends well beyond an RFP. You should also consider how long each vendor has been operating and the quality of their references, and research their churn rate and leadership team to see whether they will work well with your organisation.
Making a decision
After all these stages are completed, you should review the vendors you’re considering and make a case for and against each one to determine the overall winner. Whatever the outcome, good organisations let a vendor know they are out of the running as soon as they are no longer being considered. Not only is this courteous, but it also makes a good impression should you ever need that vendor’s services in the future.
Investing this much time and effort in an RFP may seem like overkill. But rigorously assessing vendors is the only way to find a solution that fully addresses a business’s security needs and protects it in a post-pandemic world. If you understand these points, you’re well on your way to crafting a robust RFP.
Read the latest edition of PCR’s monthly magazine below: