
How to Create a Post-Pandemic Data Security RFP

Even before the pandemic, the last couple of years have seen a series of seismic shifts in data privacy and security for companies. In 2021, there’s no denying things have changed. Some offices are opening up, but for many of us in the data security trenches, we’re still in the middle of a pandemic. Many of us are still firmly embedded in a protocol that’s been in place for more than a year now.

Sadly, companies that haven't changed their priorities to keep up, ensuring that employees who work from anywhere are secured and empowered to do so, continue to struggle.

In fact, according to a recent report issued by Gartner on the top risks to monitor and mitigate, the number one concern for risk and audit executives so far this year is cybersecurity control failures. That’s followed up by complications stemming from the new working model and remote talent management.

Many of these businesses shot themselves in the foot from the get-go. As Gartner notes, as IT teams scaled up VPN access across companies, security teams had to modernize remote work access policies and move away from on-premises policies, off the cuff. These companies had little experience safeguarding an entire remote workforce, but like many of us over the last year, they adapted on the fly.

The pandemic has shifted organizations’ data security needs, affecting how much they’re willing to spend, their sales cycle, security considerations, and so on. I’ve seen it firsthand with data security requests for proposals, or RFPs, that have come in. Nowadays, when organizations sit down to write an RFP, they know a mass return to the office just isn’t in the cards; they’re now looking to protect a mostly remote workforce. 

Still, when it comes down to it, organizations need to approach an RFP the same way they did pre-pandemic. Before even thinking about approaching a vendor, talk at length about the project amongst yourselves. What problem are you trying to solve, and how will you know when you’ve solved it? Build a dedicated team whose purpose is remediating the issue or filling in the gap. Set milestones, not just for your own internal process but for the external process, so you’ll know when you’ve achieved something of note.

Just when you think you’ve talked enough, talk some more. Ask yourself what people need today, what they think they need, what they don’t know they need, and what they might need in the future. From there, consider both sides of the equation. Talk to your security team and then – and this is often overlooked – non-security people at your business to see all sides of the issue.

After you've set up a project team and built a foundation of what you’re looking for, the team should gain as much outside insight as it can. Source information from peers and from industry analysts who always have the inside track on the machinations of our industry, including what their clients like and don’t like about today’s solutions. Don’t go to them blindly though; be sure to come to them with a shortlist of vendors that you think can help your organization solve your problem. If possible, identify others that have used a vendor on your shortlist and gauge their sentiments, too.

As soon as you’ve determined the problem you’re looking to solve and established who may be able to help you, collectively define evaluation criteria – things you’re looking for in a solution – and how you’re going to grade on each one. Come up with questions to address each one. Can your solution do this and under the following circumstances? Afterwards, determine how critical satisfying each question is. 

Sometimes compiling a list of yes-or-no questions, or questions a vendor can answer with “Does Not Meet,” “Partially Meet,” or “Fully Meet,” plus supporting detail, can help eliminate grey areas. These types of questions can force a vendor to commit while still leaving them a little bit of wiggle room to explain where they fall on each one.

For example, for many organizations, a solution that can prevent employees from storing company data in the cloud but can also detect and alert when a user is trying to move files somewhere outside of the company’s preset guidelines is a must these days. With employees continuing to work from home, the same goes for a solution that can help tip an admin off when sensitive data is being moved to shared storage, like a personal folder or file on their network, or a removable device, like USB or NAS.

For needs like these, it’s important to create a scoring system that allows companies to adjust their weightings. Just how well does each solution satisfy each request?

Once you’ve completed your RFP, it’s up to you whether and when you share it externally. Just know that when you do, vendors will tailor their approach to answering your questions, for better or worse. That’s why it helps to have a vendor scoring system set up ahead of time, so you can evaluate each one consistently, independent of their responses to the technical criteria.

After you’ve engaged each vendor, more research may be necessary. Consider how long each vendor has been in the field, refer to customer references, and try to find any data on their churn rate or leadership team to see if they’ll gel with what your organization is looking for. 

Be sure to debrief after each vendor evaluation for a pulse check on whether they’re still in the running or not. Your business means as much to them as theirs to yours. No one wants to be left hanging. At the end of all of the evaluations, review the vendors and make a case for and against each one.

While obviously every organization won’t follow the same path when it comes to writing an RFP, hopefully these tips aid your business when it comes to writing an effective data security RFP and evaluating the responses in “these uncertain times.”

Tim Bandos is the Chief Information Security Officer & VP of Managed Security Services at Digital Guardian with more than 15 years of experience in information technology and securing mission-critical data. Tim joined Digital Guardian in 2016 as VP of Cybersecurity and successfully built the company’s Managed Detection & Response program from the ground up. Prior to Digital Guardian, Tim ran a global security team for DuPont, where he was responsible for overseeing internal controls, incident response and threat intelligence.