Security RFPs: You Must Ask the Right Questions

Whom would you want interviewing prospective specialist doctors if a family member was sick: your plumber, or your GP?

Why then, would any organisation without in-house expertise try to write their own Request for Proposal (RFP) for security services? Or worse, hand it off to the procurement department who know even less, and only have two remits: 1) meet company policies, and 2) get the best price.

As simple as security is, getting the right services (whether consulting, managed, or product) by finding the right help to MAKE it simple, and hopefully, as easy as possible, is probably the most complicated, and the most necessary, thing you can do. It takes an expert to make things simple. Get THAT right and you’re well on the way to a cost-efficient and above all sustainable security programme appropriate for your business.

Taking PCI as an example, here are the steps that organisations take more often than not:

  1. CEO gets the letter from their acquirer stating that they must achieve PCI compliance.
  2. CEO MAY get as far as DSS Requirement 1: Firewalls etc. and glaze over. They hand this off to the IT Director.
  3. IT Director looks at it in a little more detail, but only enough to realise that they’ll need help. He gets budget for a QSA.
  4. Procurement receive the requirements from the IT Director who wrote them based on many assumptions.
  5. Procurement packages up a sub-set of the requirements along with their own standard requirements and sends it out to the QSA ecosystem.
  6. Answers come back to the questions asked and no more, along with a quote based on an inaccurate scope.
  7. Procurement throw out the top and bottom, choose a few in the middle for the next stage and make no effort to refine the selection criteria.
  8. The QSA company who has the best answers to all the wrong questions and is near the bottom in price gets the gig.

And what do they end up with? They get what they asked for, and invariably not what they need.

OK, so this is a completely worst-case scenario, but you would be as horrified as I am if you actually knew just how close to reality this is. In almost 10 years I’ve been asked for details of my pre-QSA security experience twice, and only once have I been asked to provide personal references. I can get my dog through the SSC’s QSA training, and I can sell her to you for a lot less than any of my competition can sell their people, but guess what kind of service you are going to get? About the same actually.

You don’t buy a Smart car then expect it to drive like an Aston Martin, yet you’re shocked and pissed off when your QSA is as much use as hubcaps on a tractor? No offence, but you literally got what you asked for.

Your job as the IT Director (or equivalent) is to do your homework to find the person(s) best placed to then find the services best suited to your business, because they have done it dozens of times for organisations much like yours. And they can do so without any conflict of interest. There are consultants out there who have been in security LONG before they were QSAs, then performed QSA services for many years helping literally hundreds of clients in every industry sector and potentially globally.

These consultants will define the RIGHT questions for your RFP, and then analyse the results before inviting the few decent QSA companies to offer up both their assessment methodology and personnel for appropriate review and interview respectively.

Every service provider out there is trying to maximise their profits – with which I have no problem – but if they are doing so at your expense by giving you inadequately experienced QSAs, tick-in-the-box managed services, or utterly pointless technology then quite frankly you have no-one but yourselves to blame.

The right skills are out there; go find them, or find someone who can.