Common Mistakes When Writing RFPs for Managed Security Services

Data breaches and other information security threats are on the rise, and the cyber security skills gap is widening.

Many organizations, faced with limited in-house resources, are choosing to partner with managed security service providers (MSSPs) to handle all or specific areas of their information security needs.

Hiring an MSSP allows organizations to focus on their core competencies while benefitting from the expertise of skilled security experts who monitor the system around the clock, usually at a lower cost than hiring security analysts in-house.

In many organizations, evaluating and selecting an MSSP is a process that usually involves writing a request for proposal (RFP).

A well-written RFP is beneficial to the selection process, as it allows an organization to gather and evaluate its options in an orderly manner.

However, a poorly written RFP can result in few or no bids; bids that are too high or unrealistically low; bids that do not address the areas the organization wanted to address; or requirements mismatches (which may not be obvious until after a contract is signed, and results in a failed business relationship).

Among the most common mistakes made by organizations when writing an RFP for an MSSP are:

• Using an inappropriate RFP template. RFPs, like business cases, are often written using templates. However, many boilerplate templates simply aren’t appropriate for hiring an MSSP because they are geared towards products, not services. Thus, they’ll ask questions that make no sense, such as asking the respondent to list part numbers.
• Asking questions that are ambiguous, not applicable, and/or duplicative. RFPs are often written by an organization’s procurement department, and the authors may or may not fully grasp what an MSSP does. As a result, they fill the RFP with questions that are unclear or are not applicable to what an MSSP does. The questions may also be repeated throughout the document, each time in a different section and with a different item number.
• Issuing an RFP that simply makes statements and does not ask any questions. Many times, the “questions” on an RFP for an MSSP won’t be questions at all; they’ll be statements such as “Vendor must meet all contractual obligations,” or “Vendor must have x years of experience.”
• Not listing the in-house technologies the MSSP will manage or monitor. If an MSSP does not know what technologies it will be working with, it will not be able to provide an accurate bid.

How to Write a Solid RFP for an MSSP

How can organizations avoid these pitfalls and write an RFP that generates good responses from a number of MSSPs?

Following are some tips:

• First, determine whether an RFP is needed. In some organizations, particularly large corporations and public sector organizations, RFPs are required. A smaller organization, however, may benefit from a less formal selection process.
• If you’re unsure what you need, consider starting with a Request for Information (RFI). An RFI is perfect in situations where an organization isn’t certain what its needs are and needs more information from vendors to get started. The information gathered from the RFI can be used to issue an RFP later.
• Come up with a realistic budget. No organization wants to spend more money than it has to, but it’s important that your budget is based on realistic market rates, not just what you’d prefer to pay.
• Outline clear, precise expectations. This includes listing the technologies the MSSP will be monitoring or managing, both hardware and software, to ensure the most accurate bids as well as the best organizational fit.
• Ask clear questions that address your organization’s environment and needs. This will allow the MSSP to directly address your organization’s specific needs. Make sure that the IT and procurement departments work together to ensure that the questions are relevant and unambiguous, and that there are no duplicative questions.
• Do not write a book. Not only are 100-plus-page RFP’s difficult for MSSP’s to answer, reading the responses will be overwhelming. Concise yet comprehensive RFP’s will generate the most responses, and you will be able to evaluate them much more easily.

There are many MSSPs in the market, and not every MSSP is the right fit for every organization.

A well-written RFP is the first step in choosing an MSSP that your organization can have a long and beneficial relationship with.

Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.