Common Mistakes When Writing RFPs for Managed Security Services

Using an inappropriate RFP template. RFPs, like business cases, are often written using templates. However, many boilerplate templates simply aren’t appropriate for hiring an MSSP because they are geared towards products, not services. Thus, they’ll ask questions that make no sense, such as asking the respondent to list part numbers.

Asking questions that are ambiguous, not applicable, and/or duplicative. RFPs are often written by an organization’s procurement department, and the authors may or may not fully grasp what an MSSP does. As a result, they fill the RFP with questions that are unclear or are not applicable to what an MSSP does. The questions may also be repeated throughout the document, each time in a different section and with a different item number.

Issuing an RFP that simply makes statements and does not ask any questions. Many times, the “questions” on an RFP for an MSSP won’t be questions at all; they’ll be statements such as “Vendor must meet all contractual obligations,” or “Vendor must have x years of experience.”

Not listing the in-house technologies the MSSP will manage or monitor. If an MSSP does not know what technologies it will be working with, it will not be able to provide an accurate bid.

First, determine whether an RFP is needed. In some organizations, particularly large corporations and public sector organizations, RFPs are required. A smaller organization, however, may benefit from a less formal selection process.

If you’re unsure what you need, consider starting with a Request for Information (RFI). An RFI is perfect in situations where an organization isn’t certain what its needs are and needs more information from vendors to get started. The information gathered from the RFI can be used to issue an RFP later.

Come up with a realistic budget. No organization wants to spend more money than it has to, but it’s important that your budget is based on realistic market rates, not just what you’d prefer to pay.

Outline clear, precise expectations. This includes listing the technologies the MSSP will be monitoring or managing, both hardware and software, to ensure the most accurate bids as well as the best organizational fit.

Ask clear questions that address your organization’s environment and needs. This will allow the MSSP to directly address your organization’s specific needs. Make sure that the IT and procurement departments work together to ensure that the questions are relevant and unambiguous, and that there are no duplicative questions.

Do not write a book. Not only are 100-plus-page RFP’s difficult for MSSP’s to answer, reading the responses will be overwhelming. Concise yet comprehensive RFP’s will generate the most responses, and you will be able to evaluate them much more easily.