RFPs are a Waste of Time

How to stop wasting time by writing stronger RFPs

The Rationale for Not Responding

One of the most common refrains from enterprise IT sales reps is, “If we didn’t help write the RFP, they are NOT buying from us. It’s a waste of my time.” The reality is, that you’re guaranteed NOT to win the deal if you never received the RFP from that prospect to begin with. As Wayne Gretzky said, “You miss 100 percent of the shots that you don’t take.”

It is true that some enterprises use RFPs to both meet a requirement from their procurement department to obtain competitive bids and to place their preferred vendor into a de-facto leadership position in the sales process. The fact is though you can still win RFPs even if you didn’t influence their creation – by offering up a stronger security and compliance message. Your sales process needs to have a proactive, stronger security message to differentiate your company.

It’s Not You, it’s Me.

According to a recent Deloitte global survey of 170 organizations, 87 percent of respondents faced a disruptive incident with third-parties in the last two to three years. The same survey found a similar percentage of acceptance that boards of companies are being held accountable for third party vendor risks.(1)

In regulated industries (e.g. finance , healthcare) the requirement to verify and audit third-party vendor risk becomes even more important with the added regulatory compliance risks of fines and sanctions. Vendor risk is most acute with cloud (SaaS) based service providers where your application design, data handling processes, third party APIs and underlying hosting infrastructure all become potential data leak vectors for your end customer. Compliance and InfoSec teams often can and will veto deals that don’t comply with their compliance standards or security requirements.

What You Need to Know

While compliance can stop an evaluation, it can also help enable it. The sooner you positively and effectively engage the client’s InfoSec and Risk teams in the sales process, the better. You can take these proactive steps to improve your chances for closing a deal:

Prepare a standard set of documentation you can provide all clients under NDA. This would include documents such as your complete information security program, data privacy program, GDPR, business continuity and disaster recovery plans along with product and financial documentation. (Hint: Tugboat Logic’s Information Security Program Export function allows you to summarize your system of record as part of this report)

Plan a product review call with key security stakeholders and have your engineering and IT teams walk them through how your solution is designed, how PII is collected in your application, and how data flows into and out of your application infrastructure.

Ensure your documentation is up to date. Develop a regular review cadence with your team to ensure your information security program is current.

Own and Dominate the Process

You don’t need to take a passive or defensive role in your customer’s due diligence process. Better preparation and active engagement will help you win more deals. Here is some final guidance to RFP response success:

Take the RFP response seriously. Answer questions as fully as possible with more than just a yes or no answer.

Ask your team for help on bringing forward any and all security-centric capabilities in your solution.

When in doubt around a client requirement or request – ask for clarification on whether its applicable to your product or service. For example, an RFP question may ask “Do you encrypt all sensitive data in your application?” This could be clarified in your response as “Yes, but only for structured data in account settings (email and phone number) since all other sensitive data comes from a public source such as social media.”

Ensure your RFP responses are supported by your Information Security Policy document to ensure robustness and increase credibility with the client.

Use an automated solution to answer RFPs to reduce the time spent by your team and ensure consistency in your answers. Automated tools have the added benefit of sustaining an accessible record and, in the case of Tugboat Logic – a link back to your info security program so you can track gaps and address commitments made to clients over time.