How to Waste Less Time by Writing Better RFPs

One thing we hear from enterprise IT sales reps is, “If we didn’t help write the RFP, they’re NOT buying from us. It’s a waste of my time.”

But if you didn’t receive an RFP to begin with, you’re definitely NOT going to win the deal. As Wayne Gretzky said, “You miss 100 percent of the shots that you don’t take.”

It’s true, some enterprises use RFPs to put their preferred vendor in a de-facto leadership position in the sales process. That said, you can still win RFPs, even if you didn’t influence how they were written. You do it by offering stronger security and compliance messaging.

It’s Not You, It’s Me

According to a recent Deloitte global survey of 170 organizations, 87% of respondents faced a disruptive incident with third-party vendors in the last two to three years.

In regulated industries the requirement to verify and audit third-party vendor risk becomes even more important. That’s because of added compliance liabilities that include heavy fines and sanctions. Vendor risk is most acute with cloud-based service providers, where application design, data-handling processes, third-party APIs and underlying hosting infrastructure all represent potential vulnerabilities. Compliance and InfoSec teams can and often do veto deals that don’t comply with their security requirements.

What You Need to Know

While compliance can stop an evaluation, it can also help enable it. The sooner you positively and effectively engage the client’s InfoSec and risk teams in the sales process, the better.

You can take these proactive steps to improve your chances for closing a deal:

  • Prepare a standard set of documentation you can provide all clients under NDA. This should include your complete information security program, data privacy program, GDPR, business continuity and disaster recovery plans along with product and financial documentation. (Hot tip: Tugboat Logic’s Information Security Program Export function allows you to summarize your system of record as part of this report.)
  • Plan a product review call with key security stakeholders and have your engineering and IT teams walk them through how your solution is designed, PII is collected in your application, and how data flows in and out of your application infrastructure.
  • Ensure your documentation is up to date. Develop a regular review cadence with your team to ensure your information security program is current.

Own and Dominate the Process

You don’t need to take a passive or defensive role in your customer’s due diligence process. Better preparation and active engagement will help you win more deals.

Here is some final guidance to RFP response success:

  • Take the RFP seriously. Provide more than a yes or no answer.
  • Ask your team for help explaining your security capabilities.
  • When in doubt about a client requirement or request, ask for clarification on whether its applicable to your product or service. For example, an RFP question may ask, “Do you encrypt all sensitive data in your application?” This could be clarified in your response as, “Yes, but only for structured data in account settings since all other sensitive data comes from a public source such as social media.”
  • Ensure your RFP responses are supported by your information security policy to increase credibility with the client.
  • Use an automated RFP solution to reduce time and provide consistently high-quality answers. Automated tools have the added benefit of sustaining an accessible record and, in the case of Tugboat Logic, a link back to your information security program. That way, you can track gaps and address commitments made to clients over time.

Final Thoughts

Want to learn more about how we help businesses accelerate the RFP security questionnaire process? Feel free to get in touch with us. We’re always happy to help!

Related Articles

Backup and Recovery Process: Choose It or Lose It

Backup and Recovery Process: Choose It or Lose It

Despite our best efforts, sometimes things go wrong. The best way to handle situations should they arise, is to have a plan to act in advance, and keep that plan updated when threats change. This not only covers risks to your data by bad actors but plans in the event of a server outage or a natural disaster as a few examples.

read more


Pin It on Pinterest

Share This