I’ve worked in the information security space for over two decades. RFPs are a simple fact of the business: you will have to answer them, and some will be better than others. However, over the last 5-10 years, I’ve watched as RFPs have become progressively more convoluted and irrelevant to the problem that the business is attempting to solve.
Many times you'll notice that RFPs are simply being reused and repurposed, e.g. add a few questions and the firewall RFP becomes the antivirus RFP which then becomes the SIEM RFP. It happens, and we're all guilty of a bit of copy-and-paste. Take that a step further and combine it with onerous procurement processes, perceived and real compliance mandates, and pages of unrelated questions that get tacked onto the relevant questions, and eventually the overall purpose and goal of the RFP becomes completely unrecognizable.
Without realizing it, companies are shooting themselves in the foot: the focus becomes completing the Byzantine RFP process instead of identifying the correct technology.
That being said, let’s translate the process to something we’re all likely familiar with: purchasing a vehicle. Imagine that you're in the market for a truck, and leaning towards the Ford F150 or a Dodge Ram. Rather than reading the multitude of reviews or taking the trucks for a test drive, you show up at the dealership with a 400-question RFP that you'd like the dealership to complete within 10 business days. The RFP includes questions such as:
- Describe the accomplishments and backgrounds of all executives at the company.
- How many buttons are included on the dashboard of your vehicle? Describe the exact color and function of each button along with photos of each.
- Please list the water and electric usage for all local and remote employees, along with methods implemented to reduce that consumption.
- Describe the development methods used by the engineering teams assigned to the vehicles. If the answer is not “Agile software development”, please describe the training, certification, and practices used to follow your method of development on the Honda Pilot.
- Describe your reasoning behind adding brakes to the vehicle, specifically when compared to the Nissan Maxima. Include at least 7 examples.
- On a scale of 1-5, on average how many technicians are globally servicing motorcycles on a Tuesday between 3-7 PM Pacific time? What type of motorcycles? What is your SLA on servicing motorcycles?
- Please describe how your vehicle can accelerate from 0 – 178 MPH with exactly 5 occupants in the vehicle while pulling an oblong object attached with a 27-foot chain. Include diagrams and diagnostic output measurements.
Sounds ridiculous, right? Unfortunately this has become the standard.
You walked into the dealership with the desired outcome of purchasing the “better” truck by going through the RFP process. Instead, you’ll end up working with the dealership that told a low-level employee to BS their way through the answers as quickly as possible “to get to the next step”. The dealership already knows that the RFP is just a prelude to the test drive, which itself is likely the step before the actual purchase.
There has to be a better way to meet the goals of the business. Before sending out the next RFP, read through the questions and ask “will these questions help my business identify the best solution, or are they going to get me a bunch of meaningless responses?” If it's the latter, then it might be time to re-evaluate the existing process.