December 21, 2017

To RFP or Not to RFP – WST

Many institutions use a formal Request for Proposal (RFP) to solicit information security and compliance services from vendors, while others use an informal purchasing process. Both approaches have advantages and drawbacks. Here are a few pros and cons of RFPs.

Pros:
      • RFPs are a great way to consistently communicate your needs to vendors and get comparable proposals back from them.
      • RFPs tend to make the selection process easier and an ‘apples to apples’ comparison is feasible.
      • RFPs can limit the amount of scoping and discovery calls with vendors.
      • RFPs are a good way to let the vendor know what is required of them to work with your institution.

Cons:
      • RFPs require work on the front end to create and distribute the RFP.
      • Because the RFP defines the work to be performed, an RFP that is not written correctly may leave you with a different level or type of service than you actually need.
      • RFPs can stifle creative processes and services which may be more beneficial for your institution.
      • Some vendors may choose not to respond to an RFP due to a real or perceived requirement in the RFP.

As a vendor that receives a lot of RFPs, our number one concern with many of them is that they were written years ago and have been recycled and regurgitated so many times that they do not make a lot of sense in today’s environment. The following are some other things to consider when issuing an RFP.

      • Overly aggressive scheduling dates: Most successful professional services firms will need 90-120 days from the selection date to the work date. Be sure to build ample scheduling windows into your RFP process, and plan to issue the RFP at least six months before you want the engagement scheduled.
      • Some RFPs go too far into detail: This can prevent vendors from using their normal service protocols and templates. Try not to go too deep into the details when writing the RFP.
      • Pre-select and qualify RFP recipients. Ensure the vendors you invite have the appropriate credentials and are professional service providers for the work you are requesting. We are sometimes asked to compare our services with a “friend of a friend” who does this work on the side and can do it for half the price. Only invite vendors you will trust to do the work.
      • Limit invites: 3-5 vendors are usually adequate for the RFP cycle. Any more than this can create problems with the final selection process.
      • Overly rigid RFPs can kick out a good proposal because a “t” was not crossed or an “i” was not dotted. The RFP should be about bringing comparable and competitive bids to the table that will provide you the best possible service and not about jumping through hoops.

10-D Security has a free RFP Template for Information Security and Compliance services. The template can be requested at
