YES! You step out of the board meeting with a smile. Since becoming responsible for Cyber Security 3 months ago, you first started to assess what the organization already had in place and what was missing to face today’s cyber threats and meet regulatory requirements. The outcome showed that, while doing well in some areas, the organization seriously lacked in some domains of information security.
Today, the Board agreed with your proposal to build a remediation plan and you feel relieved. You will be able to sleep better knowing that you will have more control over the digital risks your organization faces. Walking back to your office, reality starts to sink in.
Do you outsource, recruit, buy new technology, optimize what you already have…? And what is the right solution to meet your needs? Speaking of needs, you have a good idea of which controls you are lacking, but you are not sure yet how to resolve this with all the possible solutions that exist in the marketplace. You have spoken to a large number of product vendors and solution providers, but they all seem to promise a silver bullet.
How do you even know you are spending your precious budget to get the most value from your investment? A lot of questions race through your head, but not enough answers. You will need some of those answers soon! At the next board meeting, you need to report on the progress of what you just sold to your board … Suddenly, you feel very alone … also realizing that you will be held accountable for all the choices you will make.
Does the above sound familiar? As a Cyber Security decision maker, it’s not easy today to stay up to date with the overwhelming amount of existing and new security products and service providers, and how they compare to each other. Many organizations therefore follow the crowd and buy security solutions that are known to be good. But are these solutions also the right ones for your specific requirements? And if there is a match, are they implemented and used in the most (cost-)effective and efficient way?
Buying the right security solution
By following a clear set of security and market principles that are based on common sense, rather than complexity, we are convinced that buying the right security solution can be made easier.
Knowing what you have and knowing what you want to achieve are the foundation of a successful approach. Still, many organizations that don’t know what they have try to overcome this by applying the same known security controls everywhere. At best this leads to a mediocre security level that does not sufficiently protect the assets that really matter.
So, how do you succeed where others fail? You start by mapping your needs. This process is essential if you are to understand the scope of what you have to defend and what you care about most. Ask yourself the following questions: What business risks am I trying to mitigate? What are my threats? What are my existing controls and capabilities? What are my regulatory requirements? And, what would be the key success factors that would make me happy after one year in service? A risk-burn strategy that quantifies the current risk level and the desired risk level after implementation will help you establish an acceptable mitigation cost and help you get buy-in from other stakeholders in the organization.
Reaching out to the market
Before reaching out to the market for proposals, you should prepare an overview of the must-have and nice-to-have services, covering the technology, people, processes and regulatory aspects. You should also make sure that these are aligned with your organization, its existing capabilities and controls – don’t buy a security camera before you have bought a door with a lock on it – and, last but not least, they need to be aligned with your budget.
Although each organization is unique, that doesn’t usually mean that it also requires a unique Cyber Security solution. A high-quality, financially healthy MSSP will build its services in a scalable way, meaning that 80% of the deliverables are standard and shared amongst all of its customers, while only 20% or less of the deliverables are tailored to specific customer demands. This way they can guarantee a consistent quality at an acceptable price point. However, we see that many organizations come up with a huge number of unique requirements that turn this equation upside down, leading to less scalable services, lower quality and a higher cost. So, unless you really have unique security requirements, it is advisable to align yourself with existing offerings. This can be achieved via requests for information or by organizing a bidder’s conference that allows potential suppliers to present their various service options for your requirements.
Next to the service requirements, you should also define the (technical) scope of the solution. We have seen countless requests for proposals that don’t have a well-defined scope and expect the bidder to come up with it instead. You know your organization better than any bidder, so if you don’t know the answer, the bidder certainly won’t. Instead, they will assume a scope that is either over-scoped, with a higher price tag to cover the uncertainty risk, or under-scoped, leading to an unworkable solution and extra cost in delivery.
Since your security requirements will change over time, the selected services and their scope should also be agile and capable enough to evolve together with the organization from a people, process, technical, and cost perspective.
Cybervalue’s key recommendations:
- Start with defining the overall solution requirements based on your business risks, threats to your business, existing people and technical capabilities, solution objectives with the key success factors, integration and regulatory requirements, and your budget;
- Make sure that everybody in your organization is aware and aligned on what to outsource versus what to keep inhouse, on the project objectives, and on the project timelines;
- Align solution requirements to what is available on the market and aim for requirements that match for 80% with standard available solutions;
- Avoid vendor lock-in;
- Organize a Request for Information, informal meetings, or a bidder’s conference if you have no clear view on what the market has to offer;
- Ask for proposals that include the entire solution lifecycle and its cost, including service implementation & integration, operational mode, reporting, service enhancement, and service decommissioning. Make sure to ask for the dependencies and assumptions on your organization and your other suppliers such as effort and availability to avoid hidden costs;
- Use a task- (RACI) and result-driven approach for describing your service needs, allowing you to be specific about who does what, how and when;
- Be clear on the technical scope, thereby avoiding assumptions made by bidders that have little insight into your environment;
- Keep your RFP requirements to the point to avoid getting encyclopedia-sized proposals that are hard to review and compare and that lead to ambiguity. This will also facilitate contracting in the award stage;
- Have a transparent pricing-response structure;
- Talk to the bidder’s people who will actually deliver the solution to you;
- Set realistic timelines for the RFP process, the service implementation and integration, acceptance, and its activation.
Are you looking for help or just want a second opinion on your already ongoing RFP process? Don’t hesitate to contact us. Based on our 20+ years of experience in hands-on security engineering and consulting, running security operations, performing CISO and CTO roles, and supporting sales on a global scale with bidding on RFPs, we gathered and combined proven best-in-breed approaches, and built a framework on how to identify and select the right security solution tailored to your business at the right price.