Insights BLOG

Three Questions to Consider before going to RFP

March 2022

A request for proposal (RFP) can be a time-consuming and cumbersome process for organisations looking to solve business challenges. And, it may not always result in the most ideal solution and technology partner being selected for the optimal long-term results.

Successfully selecting a cybersecurity firm to protect your organisation is not simple. IT security is highly technical, requires tools and expert people to work in concert, must match your risk profile, and fit in a budget, all in a constantly evolving threat landscape. One of the biggest challenges that organisations face when going to RFP is that they must be precise and exact to be prescriptive; however, many organisations may fail to map their needs to solutions effectively.

Unfortunately, you can only get the right answer if you ask the right question, and organisations may not always ask the right questions during the RFP process.

Is RFP the right choice?

Problems need solutions; however, the answer is not always cut and dried. Going to RFP is not always the best next step for organisations looking to solve business challenges. There are three key questions organisations should consider before going to RFP:

1. Is this reactive or planned?

One of the first questions you need to consider before going to RFP is simple: is this need reactive or planned? Drilling down into this means understanding if this is a reactive need for a new challenge that needs to be solved immediately or proactive planning where time isn't as restrictive.
For reactive challenges, going to RFP may not be the most suitable approach, as it can create new challenges or exacerbate existing ones, especially if it delays the process of identifying and implementing solutions. By the time you find a solution, the problem or business challenge may have evolved to the point that your chosen solution is no longer viable.

2. Does this make sense to the business as a whole?

One of the biggest challenges with going to RFP is the risk of buying in isolation. It's critical to understand the problem you're trying to solve and how solutions will interact with the wider business and existing technology stack. Failing to do so means solutions may not integrate with the existing technology stack, resulting in a costly mistake.

Additionally, some business units may not be mature enough to fully understand or explain the problem at hand, leading to ill-defined RFPs or selecting technology that doesn't actually meet the requirements.

If your business is going to RFP, it's essential that you can, where needed, give context to vendors on how this solution will fit into the wider strategy and what the end goal looks like for your business. This will help vendors to answer the RFP more effectively.

3. Do we have the necessary funding available?

Funding is an essential piece of the puzzle. However, it's not as simple as having the funding available to support the immediate solution to a problem. It's important to shift your thinking to instead consider new solutions as technology investments that will support your business over time, instead of just right now. As such, you need to understand if your business can fund the solution over its entire lifecycle.
One of the other elements to consider is how a solution will change your business risk. Before going to RFP, you need to take each of these elements under advisement and ensure that you truly understand the challenge at hand and the type of solution you're looking for to achieve certain outcomes. In addition, you need to ensure that you have a strategy that aligns solutions to take your business forward. Your strategy should not only aim to solve the challenge for today and tomorrow, but for one, two, and five years down the track.

CSO Group provides organisations with effective cybersecurity services, risk management, and protection. For more information or to find out how CSO Group can assist you, please contact the CSO team at: