Do RFPs or request for proposals work as intended? It seems they’re loaded with flaws. Yet for some organizations who must follow processes, they become necessary evils for both buyers and sellers. What can we do to improve the process?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Keith McCartney (@kmflgator), VP, Security and IT, DNAnexus.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, TrustCloud

Full transcript
[David Spark] Do RFPs or requests for proposals work as intended? It seems they’re loaded with flaws, yet for some organizations who must follow processes, they’ve become necessary evils for both buyers and sellers. What can we do to improve the process?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, I know you know him, you better love him, his name is Geoff Belknap. He’s the CISO of LinkedIn. Say hello to the nice audience, Geoff.
[Geoff Belknap] Hello, nice audience, and hello to you too, David.
[David Spark] Thank you very much. Hello back to you as well. Our sponsor for today’s episode is TrustCloud. Thrilled to have TrustCloud onboard. They’ve been a phenomenal brand-new sponsor with us, and we’re thrilled that they’re joining us again. More about TrustCloud – you’re going to be very intrigued by what they’re doing, audience and Geoff and guest who we introduce in a second – later in the show.
But first let’s talk about today’s topic. It was brought to us by Allan Alford who’s the former co-host of this show and now host of The Cyber Ranch Podcast. And he asked if RFPs or requests for proposals actually work, and he pointed out some common complaints and flaws such as innovative solutions ignored while favoring vendors who fit into a specific category. They’re easy for a vendor to answer. There’s no rigor to the process. It takes a long time to fill out, only to be rejected. And companies have to follow process only to realize they had already chosen a vendor. These are complaints that come up often plus many, many more, and we’ll get into that. So, ultimately, Allan asked, “How can we improve the process?” Geoff, do you think RFPs create more harm than value or the opposite?
[Geoff Belknap] David, I think RFPs are a great topic for us to take on today because the reality is they’re fantastic if you’re just buying widgets and you want to know who’s the best vendor to buy a widget from. Today, when there is so much differentiation between different vendors and different security solutions, this is a conversation we should have. It’s not as easy as just asking everybody to put their best offer on the table and picking it. There’s much more involved today in buying a commercial solution.
[David Spark] Yeah. And there isn’t a one-to-one comparison from vendor to vendor, and that’s where things get really, really hairy and complicated. And yeah, this is a really good topic. I was stunned at the commentary and really intriguing comments on this topic, and we’re going to hit a lot of them today. And the guest we are going to have to join us we’ve had on before on the other show, so thrilled to finally have him here on Defense in Depth. It is none other than Keith McCartney who’s the VP of Security and IT over at DNAnexus. Keith, thank you so much for joining us.
[Keith McCartney] David, Geoff, thanks for having me, glad to be here.
How did we get here?
2:52.868
[David Spark] Fernando Montenegro of Omdia said, “They’re the embodiment of screening mechanisms coupled with a way to theoretically level the playing field.” All right. Fernando stated what they should be. Now, everybody else is a commentary of what they feel they are now. Jessica Murdzak of Optiv said, “Usually they have a preferred vendor and just need to show that they have fairly done due diligence.” And Robin Oldham of Forbes Technology Council said, “The problem is often that the requirements are aligned to favor the vendor that the team wants. It drives up the cost for vendors responding to RFPs they were never going to win, which ultimately is paid for by the customers.”
So, I’m going to sort of double down on Robin’s comment and this is something that came up a lot was the organization they work for, whether a government or private, requires that they show that they have vetted three companies. And often they will put this out just so they can buy company A that they wanted to buy and really what they’re doing is forcing others to pay for their processes. Do you believe that to be true, Geoff?
[Geoff Belknap] I not only believe it to be true, I have seen it many times personally and anecdotally from friends. I’ll preface this by saying we’re using an antiquated approach to buying things that just doesn’t apply anymore. And I sort of mentioned this at the top of the show, RFPs are great. If you are buying ladders, guns, fighter aircraft, RFPs are fantastic because you’ve got very specific…
[David Spark] Hold it. Can I pause you? Ladders, guns, and fighter aircraft – what hardware store are you going to? [Laughter]
[Geoff Belknap] I’m going to the Department of the Raytheon Acme Hardware store I think is the…
[Crosstalk 00:04:54]
[Geoff Belknap] [Laughter] The reality is if you have a very specific thing that everybody knows what the details and specifications and attributes of that thing are, an RFP is great. Because, again, you’re presuming there’s a level playing field, that you’re just buying widgets, and everybody’s widgets are basically the same but you’re trying to suss out what are the differences between the people selling you those widgets.
That is just not the case at all in the security space. We have a variety of different solutions, we have a variety of different ways that those solutions are provided, we have a bunch of different engagement models for different people that sell things that are seemingly the same, and all of that stuff matters. And if you put an RFP out, what you’re sort of insinuating, and I think there’s some negative connotation here, is that “Eh. All you security guys, you’re the same. Just tell me what the price is for this CASB or something like that.” And that means you’re starting off on a bad foot. And if all you’re trying to do is just justify that you bought something and you didn’t do it improperly, RFP’s great. But if you want to build a real relationship, it’s probably not the way you want to get started.
[David Spark] Keith, do you think buyers of security products doing the RFP process are essentially passing their cost of due diligence off to the sellers and they’re like, “Well, they want it so desperately, so if they want it so badly, we’ll make them jump through these hoops.” What do you think?
[Keith McCartney] Yeah, I think it definitely happens, as Geoff mentioned. I like to think I’m a little bit of an optimist here and I like to think that there are teams out there that are using the RFP process to really understand what they’re getting and to make the right decisions about what they’re purchasing. Fully, we all know that it doesn’t always happen that way, but if you do use the process and go into it kind of understanding what’s important to you, you can learn something about the market that you may not have understood or may not have realized if you’re looking at it just as a single solution of, “Hey, I want to buy this one and I’ve got to get through this RFP process to get there.” But as Geoff mentioned, I definitely agree with him, I think more often than not, this is a little bit of busy work for the vendors that don’t get selected unfortunately.
What are they doing right? What are they doing wrong?
7:04.337
[David Spark] Kenny Stella of ALTR said, “Vendors are usually just column fodder.” I like that term. “Procurement has to have at least X amount of proposals to push it through to purchase, thus the RFP.” We brought this up at the beginning of the show. “If we aren’t having discussions pre-RFP, I’ve basically missed the boat already.” Many said exactly that. And Pete Mistry of Okta said, “My personal approach has been very much to ensure that we are influencing the decision-making tree with an organization before an actual RFI, request for information, or RFP is issued as this generally means that we stand a much better chance of securing the customer.” So, this requires essentially vendors to start building relationships with potential customers way before an RFP happens. I got to assume that’s the best strategy. Yes, Keith?
[Keith McCartney] Yes. I think what Kenny and Pete said is quite accurate. You need to look at it in the sense of how is this relationship going to benefit both parties and is the buyer educated to understand what it is they need to be successful and meet their requirements.
[David Spark] And actually you can definitely influence the requirements at that time. Geoff?
[Geoff Belknap] Yeah, absolutely. I think the problem though is if you’re influencing requirements, you’re sort of starting off understanding that if you’re working with a customer, you’re understanding that they have a sort of broken, unhelpful procurement process. And there are many people that are buying security solutions that desperately need something cutting edge or new that have to demonstrate for whatever reason their policy internally is they have to show that they talked to multiple vendors, that there’s a reason they can only choose this one vendor, and they have to do their diligence to demonstrate that. The federal government or state governments also, it’s a great example. They have to by law demonstrate that they spent that money wisely.
And I get it, but the reality is things are so different that it shouldn’t be a matter of like, “Hey, I know you’re going to go out to RFP, here’s the things you need to keep in mind.” We really need to look at when there’s a class of products that might be brand new. And without naming any vendors, there’s a whole slew of things that are new every year. That if you try to go out to an RFP and you try to just gather what’s new in the ecosystem, you’re just burning a lot of time. You’re trying to boil everything down to words and descriptions that all sound common, and that RFP process is not really what you need there.
So, I think if anything what I would do is tell people, [Laughter] and I don’t know if we have a huge audience of procurement officers that listen to our show, maybe we should, that it’s time to move on and think about what’s a rapid acquisition process for something that is an N of 1, a brand-new product in its space. How do we address that? How do we be competitive? How do we know we’re getting a good price? And how do we know we’re getting a solution that works for us? I don’t think RFP does that, but I deeply understand the desire to get a good price, to make sure that you’re not missing any solutions that are in the market space. Maybe you went to RSA and heard about something and didn’t hear about something else and I want to have a fulsome view of things. So, I think there’s a time and a place for RFP here, but I think the reality is the time and place for that was about 15, 20 years ago.
[David Spark] One quick follow-up question with you, Keith, is per what Geoff just said, it seems, and I said also earlier about influencing the decision, it seems extraordinarily easy to kind of abuse this system in terms of stacking the deck in your favor if you get a conversation early on. Is there some kind of check and balance to make either stacking the deck not so easy or, when it is attempted, you’re aware of that, so essentially a request doesn’t so lean in favor of one vendor?
[Keith McCartney] Yeah. I think obviously from the buyer perspective, they have control over that, right? They’re setting the questions and the criteria and the weights and the scoring of what’s coming back from the vendors on the RFP side. I think from a vendor perspective, it’s a little bit more challenging. You have to really pay attention to what you’re being asked, and you know the space just as well as the buyer does, right? Does the questionnaire seem weighted towards one of your competitors, and is it worth your time and your effort to respond to that RFP? I do agree. I think that that’s challenging. And I don’t know a great solution to that other than to just really understand what are we being asked to do. Are we being asked to compete or are we being asked to just be column fodder, as one of the question askers aptly put it?
Sponsor – TrustCloud
11:50.321
[David Spark] Before we go on any further, I do want to mention our sponsor TrustCloud. They are a very intriguing organization who I don’t know if they handle RFPs themself but I’m sure they have in the past. So, security and compliance are too often viewed as a cost center – we all know that, right? Instead of driving real business value. So, TrustCloud is actually here to change that. So, listen up because this is what we speak a lot about on this show. TrustCloud is the only all-in-one predictive risk and compliance platform that helps your entire team automate work and make a more secure business. So, you can reduce the time and cost of completing audits with programmatic control verification. TrustCloud’s automated evidence collection and common controls framework helps you meet requirements to many standards at the same time. So, you map once, and you meet multiple standards. Now that saves some time.
Does your team struggle with security questionnaires? Of course you do. TrustCloud makes reviews faster. First, create a trust portal to showcase your security posture, so fewer customers actually even send questionnaires. Then, let TrustCloud’s AI engine answer questionnaires for you, so you can spend your time on the most important projects. Are you managing your risk register in spreadsheets? TrustCloud connects to your systems for continuous, business-wide monitoring to identify risks and suggest solutions. TrustCloud maps liability, so you can tie contractual commitments to your compliance posture and prove the value of your security program. Visit trustcloud.ai/cisoseries and connect with one of their specialists today to learn how you can transform security and compliance from a cost center into a profit center with TrustCloud. Once again, that’s trustcloud.ai/cisoseries.
Does anyone have a better solution?
13:50.318
[David Spark] Rick Bullotta said, “RFPs are often written with a rearview mirror perspective on available solutions and their functionality, which can actually inadvertently block out new and innovative vendors.” And something you were talking about, Geoff, is there’s all these new solutions that are coming out. And Dan Edwards of Park National Bank said, “A good RFP will be written in a way that defines the desired business outcomes, not the solution.” I like that. “That way, you’re not limiting innovation in vendor’s proposals.” And Michael B. of Progress said, “Good RFI and RFP docs should lay out the problem and ask for approaches to solve it. You will be pleasantly surprised at the diverse approaches presented and will likely end up with a solution far more advanced than what you would get otherwise.” So, Geoff, I’ll start with you. I think Dan and Michael made a really nice suggestion specifically for the buyers: ask for the outcome, not specifically the solution, because it could come from different avenues in that case. Have you ever done that or seen something like that?
[Geoff Belknap] You know, I don’t think I have. I think it’s a great idea.
[David Spark] It’s an interesting take.
[Geoff Belknap] It’s definitely a very refreshing take. I think the problem here becomes if I do that, how do I get that RFP/RFI in front of as many people that might have a solution as possible? Which is a common thing we talk about on this show all the time. How do we get new solutions in front of new people? But this is a great way to do that because then I’m putting out an RFP or an RFI that says, “I got this problem. I’m looking for a solution to that. Who’s got something?” And you’re doing that in a formal way. I like that a lot. I think that if you’re in an organization that has to do an RFP, like this is the way to do it so you have a really big opportunity to look at what the totality of options are in your space.
[David Spark] Yeah. And you can say something like, “Well, we need a solution that does X. We are considering EDR, XDR, or whatever it may be, but we’re open to other takes and solutions to handle this,” kind of a thing. Keith, what’s your feeling on this? I definitely think that the pressure is on the buyer to clearly define their objectives. I’m not in security but I’ve seen requests for proposals where it’s clear the buyer didn’t know what the heck they wanted.
[Keith McCartney] Yeah. I think we’ve all seen that in some way, shape, or form. I agree. I think Dan and Michael are on to something here. This is a great way to do it. I’ve also seen RFPs that have a question section or a clarification section where the providers have the opportunity to go back and add additional things in the RFP that they think would need to be clarified or would potentially help the buyer make a better decision. Those are obviously distributed then to all of the participants in the RFP but it’s a really good way to go to the experts and the providers, and say, “Hey, what are we missing? What’s not clear? What do you need to know to provide us an effective response?”
[David Spark] That’s actually a very, very good point. Allowing for a level of two-way communication rather than, “Here’s a request. You send one communication back and maybe we’ll respond or maybe we won’t.” Which is, I’m sorry, kind of stressful, yes, Geoff?
[Geoff Belknap] Absolutely. I think it also just highlights that RFP, while well-intended, it’s just a little too structured. Now it’s great in that it gets rid of, theoretically, the idea that a golf match or a trip to a sports event is the thing that’s going to lock on what the widget is that you’re trying to purchase. It’s just, I got to say, as a guy who does startups because I’m a terrible employee and I have problems with authority, it’s too much structure for me. I want to roam free and graze on all the amazing solutions that are out there for me. But I do think, again, if you have to do this process, this is the way to do it. Be open about the problem you’re trying to solve and be open to new ways to solve it and make sure that you have a clear open forum to have back and forth about the discussion.
Again, kind of the objective from a procurement and from a fiduciary duty perspective for an RFP is to make sure you’re getting a great deal and you’re getting something that’s fit for purpose. It doesn’t mean you can’t have conversations or build a relationship with the people that are offering those solutions. And I have definitely been involved in those processes where it’s like, “I’m not allowed to talk to you guys. I’m only allowed to talk to you through the RFI/RFP venue and these formal back and forths.” It’s just not great for everybody.
What aspects haven’t been considered?
18:28.052
[David Spark] Yaron Levi of Dolby Laboratories said, “To have an effective RFP you need to ask the right questions, so don’t just ask ‘Do you have X?’ but ask to explain or demonstrate how do the vendors accomplish or support X.” And Paul Hugenberg of Rea & Associates said, “The RFP is useful in forcing the requesting party to at least exercise some foresight or forethought in describing what they need.” And Michael Lines of Open Technology Solutions said, “Better to work directly with the client on a pro bono or limited fee basis upfront to scope their problem statement and requirements. Through this exercise, you demonstrate your ability to understand their issues and give them exposure to your capabilities.” So, that’s an interesting one, this Michael Lines one. I mean, I think most companies would much rather do that than do an RFP, because there is a cost to doing an RFP. What do you think of that last suggestion, Keith, that Michael has?
[Keith McCartney] Yeah. I mean, this to me really sounds like the way that most companies have set up their business development operations anyway. I think you might be limited in the really rigid RFP processes; you may not be able to do this. But I think most vendors and providers are looking at the market and looking at how they can create a space for themselves and how they can help demonstrate the value, which is exactly what he’s suggesting here. It does work well, does work well.
[David Spark] But I will say the only negative here, and I want your thoughts on this, Geoff, is you’re inviting somebody to be a little bit more intrusive, which an RFP is not allowing for. Geoff?
[Geoff Belknap] Yeah. So, let me get out of the way that I agree with Keith here and I definitely have been involved with what Michael’s laying out here. The problem for me is ethically, I hired you or you’re giving to me for free services to define what my RFP should be and what the solution I’m looking for, how to really describe it. If you then also bid on that RFP, if you provide a proposal…
[David Spark] Well, this gets to our point at the beginning, yes.
[Geoff Belknap] Yeah. There’s a big conflict of interest here. Of course, I’m sure every major vendor for an RFP that’s out right now would be glad to offer you free consulting services to define how the RFP should be written.
[David Spark] Right.
[Geoff Belknap] Because then it’s going to sound exactly like their product and only like their product.
[David Spark] [Laughter]
[Geoff Belknap] So, I think you just have to be really thoughtful. In the case where what you’re looking for is a professional service, I think this is fine because it’s going to be very rare that you’re only going to be able to buy professional services from the person that wrote the RFP for you. And the reality is, a lot of times RFPs are for products that are very complicated or a solution’s very complicated, and it’s helpful to have expertise. Because if you’re going out to an RFP, it’s either because you have a regulatory encumbrance or a requirement or because you don’t have the technical skills in-house to really decide what solution you should buy. And indeed, early in my career, I would sometimes review RFPs for small municipalities and counties because they’re trying to buy a phone system or a network system. And they wouldn’t go to RFP if they knew what they needed to buy or whether something was good or not, so they needed somebody to help them. So, I think in this case perfectly okay, really advantageous, but in very narrow solutions should that person who helped with the RFP bid on the RFP.
[David Spark] All right. I’m going to close with one question for both of you. If you were to tell all buyers, “Make sure you answer this one question in your RFP,” which you don’t think many of them are doing, what is that one question you’d ask them to do? Keith, you first.
[Keith McCartney] Yeah. I think it goes back to the relationship. What will our relationship look like in one year, two years, three years, right? Because you’re purchasing a solution, you want to make sure that you’re going to get the support and that you’re going to continue to have the benefit of the innovation that that provider is going to bring to your organization.
[David Spark] Excellent question. Geoff, what’s the one question they should ask?
[Geoff Belknap] I think Keith put it really well, and my question is very similar. It’s just how are you planning to support me and to support this relationship over the term of the contract or the lifetime of the installation of the service we’re buying? Because that’s really what matters, right? I have heard horror stories from companies that I won’t mention, where they show up…
[David Spark] Well, why not? This seems like a perfect time to mention them. [Laughter]
[Geoff Belknap] Gosh. David, I try to be very neutral on this program.
[David Spark] I love that you say, “I’ve heard horror stories I’m not going to mention.” As if, “Oh, let me end my career right now by listing off all these companies.” [Laughter]
[Geoff Belknap] Do I want… You know what it really is, is I’ve got about 800 comms and marketing people from my company and my parent company that will light up my inbox if I misbehave on this program. But I’ll tell you what, folks. You can find me in person or on LinkedIn or any number of places, I’m happy to uncensor myself. But let me just say a large log analytics company is well-known and of ill repute for being there and being all in when it’s time to buy that product and then trying to find them at any moment in the lifetime of that deal that is not three months before the renewal is near impossible. And I think relationships like that are really unfortunate, and I know that there are salespeople that absolutely don’t work that way, but that’s the thing I want to know. Where are you going to be? So, I sign this contract tomorrow, three months from now, do you still know my name? Do you still exist? Are we talking? Are we analyzing how we’re using this product? Are we making it better? What’s the relationship look like? That’s what I want to know.
[David Spark] Excellent point, both of you gentlemen.
Closing
24:26.085
[David Spark] All right. We’ve come to the portion of the show where I’m going to ask you which quote was your favorite and why. Keith, I will start with you. Do you have a favorite quote?
[Keith McCartney] Yeah. I really like the quote from Pete Mistry from Okta. “My personal approach has been very much to ensure that we are influencing the decision-making tree within an organization before the actual RFI and RFP.” Agree with him completely. Again, this is about relationships, this is about making sure that the long-term value is going to be realized from the engagement rather than just the “Okay, we got the deal. Let’s head out and leave the customer to deal with the rest of it.”
[David Spark] All right. Very good. I agree as well, and we talked a lot about this on the show. All right, Geoff, your favorite quote and why.
[Geoff Belknap] My favorite quote’s going to be from Michael B. over at Progress who said, “Good RFI and RFP docs should lay out the problem and ask for approaches to solve it. You’ll be pleasantly surprised at the diverse approaches presented and likely end up with a solution far more advanced than what you would get otherwise.” And I think this just underscores, like I said, and I came in pretty hot, I don’t know if anyone figured this out through the podcast, I’m not a big fan of RFPs. But if you need to do an RFP, and I recognize there are plenty of situations where that’s necessary or even positive, this is a fantastic way to steer that to a beneficial outcome. Ask for solutions. Don’t ask for exactly what you want to buy. Tell people the problem you’re trying to solve and let them tell you how they suggest you solve it. I think that’ll be a fantastic approach.
[David Spark] I’m in agreement as well. I love that quote as well. And thank you, everybody. Thank you first of all, Keith, for coming on the show. By the way, I loved this conversation, this was a fascinating conversation, and I hope our audience enjoyed it as well. Huge thanks to our sponsor TrustCloud. Again, check them out at trustcloud.ai/cisoseries. Keith, are you hiring over at DNAnexus?
[Keith McCartney] We do have a couple of positions that are coming open, so hit me up on LinkedIn.
[David Spark] All right. Check him out on LinkedIn. We’ll have a link to his profile on LinkedIn. And Geoff, well, if you don’t find a job to work with Geoff on LinkedIn, surprise, surprise, LinkedIn has tons and tons of job openings there as well.
[Geoff Belknap] A very fine website.
[David Spark] Thank you very much, everybody, for listening to this very episode, and more importantly for contributing to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.