One thing we hear from enterprise IT sales reps is, “If we didn’t help write the RFP, they’re NOT buying from us. It’s a waste of my time.”
But if you didn’t receive an RFP to begin with, you’re definitely NOT going to win the deal. As Wayne Gretzky said, “You miss 100 percent of the shots that you don’t take.”
It’s true, some enterprises use RFPs to put their preferred vendor in a de facto leadership position in the sales process. That said, you can still win RFPs, even if you didn’t influence how they were written. You do it by offering stronger security and compliance messaging.
What is an RFP?
An RFP, or request for proposal, is a business document meant to detail projects and solicit bids from vendors that can complete that project for a company. It is the preferred method of contracting outside vendors and companies for government agencies, but many large enterprises use this method as well. Think of it as a B2B job description.
The Issues with RFPs
According to a recent Deloitte global survey of 170 organizations, 87% of respondents faced a disruptive incident with third-party vendors in the last two to three years. This means that third-party vendors, despite responding to specific RFPs, are not holding up their end of the bargain. However, it could also mean that the RFPs are faulty to begin with and do not have the proper language in them.
In regulated industries, the requirement to verify and audit third-party vendor risk is extremely important. That’s because of added compliance liabilities that include heavy fines and sanctions. Vendor risk is most acute with cloud-based service providers, where application design, data-handling processes, third-party APIs and underlying hosting infrastructure all represent potential vulnerabilities. Compliance and InfoSec teams can and often do veto deals that don’t comply with their security requirements.
What You Need to Know About RFPs
The secret to RFPs is to go above and beyond them. Ensuring your own compliance is a better policy than waiting for someone else to do it.
While compliance can stop an evaluation, it can also help enable it. The sooner you positively and effectively engage the client’s InfoSec and risk teams in the sales process, the better.
You can take these proactive steps to improve your chances for closing a deal:
- Prepare a standard set of documentation you can provide all clients under NDA. This should include your complete information security program, data privacy program, GDPR, business continuity and disaster recovery plans along with product and financial documentation. (Hot tip: Tugboat Logic’s Information Security Program Export function allows you to summarize your system of record as part of this report.)
- Plan a product review call with key security stakeholders and have your engineering and IT teams walk them through how your solution is designed, how PII is collected in your application, and how data flows in and out of your application infrastructure.
- Ensure your documentation is up to date. Develop a regular review cadence with your team to ensure your information security program is current.
Dominate the RFP Process by Owning It
You don’t need to take a passive or defensive role in your customer’s due diligence process. Better preparation and active engagement will help you win more deals.
Here is some final guidance for RFP response success:
- Take the RFP seriously. Provide more than a yes or no answer.
- Ask your team for help explaining your security capabilities.
- When in doubt about a client requirement or request, ask for clarification on whether it’s applicable to your product or service. For example, an RFP question may ask, “Do you encrypt all sensitive data in your application?” This could be clarified in your response as, “Yes, but only for structured data in account settings since all other sensitive data comes from a public source such as social media.”
- Ensure your RFP responses are supported by your information security policy to increase credibility with the client.
- Use an automated RFP solution to reduce time and provide consistently high-quality answers. Automated tools have the added benefit of sustaining an accessible record and, in the case of Tugboat Logic, a link back to your information security program. That way, you can track gaps and address commitments made to clients over time.
Final Thoughts on RFPs
So audit and security readiness are key? The best next step is to start that process not just for future RFPs but for your business in general. Tugboat Logic’s platform helps with audit preparedness and evidence gathering.