How to Avoid Common Cybersecurity RFP Pitfalls: Part 1

At Trustwave, we see scores of requests for proposal (RFPs) in all shapes and sizes, originating from nearly every conceivable industry and seeking solutions to specific security challenges and desired business outcomes. To help both those issuing the RFP and the vendor on the receiving end, I’ve drawn up some simple guidelines that will help your RFP process run smoothly.

It’s no secret that RFPs are a common way for organizations to collect the critical data required for their procurement processes, but for vendors, responding to an RFP rarely inspires joy. Instead, the RFP process often demands cross-organizational collaboration and significant internal resources from the responding vendor.

The real problem is that the company issuing the RFP regularly, if inadvertently, introduces inefficiencies into the process that ultimately result in the issuing organization receiving neither the information nor the outcomes it is trying to achieve.

As we all know, the RFP process is always evolving, and at some point, the project’s requirements will evolve or even drastically change. Often, a change at the workshop stage will uncover additional requirements that may differ from the initial RFP and potentially change its scope entirely.

So, before putting out an RFP, consider the following steps that will help avoid some common pitfalls that could lead to an eventual negative outcome:

Decision By Committee

Committees are great for solving many problems but not necessarily for the RFP process. Try to ensure that the people involved in the process understand what is being sought.

Here is a simple guideline to follow that will help create a proper RFP.

  • Is the correct and relevant information in your document? Procurement best practices for buying printer ink do not always translate well to security services; ensure all relevant parties are represented.
  • Are the key requirements captured and communicated clearly in the document?
  • Does the final document concisely outline your needs, or is it a wish list? 
  • There have been countless RFPs in which a ‘mandatory’ requirement was, in reality, only a preference. 
  • Be accurate and specific: you could miss out on a best-fit vendor’s bid due to a simple discrepancy in information.
  • Be sure to detail any additional requirements added to the RFP after internal discussions.

One Document, 10 Authors

Multiple authors seldom lend themselves to a well-written document.

In the end, ensure the document flows well and is worded concisely. 

Even at the Super-Mega-Corporate-Corp, the supplier is still only human, so a human should be able to read and understand your RFP. If you use a team to build your RFP, are requirements being repeated? We often see the same question asked in different parts of the document, which can confuse both the responder and the issuer. 

Make sure the document answers the pertinent questions. For example, are you driving the conversation to the business problem or the risk you want to reduce, or are you writing a wish list? Make sure to note the value of the RFP and its responses to your organization.

Beware of Third Parties 

Sometimes it might seem logical to bring in a third-party consulting firm to help your RFP process. But beware, this process can sometimes lead to a very costly document the size of War and Peace.

Additionally, an outside source may lack the necessary understanding of your environment to create an efficient RFP, so make sure the documentation they map out unequivocally fits your needs.

However, with all that being said, good consultants are worth every penny, so be sure to vet any organization you hire.

Stakeholder Involvement

One error clients often make is not involving the correct stakeholders from the start of the process. For example, if procurement personnel are not involved from the beginning, vendors often find themselves having to start from scratch. This situation is often created because the procurement person does not understand the solution. 

However, if procurement is brought in and included in the workshops and presentations at the start, they will understand the process, negating any unnecessary repetition.

The same holds true for the legal team. If this team is reviewing the service descriptions, it needs to understand the service and the business outcome to help avoid confusion.

Is Accuracy Everything?

Complex security solutions such as MDR (endpoints, servers, infrastructure, etc.) span your entire estate, so obtaining an accurate count can be difficult, but this might not be as important as you think. 

This may sound counterintuitive, but don’t worry about the counts being accurate. What matters more is providing the same numbers to every vendor, so that their estimates are apples-to-apples comparisons across respondents, even if the pricing is estimated.

Make certain to clearly document and call attention to any assumptions you’re making within the RFP to avoid confusion or miscommunication.

While this is by no means an exhaustive list, it illustrates how a vendor or service provider might receive an RFP and the challenges they commonly face when attempting to put forth a thorough and competitive response.

More often than not, the individuals representing vendors and suppliers want to keep their clients happy and help them succeed. If everyone is committed to improving communication throughout the RFP process, we could create efficiencies and increase successes across industries.

Try implementing a few of these suggestions when building your next RFP, and you may find yourself with better, more accurate responses that ultimately lead to your desired outcomes.
