When RFP Questions Cross the Line of Reasonability
In my business, responding to RFIs, RFQs and RFPs are a part of my daily work life. If you want to win the business, you must accept these requests as a mandatory function during the sales cycle.
20 years ago, questionnaires focused almost entirely on the business application up for bid; features, functions, bells, whistles, and the like. Technology questions primarily centered around the technology platform – Windows, Solaris, SQL Server, Oracle, web vs. client-server, etc.
In today’s cyber security threat world, IT has essentially commandeered the process, and now RFPs are often heavily weighted on security questions. Frankly, many recent RFPs that have crossed my desk barely touch on the relevant and in-demand application features, in favor of addressing IT Security issues. In a few cases, it has been hard to find the actual application questions buried in one of many Excel tabs (worksheets).
But that is fine. I get it. Virtually all of our clients focus on system security as the highest priority, and rightfully so. You can’t open a newspaper (remember those) without reading of some serious breach, most recently coming from the Democratic National Committee. WikiLeaks. Snowden. Breaches are rampant. And because our systems collect and archive HIPAA, PHI, and PII data, security is LBi’s Job #1.
So IT has come front and center in managing technology based RFPs, and they should — as long as the requesting business unit covers 100% of their business requirements in the questionnaire.
RFPs should address all of the organizations pertinent issues, without placing an unfair burden on the responding vendors. How many questions are reasonable? If a company is putting out bids for 128 Gig thumb drives, certainly a few hundred questions may not seem fair or even necessary. On the flip side, ERP bids logically might include many hundreds (or even thousands) of questions. Third party add-on solutions such as HR Help Desk, Talent Management systems, Time and Attendance, etc. probably will fall somewhere in between.
Now how about those questions? Here is my all-time favorite actual question from a recent RFP:
“What is the distance of the backup facility from the primary location?”
How about this one:
“Is the facility a shared tenant building? If yes, please describe floors occupied and who tenants are, that occupy contiguous space with you.”
“If offsite paper destruction is performed, when was the last time you inspected the process?”
Let’s please be honest. Nobody in the IT department invented these questions, and they may not even really care about the answers. But they certainly impressed their boss. My bet is they (and thousands of similar questions that have crossed my desk) came from some CISO (Chief Information Security Officer) manual or training course.
My last two RFPs included well over 1,000 questions each, many similar to the ones above. Fair? Maybe… depending on the critical nature and scope of the system being put out to bid. My litmus test would be if IT really created these questions, and they really intend to read and process each vendor’s responses, and IT strongly feels these questions are 100% relevant to the business application or service, then OK. Otherwise, you are burdening your potential vendors with costly time consuming busy work. All the while losing focus on the business unit’s critical technology needs.
The vendor that actually has the time to research and respond to each of these types of questions accurately (trust me, no one has these answers at the tip of their fingers), may not necessarily be the most qualified partner. Worse yet, you just may discourage some qualified vendors from even responding at all. Some of the finest software vendors absolutely refuse to respond to RFPs unless they perceive them as worthy of their time and effort.
The best security questions to ask are about vendor certifications, past records of performance, vendor guarantees (not just warranties), SLAs, and appropriate hardware and software protection. If a vendor has certifications (and/or compliances) for HIPAA, PHI, PII, PCI, SOX, Safe Harbor, SSAE16 Type II and similar, then that should cover most companies’ concerns and security requirements. If the solution includes VPN access, data encryption at rest, virus and malware protection, Intrusion detection, certified disk destruction, and other system security features, then you are really covered.
Now if you really, really require the distance from the primary facility to the backup facility, or if there could potentially be a double secret trap door in the data center, then we are here to oblige. We want to earn your business. But please respect ours.