Demand good proposals: Tips for writing an RFP

When you publish a Request for Proposal (RFP), you're looking for responses that tell you clearly and concisely how a security vendor is going to solve your problem. Too often, though, you're left reading through page after page of marketing filler laced with company acronyms, with little or no sense of what it means to your environment -- heck, you can get that off the vendor's Web site.

IT security professionals don't have time for this. Some proposals are so painful to get through that organizations would simply eliminate them outright regardless of how well the solution might fit.

The RFP response is an opportunity for vendors to earn your business. Write the RFP as concisely as possible and include a description about your mandates for responses. It's time to define some ground rules. Vendors won't stop playing wasteful marketing games until users set expectations on what is acceptable.

Below are five guidelines that will improve prospects for proposals that actually respond directly to your requirements.

1. All questions and requirements must be addressed directly
   This means the vendor needs to avoid the marketing rhetoric and acronyms, and simply address the specific needs presented in the document. A vendor that can't meet a certain requirement should be honest and state this in plain English. Fulfilling this requirement requires conciseness, not unbearable detail -- figure five to seven pages of text in most cases. A well-prepared and thorough RFP response (supported by graphics and figures) may be longer than seven pages; the point, however, is that useful content is good, marketing double-talk is bad.
   
   
2. The response should include details about architecture and deployment
   Vendors love to talk about features and benefits but often forget to address the physical layout of their solutions or the effort required for implementation projects. Where do the components sit? How will a distributed solution communicate? Are there security concerns? Are there deployment options or complexities to consider? Can a solution tier administration? Can it be implemented in either a distributed or centralized fashion? Can it be configured so it is efficient in terms of network bandwidth? Remember, the vendors are the technology experts here, so they should be creative and meticulous.
   
   
3. Text must be supported with graphics
   A proposal should weave together graphics and text in an effort to make the document both succinct and thorough. Insist that vendors include graphics that illustrate how it addresses requirements. For example, distributed solutions should be supported by topology maps that help users visualize the product architecture. Management tools should include screen shots that specifically address user needs.
   
   
4. Comprehensive pricing is required
   Software and maintenance costs are only a piece of the puzzle. What about additional hardware like servers, switches or management consoles? Will you need a back-end database? How about professional services and user training? Again, demand that vendors "walk a mile in your shoes" and provide details, not a runaround.
   
   
5. A business solution must speak to your needs
   The RFP response should reveal that the vendor understands your business issues, addresses them effectively and can deliver near-term ROI. State your business problems clearly and demand that the vendor respond in kind.

About the author
Jon Oltsik is a senior analyst at the Enterprise Strategy Group, and previously VP of marketing and strategy at GiantLoop Network and senior analyst at Forrester Research.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Security Buyer's Guide,   Application and Platform Security,   Enterprise Vulnerability Management,   Security Patch Management,   Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Security Buyer's Guide Keystroke dynamics makes BioPassword Internet Edition a viable authentication option Access security with KoolSpan's SecurEdge NetChk Protect 5.5 Biometrics: Best practices, future trends 2006 Products of the Year: Emerging Technologies Secure Sphere 2.0 Scan & Deliver: SLAs force service providers and outsources to hit the mark ... or hit the road Secure remote access: SSH Tectia Manager Spycatcher Enterprise 3.2 Configuresoft's Enterprise Configuration Manager v4.7 Security Patch Management Microsoft gives Internet Explorer a major security overhaul Information security book excerpts and reviews What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions Database activity monitoring lacks security lift IBM to acquire database security firm Guardium Cost of security, IT management add up at healthcare facilities, study finds Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security M86 buys Web security gateway vendor Finjan McAfee survey finds faults in midmarket enterprise security Cisco acquires SaaS security vendor ScanSafe Email archiving vendor sues Gartner over Magic Quadrant Analyst calls Barracuda-Purewire deal proof of cloud dominance RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.