They usually appear in the form of Excel spreadsheets or Word documents with a list of questions posed to a vendor about a potential cybersecurity procurement: Does the product work with big data? Is the solution compatible with Microsoft 365? Will I need to increase on-site storage for log data?
The vendor then checks off the yes-no boxes, and sends the responses back to the customer prospect. If the checked boxes and accompanying explanations work for the prospect, then the vendor advances to the next stage of a big sale.
This describes the typical request for proposal (RFP) process – one that hasn’t really changed for years, but should. For too long, companies have viewed cybersecurity procurement as a rote, procedural exercise. Too often we see RFPs that ask about new products to replace their existing ones, instead of focusing on outcomes that will actually help them effectively and affordably protect themselves.
Still, these RFPs are primary drivers behind a $167.1 billion global cybersecurity market that’s projected to grow to $326.4 billion by 2027. By preventing attacks, Ponemon reports that organizations realize they save on average anywhere from about $400,000 in the case of a thwarted ransomware attempt to $1.37 million by avoiding a nation-state threat.
Ironically, RFPs are all about acquiring products, but the collection of products to the point of tool overload contributes to the lack of confidence. IBM reports that three of 10 organizations use more than 50 different security products and technologies and 45 percent rely on more than 20. An abundance of disconnected solutions results in inefficiencies, as companies with at least 50 tools are – compared to those using less – 8 percent less likely to detect a cyberattack and 7 percent less likely to successfully respond to one. With MDR, EDR, XDR and other acronyms being tossed around in higher frequency, it’s critical that organizations have clearly defined questions to avoid falling into the same cyclical trap.
So how do we resolve real security issues? Start with the RFPs – specifically by dispensing with the “check-the boxes” mentality in favor of honest, meaningful answers. To have this discussion we need to see questions focused on achieving impactful outcomes as opposed to simply adding or replacing products. Here are four questions that prospect companies should ask in their RFPs, but often don’t:
- Can the service provider help us manage triage?
If the company struggles with triage, it’s far from alone. Sumo Logic reports that two of five organizations deal with at least 1,000 alerts a day and 14 percent receive no less than 10,000 a day. It’s no wonder that 83 percent of security team members experience alert fatigue. The prioritization of responses has emerged as a major hurdle. Companies must shift from a strictly product-centric view in RFPs to one that embraces a human element – instead of seeking only to buy products, organizations should consider bringing in outside talent through managed services. With these services, companies benefit from expert analysts who understand the slight nuances of every triage situation, and continuously and effectively receive and prioritize events. For example, consider the pros and cons of SIEM vs. MDR when thinking about how much you can really manage in-house.
- Please describe the service provider’s onboarding and baselining processes. Are precise timelines available?
Via the current RFP structure, customer companies grow frustrated at how long it takes to baseline tools within a new environment, and migrate log and threat data to a new platform. What’s needed are turnkey approaches which eliminate lengthy onboarding and baselining — producing value within minutes of being deployed.
- We’re drowning in false positives – what can the service provider do to stop them?
The seemingly endless volume of false positives forces organizations to make a no-win choice: Either tune tools so the company gets a lower level of false positives yet increases risk, or lower the risk while leaving team members with more false positives than they can handle. Frankly, neither path leads to a manageable situation so why not leave it in the hands of an outside provider? To be most effective, it should have round-the-clock professionals who can remove the false-positive burden while investigating high and critical incidents before they are escalated to the customer’s security team.
- Does the service provider continuously update its threat intelligence feeds?
New threats emerge in the wild every day. Security teams can’t rely on yesterday’s intelligence to thwart tomorrow’s attacks. With intelligence that finds the most up-to-date threats across all organizational deployments, companies will never stand unprepared with the familiar, yet uncomfortable “what’s next?” feeling.
Unfortunately, organizations frequently approach RFPs like buying a car: look at make, models, and engine sizes to replace what already exists. Then, a couple years later, they do it all over again.
But what if they came at RFPs with a different perspective – with a focus on who will drive the car? By acquiring greater expertise “behind the wheel” companies can ensure better performance. For cybersecurity, this translates to turnkey solutions, more streamlined and productive processes in reducing false positives and prioritizing alerts, and an enduring sense of confidence that the company now believes they are prepared to face present-day and future threats.
Dan Pitman, senior solutions architect, Alert Logic