SafetyDetectives interviewed Maurice Harary, Co-founder and CEO of The Bid Lab, a consulting agency that handles RFP bidding processes for hundreds of businesses and government agencies, with over $100M in winnings so far.
He packed this interview with tips for business owners who want to learn how to find the best security assessment vendor, and with the most important trick for cybersecurity agencies looking to nail their next RFP questions.
What’s The Story Behind The Bid Lab? How Did The Idea Develop Over The Years And How Does Your Mission Differ From Others In Your Industry?
My wife Jordan and I began our careers on different paths. I was working on the RFP team at IHS Markit and Jordan was forging her way in the automotive industry. We both climbed the corporate ladders in our respective fields until one fateful day Jordan’s dealership group was vying to add another rooftop to its portfolio, which required a (you guessed it) Request for Proposal. While her firm resolved to hire an outside consultant to complete the RFP, Jordan was learning just how widespread and industry-agnostic the procurement process really was. The day before the RFP was due, Jordan received the final copy to review and was dumbfounded by what she saw. Not only was the RFP littered with grammatical errors and spelling mistakes, but it also referenced outdated information and did not follow the prescribed format.
Jordan called me right away frantic about the state of the bid, and I knew it was going to be a looong night.
From dusk until dawn, we wrote content, redesigned formatting, remediated inaccuracies and prepared a proposal that Jordan would be proud to stand behind. Then, after finally taking some time to sleep, we realized what had happened and what had been in front of us the entire time. Jordan’s writing expertise coupled with my RFP knowledge was a winning combination. Right then and there, The Bid Lab was born.
Since then, we have grown our business of helping small businesses grow through the RFP process by focusing on providing an unparalleled experience in a field of competitors that just do the bare minimum to get the job done. We use our expertise to provide a positive experience, and focus on what makes a small business special when it comes to selling to the government or large enterprises. We pay particular attention to our clients’ resources and have a business model that gives them control of their spend and the amount of work we do for them.
What Kind Of Questions Do You Include In Your RFPs That Pertain To Cybersecurity?
RFPs often ask questions that can be broken down into three categories: past events, current ways to remediate against cyberattacks, and future trends an organization is anticipating. To that end, each can be broken down as follows:
- Past Events: RFPs want to know if you have been targeted and attacked in the past, and how you may or may not have dealt with it. Cyberattacks are unfortunately becoming commonplace, so this question is becoming increasingly asked. It’s important for people to be transparent about an attack, and focus on the remedial efforts rather than the losses incurred.
- Current Strategies: The lengthiest parts of the cybersecurity questions in RFPs are usually about the various ways you currently protect your firm from a cyberattack. What access control policies do you enforce? What are you doing to prevent your team from exposing the firm to a cyberattack? What insurance do you have in the event a cyberattack does occur? Procuring entities want to ensure that onboarding you as a vendor doesn’t invite a weakness in their own cybersecurity wall of defense.
- Future Trends: Cyber threats are constantly evolving, so it is important that you frame your cybersecurity efforts as consistently improving. Thinking of yesterday’s problems won’t necessarily defend against future vulnerabilities in cybersecurity. Ensure you outline plans for improvement and any trends you are regularly addressing.
What Can Vendors Do To Proactively Address The Cybersecurity Questions In RFPs?
Many times, companies and organizations reuse their existing cybersecurity questions for bids. So if you are interested in a particular company or entity, see what kind of information their previous RFPs request so you can compile the necessary information even before an RFP is issued.
It is also best to track your responses, especially your weakest responses, in a centralized repository that you can provide to your development team to prioritize future enhancements. For instance, if you are consistently asked about two-factor authentication and you don’t have a solid answer for this, it is something you should consider recommending to your development team.
Finally, ensure you speak with your prospects about what they prioritize, including nice-to-haves and absolutely critical must-haves. To this end, you can ensure you are prioritizing your clients’ must-haves so that implementing your solution doesn’t raise red flags from their IT teams. Then, use the nice-to-haves list to proactively develop even more security features for future clients who may allocate them as must-haves.
And What Are The Implications For Answering Those The Wrong Way?
At the very least, a weak response will slow down the sales cycle as you will surely get flagged by the client’s internal IT team during the due diligence process. You always want to make the IT review as seamless as possible, and any incorrect or incomplete answers will require further information gathering, remedial efforts, or requesting an exception. At the most, responding with a weak response can even get the deal thrown out in favor of a vendor that has a buttoned-up response that meets their minimum requirements. Yes, your solution may be cheaper or better, but if it presents a cybersecurity risk, it may not be worth it to your client.
How Important Is Honesty When Responding To Your Questions Related To Cybersecurity?
This is absolutely critical. You should never lie about your cybersecurity posture to advance a deal. Sooner or later, the truth will come to light, and you don’t want to be liable for a cybersecurity breach. Always tell the truth.
What’s Your Suggested Checklist For Selecting The Right Security Assessment Vendor?
It really depends on your own organizational security risk appetite. If your current cybersecurity practices aren’t strong, then placing an undue burden on a potential vendor may not be relevant to your procurement. For instance, a marketing vendor may not have the longest checklist for security because the stakes are low in the event of a cyberattack. That being said, a technology procurement should at the very least meet your current cybersecurity standards, and ideally surpass them to ensure you don’t invite a new gap in your own defenses.
Would You Say That Your Customers Are Mostly Aware Of The Impact That Cybersecurity Can Have On Their Business?
I think every client is aware of cybersecurity in their business to a certain extent. Cybersecurity has seeped into everyone’s daily lives, from reCAPTCHA blocking you from easily accessing your paid-for websites to passwords constantly needing updates. Spam calls and phishing attempts are so widespread that everyone has been threatened with a cybersecurity event whether they acknowledge it or not. That being said, clients should always have a formal cybersecurity program and process in place for their organization before they are asked about it. Being reactive to cybersecurity events is unfortunately a way some people learn about how important it is.