Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

My new RFP template.

To make it easier on all the security vendors out there, I’m now releasing my crescent fresh RFP Template.  Now they’ll have a much easier time responding.  And all you issuers of RFPs out there, feel free to borrow it too; it’ll save you time when you have to review the responses.

1.  Vendor information: Brag here about how STuDLy your company is and how you’re the only and the best and you really know how to treat customers right.  List some of your most impressive customers; the list should include something military (no matter if it’s the Waxahachie Department of Defense) and at least one bank (North American Regional Chartered Union Standard Bank and Trust, Ltd.).

2.  FUD section: Talk here about how important security is and how you take it seriously.  Throw out some wild and yet stale statistics about how many billions of dollars were lost because of some worm somewhere.

3.  Management program: Copy and paste an entry from a Project Management 101 textbook here.  Say it’s your own proprietary model.

4.  Details of services: Copy and paste some other vendor’s marketing literature here. 

5.  Security risk model: You must include at least one Fortress Analogy and one Onion Analogy.  Bonus points for any process graphic that is not circular.

6.  Omissions: Leave out sections of the RFP that you didn’t feel like doing the homework for.

7.  Qualifications: Refuse to give out any names of actual customer references or financial statements.  Instead, include the resumes of your five employees, the minority relative you sold the business to in order to get HUB credits, and the project manager who actually runs everything and keeps possession of the cell phone.

8.  Throw more verbiage at me: Include reams of photocopies of the user guides for whatever products you’re trying to rebrand as your own for your response.  Expect that this will compensate for the fact that you didn’t actually write anything technical in the earlier sections.

9.  Example service contract: Put in a sample statement of work and forget to redact the name of your last customer from it.

(Optional: Print the whole thing on some weird-ass textured stationery paper that bleeds onto my hands.)

Posted by shrdlu on Saturday, June 09, 2007