SAN FRANCISCO — Requests for Proposals (RFPs) are a cornerstone of the IT business, and increasingly involve cybersecurity components with long lists of questions that vendors need to answer.
In a session at the RSA Conference titled, “Monty Python and the Holy RFP (Request for Proposal),” Mary Ann Davidson, the Chief Security Officer at Oracle, talked about her experiences dealing with complicated RFPs that sometimes defy rational explanations.
Davidson noted that while she always takes RFPs seriously, humor is a good way of shining a light on the eccentricities of life. For her, the 1975 classic film “Monty Python and the Holy Grail” is full of humorous examples that can also be used to illustrate challenges in the security RFP process.
1. Don’t Ask for Shrubbery
In the Monty Python film, King Arthur is confronted by the Knights Who Say Ni, who demand a shrubbery from him in order to pass.
Davidson noted that the demand for a shrubbery was purely arbitrary and didn’t necessarily serve a finite purpose. For those building RFPs, she suggests not asking for shrubbery, but rather working in questions about items that are actual concerns rather than arbitrary ones.
“Sometimes companies ask for a shrubbery, but that’s not really what they want,” Davidson said. “Spending resources on shrubbery uses scarce resources that could be spent making security better for everybody.”
2. What is Your Quest?
In one scene of “Monty Python and the Holy Grail,” Arthur and his knights meet the keeper of the bridge of death, who asks everyone who wants to pass a series of questions, with the final question being about a seemingly trivial fact.
Again, Davidson emphasized the need for those writing RFPs to be specific and ask about specific products and services, not trivia.
“Customers want to trust providers and vice versa,” Davidson said. “You want to be able to ask the questions that matter.”
3. The Killer Rabbit of Caerbannog
In the Monty Python film, the Killer Rabbit of Caerbannog is a vicious creature that Arthur’s knights at first glance mistake for just being a cute rabbit.
“Things that look cute and fuzzy aren’t always cute and fuzzy,” Davidson said.
In the context of RFPs, some seemingly innocuous requests can in fact be quite challenging; for example, requiring a company to meet with an auditor. Davidson noted that she once had an engagement where a company sent an auditor, yet the auditor wasn’t given a scope of what to audit.
Another seemingly harmless request that she once received in an RFP is that all security policies should have a watermark on them.
“Nobody should contractually commit to something that is vague or cannot be done,” Davidson said.
Fundamentally, Davidson wants companies to ask relevant questions in RFPs that will help to answer questions that are not just one-offs, but rather are items of regular concern to the business and its risk management practices.
Davidson recommended that organizations ensure that all vendor security questionnaires have a clear, prioritized risk management concern behind each item.
“And don’t forget to say Ni!” Davidson said as the audience laughed.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.