Even before the COVID-19 pandemic, enterprise organisations faced seismic shifts in how they meet data privacy and security requirements. Whether due to mandated regulatory controls, ever-evolving digital transformation projects, or changing market conditions, keeping up with data security was like hitting a fast-moving target.
Fast forward to 2021 and that task has become even more challenging. While some offices are opening up in the “post-pandemic” period, hybrid and remote working now seem permanent features for organisations that have re-appraised their operational models and adapted to COVID-related work requirements.
Despite their adaptability to staffers working remotely, however, many organisations remain wedded to outdated security protocols that don’t reflect this new work-from-home reality. If your organisation hasn’t changed data security priorities to keep up with the rapid shift to remote work environments, you may struggle to ensure that remote-work employees are secured and empowered to work from anywhere.
Post-pandemic security controls need a revamp
Indeed, the wholescale shift to homeworking creates obvious challenges for security teams. Cybersecurity control failures are now the top risk from the new working models, according to Gartner, along with ‘quick fixes’ that companies quickly implemented in response to the pandemic.
As Gartner notes, many businesses tripped themselves up from the get-go. The overnight scaling up of VPN access forced security teams to pivot from focusing primarily on securing on-premises operations to developing remote work access policies ‘on the fly’.
The seeming permanence of remote work as a workplace fixture means organisations must now safeguard a primarily remote workforce. This directly impacts the security considerations organisations must prioritise when preparing their data security requests for proposals (RFPs).
Want to avoid future security incidents? Then prepare appropriately for a data security RFP that will protect the global remote workforce. In terms of planning, the following four steps will help ensure an efficient and effective RFP process that uncovers — and meets — the specific needs your organisation should be prioritising.
Step 1: Determine your objectives
First, you should build a dedicated team that can: identify relevant needs, identify the business problems to solve, and define what determines success. This ‘discovery and consultation’ phase should involve all key stakeholders — starting with the security team and business team leaders — to ascertain requirements. These include what they need today, what they think they need, what they don’t know they need, and what they might need in the future. Capturing the broadest-possible range of user considerations will give you a 360-degree view of the challenge.
Step 2: Conduct research
Having established objectives, you can move to the vendor-research phase. By sourcing information from external peers and industry analysts, you can glean valuable insights on what clients like and don’t like about existing solutions.
Creating a shortlist of vendors you think could help with your problem will help streamline responses. It will also speed up the identification of other organisations that have used a vendor on your shortlist and ascertain their sentiments.
Step 3: Define the evaluation criteria and establish a scoring system
Having scoped the problem and researched top vendors, it’s time to define the evaluation criteria. By weighing what will be used, you can find the best match for your identified needs. In other words: exactly how well does each solution satisfy each requirement?
You can eliminate grey areas by compiling a list of yes/no questions, or questions to which vendors respond ‘Does Not Meet’, ‘Partially Meets’ or ‘Fully Meets’, each with supporting detail. But this is not always foolproof, as vendors will still need to explain how comprehensively they satisfy each requirement.
Most organisations today, for example, should insist upon a solution that not only can prevent employees from storing company data in the cloud, but also can detect and alert when a user tries to move files somewhere outside the company’s pre-set guidelines. It is also crucial to have a solution that alerts admins the moment sensitive data is moved to shared storage (such as a personal folder or file on the network) or to a removable device such as a USB drive or NAS.
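To make the requirement in the paragraph above concrete, here is an added example (not code from the original article or from Digital Guardian’s products) of the kind of detection logic an evaluator might ask a vendor to demonstrate: a small monitor that reads file-movement audit events, checks each against a policy of sensitive labels, blocked destination types and approved cloud hosts, and raises an alert when classified data leaves the approved boundary. The event format, field names and the `POLICY` structure are assumptions constructed for this illustration; the sample events are constructed, not real logs.

```python
"""Toy data-movement monitor (constructed example).

Flags sensitive files moved to destinations outside a policy allow-list:
removable media, NAS, personal shares, or unapproved cloud hosts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample audit events; field names are an assumption for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "alice", "action": "copy", "src": "C:\\Projects\\plans.docx",
     "dst": "E:\\plans.docx", "dst_type": "removable", "label": "confidential"},
    {"user": "bob", "action": "copy", "src": "C:\\Projects\\notes.txt",
     "dst": "\\\\nas01\\home\\bob\\notes.txt", "dst_type": "nas", "label": "internal"},
    {"user": "carol", "action": "upload", "src": "C:\\Finance\\q3.xlsx",
     "dst": "https://personal-drive.example/upload", "dst_type": "cloud", "label": "confidential"},
    {"user": "dave", "action": "upload", "src": "C:\\Finance\\q3.xlsx",
     "dst": "https://corp-sharepoint.example/sites/finance", "dst_type": "cloud", "label": "confidential"},
    {"user": "erin", "action": "copy", "src": "C:\\Public\\brochure.pdf",
     "dst": "E:\\brochure.pdf", "dst_type": "removable", "label": "public"},
]

# Hypothetical policy: which labels are sensitive, which destination types are
# never allowed for them, and which cloud hosts the company has approved.
POLICY = {
    "sensitive_labels": {"confidential", "restricted"},
    "blocked_dst_types": {"removable", "nas", "personal_share"},
    "approved_cloud_hosts": {"corp-sharepoint.example"},
}


@dataclass
class Alert:
    user: str
    src: str
    dst: str
    reason: str


def evaluate_event(event: Dict[str, str], policy: dict = POLICY) -> Optional[Alert]:
    """Return an Alert if this event moves sensitive data outside policy, else None."""
    label = event.get("label", "unclassified")
    if label not in policy["sensitive_labels"]:
        return None  # only movement of classified data is in scope for this rule

    dst_type = event.get("dst_type", "")
    if dst_type in policy["blocked_dst_types"]:
        return Alert(event["user"], event["src"], event["dst"],
                     f"{label} file moved to {dst_type} destination")

    if dst_type == "cloud":
        host = urlparse(event["dst"]).hostname or ""
        if host not in policy["approved_cloud_hosts"]:
            return Alert(event["user"], event["src"], event["dst"],
                         f"{label} file uploaded to unapproved cloud host {host}")

    return None  # approved destination, or an on-network move the policy permits


def scan(events: List[Dict[str, str]], policy: dict = POLICY) -> List[Alert]:
    """Evaluate every event and collect the alerts in input order."""
    return [a for a in (evaluate_event(e, policy) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT user={alert.user} src={alert.src} dst={alert.dst}: {alert.reason}")
```

Run against the constructed events, the monitor alerts on alice’s copy of a confidential document to removable media and on carol’s upload to an unapproved personal cloud host, while dave’s upload to the approved corporate host and erin’s copy of public material pass. In an RFP, the useful follow-up question is whether a vendor’s product makes both the classification and the destination allow-list configurable in the same way.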
How do you evaluate a vendor’s ability to address these types of identified needs? You can create a vendor scoring system that lets you adjust weightings and gives a much clearer indication of how well each solution satisfies each requirement. It also ensures consistency across vendor evaluations, independent of how each vendor phrases its responses to the technical criteria.
Step 4: Conduct further research
Having completed the RFP, you should decide whether and when to share this information externally. Keep in mind that vendors will tailor their approach to answering your questions, which is why creating a vendor scoring system ahead of time is so important.
Having engaged with vendors, now is the time to conduct additional research into their customer references and their employee and leadership churn rates. This exercise helps ensure their culture aligns with your own and increases the chance of a successful long-term engagement.
Having consolidated and evaluated all responses, it’s time to review vendors and make the case for and against each one. You’ll want to eliminate all but two vendors, who can then be invited to proceed to the next and final stages: onsite presentation, risk assessment and pilot testing.
Set clear objectives to achieve data-driven protection
The pandemic has shifted organisations’ data security needs and considerations, and organisations want their RFPs to recognise and account for the new security risks introduced by the work-from-anywhere change. Ultimately, enabling secure and seamless digital workplaces for employees around the globe begins with asking the right questions before establishing which vendor can best demonstrate the security capabilities that will be needed today – and into the future.
Tim Bandos, CISSP, CISA, CEH, is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and a wealth of practical knowledge gained from tracking and hunting advanced threats aimed at stealing highly sensitive data. The majority of his career was spent at a Fortune 100 company, where he built an Incident Response organisation; he now runs Digital Guardian’s global Security Operations Center for Managed Detection & Response.