Public sector procurement of IT security services – 6 keys to success
23 August 2022 / Article
6 tips for a successful IT security services procurement process
It’s important to start by doing the research and gathering information that could be of use during the procurement process. There is often a real willingness to collaborate in the public sector, so there’s a lot to be gained from other organisations’ experience of previous procurement processes for this type of service.
“If you’re procuring in a municipality, look at how neighbouring municipalities have solved similar problems. If it’s in a Region, ask other regions and authorities about knowledge sharing of previous procurement processes. Looking at what others have done and asking questions like, “What did you do?”, “Why did you do it that way?” and “Is there anything you would have done differently, given what you now know?” can be of real value to your own procurement process”, says Marcus Mollison.
Looking at what other organisations have done is important, but it’s equally important that you then go back to your own organisation and map your own needs. This ensures that the security services are specified in line with your own organisation’s needs.
“It’s incredibly common to see tenders where the security requirement bar has been set really high without, perhaps, putting any real thought into what you actually need – given your own organisation’s security requirements. Implementing the highest security level for all your data – when not all of it is sensitive – can become disproportionately expensive. An excessively high security level can also become unnecessarily complicated for system users. So that’s why it’s important to do your homework and learn what level of security you actually need for what data,” says Helena Ankar.
So how do you know what security level you need? The answer lies in looking at the data you handle within the organisation and classifying it by type. Helena Ankar explains:
Not all of the data an organisation handles is sensitive, so by classifying the data, the client can develop a fundamental understanding of the type of information being processed – where responsibility needs to lie, and what security levels you need for different types of data.
“This process is, quite simply, key to mapping your needs in full and knowing how to specify your requirements to suppliers so they can come up with the right solution.”
It’s easy to forget, when procuring IT security solutions, that IT is no longer a discrete part of an organisation and that it permeates every aspect of your operations nowadays. This means that, when it comes to cybersecurity, there are a lot of parameters to consider. According to Helena Ankar, Senior Bid Manager at Iver, this is sometimes forgotten when procuring these services.
“It’s very common for organisations to focus exclusively on system security in their procurement processes. But we know that by far the biggest risk to an organisation’s IT environment is its own personnel. So it’s extremely important to provide cybersecurity training for the users. Organisations would, therefore, benefit from including this in their requirement specifications and from asking suppliers to specify how they work with the users to enhance their security levels. It’s very easy otherwise for this crucial aspect to be omitted from the tenders you receive. And even if the organisation itself works with these issues, suppliers often have considerable expertise and input to offer that can complement your in-house work.”
The public sector offers real opportunities for engaging in dialogues with suppliers before the tendering process starts – as long as it’s done in accordance with the Swedish Public Sector Procurement Act. Marcus Mollison, Senior Bid Manager at Iver, says that this is an important part of ensuring a successful procurement process.
“Public sector organisations have the potential to involve suppliers in the process and hold hearings with the various suppliers before the tendering process begins. This dialogue is valuable both for your own requirements analysis and in terms of understanding the market and the various solutions offered. And even if a pre-procurement dialogue costs both time and money, it’s worth it. Because a poor service provision package – which is what you’ll end up with if the procurement process isn’t handled properly – can be even more costly.”
Helena Ankar explains:
“Organisations have everything to gain from getting the help of suppliers as part of the security services procurement work. We provide security services for our clients on a daily basis. And we have dedicated security teams at different levels who can provide help and guidance. Ideally, the customer will have done their own homework on security but will still be open to the supplier’s proposals and expertise. Working together like that is the best way of identifying the right level in the security requirement specification.”
Not only do you need to ensure that the requirement specification addresses the right issues, you also need to ensure that the procurement process’s decision data is prepared and formulated in a structured, clear way.
“Clear enquiries get clear answers. Ensuring a structured formulation of your request for tender enhances the quality of the suppliers’ responses. And a clear structure also makes it easier to interpret the responses to your request for tender and to compare the responses from different suppliers,” says Helena Ankar.
Public procurement processes take time, so make sure you plan ahead and are quick off the mark in order to avoid time pressure. We all know this is the case, but there are a variety of reasons why we still often run the risk of ending up under real time pressure.
“The tendering process can often be a drawn-out one and some procurement processes involve time pressure right from the start. It’s often because an agreement with a previous supplier is coming to an end so there’s a tight deadline for your procurement process. It’s best to try and avoid this type of time pressure because there’s a risk it will have a negative impact on the outcome of your procurement process. You also need to bear in mind that you have to build in time for the implementation project before the old agreement expires.”
It’s also important that the tender is thoroughly worked out, right from the start. This way you avoid having to change too many things while the project’s in progress. If you have to make too many changes to the tender, you run the risk of a review procedure.
“The more time you allow your procurement process to take, and the more you enable a dialogue throughout the process, the better the results and service provision package you can expect to get,” concludes Marcus Mollison.