
How to write an RFP for security awareness and training

Requirements, questions, and evaluation criteria specific to security awareness and training procurement


RFPs are critical for security awareness and training due to the complex blend of technical capabilities, behavioral science, and compliance requirements. A well-structured RFP ensures that the chosen solution effectively addresses the human element of cybersecurity, aligning with organizational culture and risk tolerance.

What makes security awareness and training RFPs different

Security awareness and training RFPs differ significantly from typical software procurements because they focus on changing human behavior, not just implementing technology. These RFPs must address the psychological aspects of learning, engagement, and reinforcement. Furthermore, the rapid evolution of cyber threats, particularly AI-driven attacks like deepfakes and sophisticated phishing, necessitates a flexible and adaptive training platform.

The integration of open-source intelligence (OSINT) for personalized simulations and the ability to measure and manage human risk add further layers of complexity. Key areas your RFP should probe include:

  • Integration with existing security infrastructure (SIEM, EDR, IAM) to correlate training performance with real-world security incidents.
  • The platform's ability to deliver personalized, multi-channel simulations (email, SMS, voice) that mimic real-world threats.
  • The vendor's approach to behavioral analytics and risk scoring to identify and address high-risk individuals and departments.
  • The solution's content freshness and relevance, including its ability to address emerging threats like deepfakes and AI-generated social engineering.

RFP vs RFI vs RFQ

Here's when to use each document type when procuring security awareness and training software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For security awareness and training, an RFI is useful for exploring available solutions and understanding emerging trends in human risk management. An RFP is essential for a thorough evaluation of vendor capabilities, content quality, and integration potential. An RFQ is less suitable due to the complexity and customization required for effective training programs.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Simulation Capabilities

  • Phishing simulation (email)
  • Smishing simulation (SMS)
  • Vishing simulation (voice)
  • Quishing simulation (QR codes)
  • USB drop simulation

Content & Training Modules

  • Interactive training modules
  • Micro-learning content (2-5 minute modules)
  • Deepfake awareness training
  • AI-generated social engineering defense
  • Mobile-friendly content

Reporting & Analytics

  • Phish-prone percentage
  • Reporting rate
  • Click rate
  • Risk scoring by user/department
  • Compliance reporting (PCI DSS, HIPAA, GDPR)

Integration Requirements

  • SIEM/SOAR integration
  • EDR integration
  • IAM (Identity and Access Management) integration
  • HRIS (Human Resource Information System) integration
  • Email gateway integration

Automation Features

  • Automated threat remediation (search & destroy)
  • Automated user provisioning/syncing
  • Automated campaign scheduling
  • Automated risk scoring updates
  • AI-driven simulation personalization

Questions to include in your RFP

Platform Architecture & Technology

  • Describe your platform's architecture, including scalability, redundancy, and security measures.
    Ensures the platform can handle the organization's needs and protect sensitive data.
  • How does your platform leverage OSINT to personalize simulations and training content?
    Personalized content is more effective at engaging users and preparing them for real-world threats.
  • Explain your platform's approach to automated threat remediation (search & destroy) and its integration with email security gateways.
    Automated remediation minimizes the impact of successful phishing attacks by removing malicious emails from inboxes.
  • Detail your platform's support for multi-channel simulations (email, SMS, voice, QR codes).
    Attackers use multiple channels, so training must cover all potential entry points.

Content & Training Effectiveness

  • Describe your content development process, including how you keep training materials current and relevant to emerging threats.
    Outdated content is ineffective against modern attacks.
  • How does your platform incorporate micro-learning principles to improve knowledge retention?
    Micro-learning helps combat the forgetting curve and reinforces key concepts.
  • What specific training modules do you offer to address deepfake awareness and defense?
    Deepfakes are a growing threat, and employees need to be trained to identify them.
  • How does your platform measure training effectiveness and demonstrate behavior change?
    Metrics are essential for proving ROI and identifying areas for improvement.

Risk Management & Behavioral Analytics

  • Explain your platform's risk scoring methodology and how it identifies high-risk users and departments.
    Risk scoring allows for targeted intervention and resource allocation.
  • How does your platform integrate with SIEM/EDR systems to correlate training performance with real-world security incidents?
    Integration provides a holistic view of human risk and helps prioritize security efforts.
  • Describe your platform's approach to handling repeat offenders and providing personalized remediation.
    Personalized remediation is more effective than generic training for users who consistently fail simulations.
  • How does your platform support a "no-blame" culture and encourage employees to report suspicious activity?
    A "no-blame" culture increases incident reporting and improves overall security posture.

Integration & Deployment

  • Describe your platform's integration capabilities with our existing security infrastructure (SIEM, EDR, IAM, HRIS).
    Seamless integration streamlines workflows and improves data visibility.
  • What deployment options are available (cloud, on-premise, hybrid) and what are the associated costs and timelines?
    Deployment options should align with the organization's infrastructure and security requirements.
  • How does your platform automate user provisioning and syncing with our identity provider (Azure AD/Okta)?
    Automated user management reduces administrative overhead and ensures accurate user data.
  • What level of professional services and support do you provide during implementation and ongoing maintenance?
    Adequate support is essential for a successful implementation and ongoing operation.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including all licensing fees, implementation costs, and ongoing maintenance charges.
    Transparency in pricing is essential for accurate budgeting and TCO analysis.
  • Do you offer outcome-based or risk-based pricing models, and how are these models calculated?
    Outcome-based pricing aligns vendor incentives with the organization's security goals.
  • What are your payment terms and cancellation policies?
    Understanding payment terms and cancellation policies protects the organization's financial interests.
  • Are there any additional costs for content localization, multi-channel support, or advanced features?
    Hidden costs can significantly impact the total cost of ownership.

Compliance & Legal

  • How does your platform help us meet regulatory requirements (PCI DSS, HIPAA, GDPR) and prepare for audits?
    Compliance is essential for avoiding fines and maintaining customer trust.
  • Describe your platform's data privacy and security measures, including data encryption, access controls, and data retention policies.
    Protecting sensitive data is crucial for maintaining compliance and avoiding data breaches.
  • Can you provide a sample Business Associate Agreement (BAA) if we handle protected health information (PHI)?
    A BAA is legally required for handling PHI and ensures compliance with HIPAA.
  • How does your platform handle "Right to be Forgotten" requests and anonymize data for employee training records?
    GDPR and other privacy regulations require organizations to comply with data deletion requests.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

PCI-DSS

Required if handling payment card data. If applicable, request the current PCI-DSS compliance certificate and Attestation of Compliance (AOC). Verify that the training content addresses PCI-DSS requirements for employee awareness.

HIPAA

Required for healthcare data. If applicable, request BAA template and HIPAA compliance documentation. Ensure training content covers HIPAA security rule requirements.

GDPR

Required if processing personal data of EU citizens. If applicable, request documentation on data privacy and security measures. Verify compliance with GDPR requirements for data processing and storage.

SOC 2 Type II

Not a legal requirement, but increasingly requested by enterprise clients as assurance of data security and availability. If applicable, request the latest SOC 2 Type II report and review it to confirm the vendor meets industry best practices for security and operational controls.

CCPA/CPRA

Required if processing personal data of California residents. If applicable, request documentation on compliance with CCPA/CPRA requirements, including data subject rights and data breach notification procedures.

Evaluation criteria

Here is the suggested weighting for security awareness and training RFPs.

Content Quality & Relevance (25%): The quality, accuracy, and relevance of the training content to modern threats and industry best practices.

Platform Functionality & Features (20%): The breadth and depth of the platform's features, including simulation capabilities, reporting, and automation.

Integration Capabilities (15%): The platform's ability to integrate with existing security infrastructure (SIEM, EDR, IAM).

User Experience & Engagement (15%): The ease of use, interactivity, and engagement of the training modules and simulations.

Total Cost of Ownership (TCO) (15%): The total cost of the solution, including licensing fees, implementation costs, and ongoing maintenance charges.

Vendor Support & Expertise (10%): The vendor's level of expertise, responsiveness, and support during implementation and ongoing maintenance.

Adjust the weights to your own priorities. For example:

  • Increase the weight of Integration Capabilities if complex integrations are required.
  • Increase the weight of Integration Capabilities if you are replacing a legacy system with limited integration capabilities.

Red flags to watch

  • Emphasis on "Gotcha" tactics

    A vendor whose marketing focuses on tricking employees rather than coaching them may create a punitive culture that discourages incident reporting.

  • Lack of multi-channel simulation support

    A platform that only supports email simulations is leaving a significant portion of the attack surface unprotected (SMS, voice, QR codes).

  • Limited content localization options

    Generic, non-localized content is less effective at engaging employees and addressing regional threats.

  • No integration with existing security tools

    A standalone platform limits data visibility and hinders the ability to correlate training performance with real-world security incidents.

  • Vague or incomplete pricing information

    Lack of transparency in pricing may indicate hidden costs or complex fee structures that inflate TCO.

  • Static content library with infrequent updates

    An outdated content library is ineffective against rapidly evolving threats, particularly AI-driven attacks.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Phish-prone percentage reduction

Indicates the effectiveness of the training program in reducing susceptibility to phishing attacks.

Reporting rate

Measures the percentage of simulated phishing emails that are reported by employees, indicating a security-conscious culture.

Click rate

Measures the percentage of simulated phishing emails that are clicked by employees, indicating areas for improvement in training.

Time to value (implementation timeline)

Indicates how quickly the organization will see ROI from the investment in security awareness training.

Number of users trained per month/quarter

Demonstrates the scalability and efficiency of the training program.

Correlation between training performance and real-world security incidents

Provides insights into the impact of training on reducing actual security risks.
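The benchmarks above are only comparable across vendors if each vendor states how it computes them. As an added illustration (not part of this guide and not any vendor's product code), the script below computes click rate, reporting rate, phish-prone percentage, a per-department risk score, and a repeat-offender list from constructed simulation records; it also serves the Reporting & Analytics checklist items and the risk-scoring and repeat-offender questions earlier on the page. The record layout, the sample data, and the risk-score formula are assumptions chosen to show the definitional choices an RFP should pin down: click rate and reporting rate are per delivered message within one campaign, phish-prone percentage is per user across the whole period, bounced messages are excluded from every denominator, and a user who clicks and then reports counts in both rates.

```python
"""Phishing-simulation metrics from constructed data (added example).

The definitions and the risk-score formula are assumptions for illustration,
not any vendor's published methodology.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationEvent:
    """One simulated phish sent to one user (constructed record shape)."""
    campaign: str
    user: str
    department: str
    delivered: bool   # False when the message bounced or was blocked
    clicked: bool     # user followed the lure link
    submitted: bool   # user entered data on the landing page
    reported: bool    # user used the report button (possibly after clicking)


# Constructed sample data: two campaigns across two departments.
EVENTS = [
    SimulationEvent("Q1-invoice", "alice", "finance", True, True, True, False),
    SimulationEvent("Q1-invoice", "bob", "finance", True, False, False, True),
    SimulationEvent("Q1-invoice", "carol", "finance", False, False, False, False),  # bounced
    SimulationEvent("Q1-invoice", "dave", "eng", True, True, False, True),  # clicked, then reported
    SimulationEvent("Q1-invoice", "erin", "eng", True, False, False, False),
    SimulationEvent("Q2-mfa-reset", "alice", "finance", True, False, False, True),
    SimulationEvent("Q2-mfa-reset", "bob", "finance", True, False, False, True),
    SimulationEvent("Q2-mfa-reset", "carol", "finance", True, True, False, False),
    SimulationEvent("Q2-mfa-reset", "dave", "eng", True, False, False, True),
    SimulationEvent("Q2-mfa-reset", "erin", "eng", True, False, False, False),
]


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def campaign_metrics(events, campaign):
    """Per-campaign click rate and reporting rate over delivered messages only."""
    delivered = [e for e in events if e.campaign == campaign and e.delivered]
    clicks = sum(1 for e in delivered if e.clicked)
    reports = sum(1 for e in delivered if e.reported)
    return {
        "delivered": len(delivered),
        "click_rate": _pct(clicks, len(delivered)),
        "reporting_rate": _pct(reports, len(delivered)),
    }


def phish_prone_percentage(events, department=None):
    """Share of users who clicked or submitted data in at least one delivered
    simulation (assumed definition: per user over the whole period)."""
    delivered = [e for e in events
                 if e.delivered and (department is None or e.department == department)]
    users = {e.user for e in delivered}
    prone = {e.user for e in delivered if e.clicked or e.submitted}
    return _pct(len(prone), len(users))


def department_risk_scores(events):
    """Illustrative 0-100 risk score per department (assumed formula).

    Each delivered event scores 2 for a data submission, 1 for a click, 0
    otherwise, minus 1 if the user reported it (floored at 0). A user's score is
    points earned over the maximum possible; a department's score is the mean
    of its users' scores.
    """
    points = defaultdict(int)
    maximum = defaultdict(int)
    dept_of = {}
    for e in events:
        if not e.delivered:
            continue
        p = 2 if e.submitted else (1 if e.clicked else 0)
        if e.reported:
            p -= 1
        points[e.user] += max(p, 0)
        maximum[e.user] += 2
        dept_of[e.user] = e.department
    per_dept = defaultdict(list)
    for user, mx in maximum.items():
        per_dept[dept_of[user]].append(100.0 * points[user] / mx)
    return {dept: round(sum(s) / len(s), 1) for dept, s in per_dept.items()}


def repeat_offenders(events, min_failures=2):
    """Users who failed (clicked or submitted) at least min_failures delivered simulations."""
    failures = defaultdict(int)
    for e in events:
        if e.delivered and (e.clicked or e.submitted):
            failures[e.user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


if __name__ == "__main__":
    for name in ("Q1-invoice", "Q2-mfa-reset"):
        print(name, campaign_metrics(EVENTS, name))
    print("phish-prone % overall:", phish_prone_percentage(EVENTS))
    print("department risk:", department_risk_scores(EVENTS))
    print("repeat offenders:", repeat_offenders(EVENTS))
```

Note how the same ten records yield a 50% click rate for the first campaign but a 60% phish-prone percentage for the period: a vendor quoting one figure as the other makes its numbers look better or worse than a competitor's. When you ask for benchmarks, ask for the denominator, the time window, and the treatment of undelivered messages alongside each number.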