To Build or Buy a Cybersecurity Solution? That is the Question

Considering the complexity and constant demands of maintaining a robust cybersecurity program, making decisions around what to build in-house and what to purchase can be perplexing. There is a constant struggle within any organization to balance cyber budgets amidst increasing threats. The burden for small organizations is even greater.

Deciding where to focus your own time and money when it comes to testing, defending, and reporting depends on your cybersecurity strategy and priorities. However, everyone is interested in solutions for managing security posture that are affordable, efficient, and robust. But should you build or buy a solution to achieve those goals?

The Requirement — Dealin’ with the Data

As cybersecurity has matured as a discipline, the tools and platforms we use have become more focused and numerous. Think of all the ways that you identify security risks in your environment:

• Recurring vulnerability scans
• Network penetration tests
• Application penetration tests
• Purple team assessments
• Incident response reports
• Security Operations Center reports
• Framework-based assessments (i.e. CIS 20, NIST, etc)
• Third-party regulatory audits
• Bug bounty reports
• And more

Having some or all these methods for assessing risk is good, but they also each generate a lot of data. The value of these tools is greatly diminished if the results they produce are lost or forgotten. Security professionals need to organize these results into a living risk register, and they need to accurately track each risk from identification through remediation. You don’t want to gamble your security posture on poorly managed data.

Today, most organizations realize that these are tasks that go far beyond what they can accomplish with spreadsheets. Even more powerful project management tools like Jira lack the customization necessary to support management of a cybersecurity program. So managers are left with the decision: Build the solution, often combined with open-source software, or purchase a platform customized for this very specialized purpose.

Affordability — Count the Real Cost

Budget is probably the first thought in any CISO’s mind when it comes to purchasing a cybersecurity service or platform. Who wouldn’t want additional software, automated systems, or outside consultants to take some of the load off? However, everyone knows that just because something would be nice to have doesn’t mean they get to have it. Since many cybersecurity teams are capable of building their own systems, programs, and platforms, the CISO has to weigh the cost of outsourcing or purchasing.

The first item for consideration is the total cost of ownership associated with the platform. Comparing a monthly or annual license fee to the initial cost to build a customized solution is not comparing apples to apples. Many factors must be considered including the cost of managing updates, feature requests, and training — all of which are likely covered in a product purchase.

Cost analysis must also include human capital. How many people are needed to create, run, and be experts on the product? This calculation applies to building something yourself or buying a product or service. Determining real cost means considering the size of the team and their roles and priorities compared with the subscription or service options.

There are also hidden costs that can take the form of lost investment when building an in-house program. For example, when the creator moves on from your organization and no one else has the knowledge to maintain that once perfect solution, the process effectively restarts to either bring someone else up to speed on the custom solution or seek an external product purchase.

Determining the real cost of building versus purchasing a platform to meet the need is complex, and just because something is affordable doesn’t mean it provides enough value. However if the value an outside provider can supply in terms of functionality, time savings, and stability surpasses the real cost of building systems yourself, it may be an invaluable purchase.

Efficiency — Time Really is Money

A second consideration is efficiency. How much time does your solution, whether created or purchased, save you and your team? This point is actually really about money too because human capital is often the most expensive. Whether your team is small or big, the efficiency of the cybersecurity professionals and how much of their time they can spend doing the real cybersecurity work determines how far your budget can stretch and how well you are protected.

Take reporting, for example. If a skilled professional is spending copious amounts of time transferring data and preparing reports in basic software programs like Excel or Word, then that person isn’t able to spend time doing the testing, analysis, and defending that actually keeps the organization protected.

Reports are important. Data management is key. But how can you automate these processes to maximize efficiency and keep the focus where it should be? Building a custom system that meets your specific needs is an option, but then you have personnel building the systems to make the systems more effective rather than actually protecting the data.

Purchased options that eliminate the drudgery without pulling significant time to create or customize are one way to improve efficiency and save money by letting the skilled professionals focus on the skilled work.

Building a solution yourself certainly requires skill, but is that where you want to spend your or your team member’s limited time? Answering that question really comes down the unique needs of your enterprise and if there is a product on the market robust enough to meet them. At the end of the day, each of us have to ask the question, “What is my time worth and where is it most effectively spent?”

Robustness — Anything You Can Build, Has Someone Built Better?

Every organization is unique in its needs based on the industry and its security capabilities. Most teams have factors to consider that aren’t solved by a one-size-fits-all solution — as great as that might be. Thus the incentive to build something yourself is high because you can design the features you need without paying for those that you don’t.

However, building isn’t as straightforward as it sounds. Whether you build from scratch or scrap together open source materials into your own Frankenstein creation, what you build begins to shape — or limit — your practice. Those “unnecessary” features in a purchased product may not seem so pointless as the landscape changes and your capabilities increase over time. One thing that doesn’t change in cybersecurity is the continuous creativity of the adversaries. An in-house solution can encourage security measures that simply maintain the status quo.

Another factor to determine the quality of a solution is the security of the program or system you are constructing or purchasing. If you are spending significant time working on or are concerned about the security of the solution you’ve created to assist you in maintaining security, it might be time to buy.

Finally, when determining what to create and what to purchase, you must factor in what you already use. How will an additional solution integrate with the various tools your organization already relies on? Building a custom solution to work with existing tools offers a precise approach but can become burdensome when those programs or platforms go through changes and updates.

The reality is that unless building a program or platform is your primary focus, creating something as robust as what you can purchase is going to be a challenge. Perhaps you will build something so amazing that you will eventually quit your job and start providing your service to everyone else … but probably not. Rather you need to protect your organization and serve your stakeholders now by establishing a comprehensive cybersecurity program. This program must be cost effective and efficiently utilize team members by all the means — built or bought — that you can.

How to Answer the Build or Buy Question

Here are the primary considerations for both sides of the debate:

To build: 

• When the solution you need is so unique that nothing exists to meet it
• When you have the team member or members with the unique skill set necessary to create what you need and the time to manage it
• When you team or organization is invested in the long-term maintenance and evolution of your build

To buy:

• When an existing product is so unique you can’t possibly build it yourself
• When the real cost of building yourself can’t compete with the value provided by a purchased solution
• When the product allows you and your team to prioritize the real cybersecurity over more menial tasks

Whether you build what you need or buy existing solutions, keep the big picture around cost and efficiency in mind and invest in what will help you win the war not just the battle.