Question: How do I decide when to buy or when to build in security?
Neal Bridges, CISO at Query.AI: It's easy to see the appeal of building your own security stack, as there are more options for open source code and projects than ever before. But for many companies, buying is the better alternative — especially when you consider the fact that long-term maintenance and costs associated with building your own security infrastructure can be a detriment to your security posture.
When determining the best option for your business, there are two major things to consider.
First, you must ask yourself whether your team is capable of maintaining an implementation from a "build-it-yourself" style of project. With this approach, you won't be getting a formal support contract, regular patches, or compliance-driven assurance of third-party risk. Therefore, all the risk transference moves to your security team versus the vendor. This might be an acceptable trade-off for smaller companies (less than $1 billion in revenue) that rely on cybersecurity insurance as a risk deference option, as the punishment for noncompliance is less painful. But for larger companies that face compliance driven mandates from outside entities, this most likely isn't a risk you want to take.
The second consideration is accepting that a build-it-yourself scenario requires any new features — which otherwise would be developed or advanced by paid entities — be handled in-house as new development or be forgone completely. We know and accept that cybersecurity is increasingly agile and changes regularly. Many companies rely on the deep security vendor R&D budgets to keep up with those trends so that their security teams can focus on the threat — not researching and developing those solutions themselves. If you do take it on in-house, it could require either additional headcount on your security team or additional time overhead from the current team.
In summary, I think build versus buy comes down to answering this question for yourself: Am I willing to put in the time and money to invest in my own team's capability, or do I want to outsource that risk?