Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Do I Decide Whether to Buy or Build in Security?

To build or buy — that is the question. Security teams have to consider maintenance costs and compliance questions when they go down the build-it-yourself path.

Neal Bridges, CISO, Query.AI

April 4, 2022

2 Min Read
Hands working together to build a tower out of blocks.
Source: Andrey Popov via Adobe Stock Photo

Question: How do I decide when to buy or when to build in security?

Neal Bridges, CISO at Query.AI: It's easy to see the appeal of building your own security stack, as there are more options for open source code and projects than ever before. But for many companies, buying is the better alternative — especially when you consider the fact that long-term maintenance and costs associated with building your own security infrastructure can be a detriment to your security posture.

When determining the best option for your business, there are two major things to consider.

First, you must ask yourself whether your team is capable of maintaining an implementation from a "build-it-yourself" style of project. With this approach, you won't be getting a formal support contract, regular patches, or compliance-driven assurance of third-party risk. Therefore, all the risk transference moves to your security team versus the vendor. This might be an acceptable trade-off for smaller companies (less than $1 billion in revenue) that rely on cybersecurity insurance as a risk deference option, as the punishment for noncompliance is less painful. But for larger companies that face compliance driven mandates from outside entities, this most likely isn't a risk you want to take.

The second consideration is accepting that a build-it-yourself scenario requires any new features — which otherwise would be developed or advanced by paid entities — be handled in-house as new development or be forgone completely. We know and accept that cybersecurity is increasingly agile and changes regularly. Many companies rely on the deep security vendor R&D budgets to keep up with those trends so that their security teams can focus on the threat — not researching and developing those solutions themselves. If you do take it on in-house, it could require either additional headcount on your security team or additional time overhead from the current team.

In summary, I think build versus buy comes down to answering this question for yourself: Am I willing to put in the time and money to invest in my own team's capability, or do I want to outsource that risk?

About the Author

Neal Bridges

CISO, Query.AI

Neal brings more than two decades of cybersecurity experience to his role as chief information security officer for Query.AI, where he is responsible for leading the company’s security strategy and operations, and guiding product development efforts to help customers achieve their desired security outcomes. Throughout his career, Neal has helped federal and commercial organizations develop and execute cybersecurity strategies, and has built teams at multiple Fortune 100 companies. He’s also successfully led go-to-market strategies and spearheaded multi-million-dollar merger and acquisition activity to achieve company growth objectives. Neal is the founder of Cyber Insecurity podcast where he discusses the latest cyber news and trends, and gives career advice to listeners who are new to the cybersecurity industry. In his spare time, Neal enjoys going off-roading in his Jeep, and researching how Web3 is going to change the way we use the internet.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights