Buy vs. Build? 5 Considerations for Vulnerability Management
Earlier this summer, Gartner predicted growth of IT spending will reach $4.2 trillion by the end of 2021, trumping 2020’s annual spend by almost 9%. Spending on cloud computing and other tech services is forecasted to reach almost $1.2 trillion by the end of the year.
With skyrocketing IT initiatives and digitization, leaders everywhere are evaluating their options, including investments in vulnerability management (VM). And when the time comes to determine a way forward for VM, the conversation often circles around one question:
“Do we buy it? Or do we build it?”
An important decision
With bad actors growing increasingly sophisticated and aggressive, enterprises need to think carefully when choosing the components that will make up their Security environment.
Vulnerability management (VM) is a prime example. VM isn’t just about closing vulns; it’s about managing and lowering risk. That, combined with the increasing number of vulnerabilities, is why you see the industry as a whole shifting towards a risk-based approach, integrating data-driven, predictive analytics in vulnerability prioritization decisions. Gartner cited the emerging importance of risk-based vulnerability management as a top security project for 2021.
Why risk-based? Because 70% of Windows systems, 40% of Linux/Unix systems, and 30% of network appliances have at least one open vulnerability with known exploits. That means plenty of opportunities for attackers. It also means that by focusing on remediating the vulns that pose the highest risk to your enterprise, you’ll do a better and more efficient job of protecting those assets and the data that resides on them.
Assessing your situation
The unique conditions of a business often shape the buy-vs.-build discussion.
- The size of a company’s attack surface is a driving factor in its relative risk profile. Large companies with distributed workforces can be uniquely exposed to threats.
- Financial services or healthcare businesses can be attractive targets because of the data they run their business on. Companies that rely on a supply chain of any kind must take into consideration the security of their upstream and downstream partners, and look closely at how those companies’ systems interface with theirs.
- Available budgets and resources will of course influence every decision, and smaller companies may feel more of a constraint than their large enterprise counterparts. But the average organization has the capacity to remediate just one out of every 10 vulnerabilities regardless of size.
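As an added illustration (not part of the original post) of the two points above, that remediation should go first to the vulnerabilities carrying the most risk, and that a typical team fixes only about one in ten of them: the snippet ranks a constructed set of findings by a simple risk score (severity, asset criticality, and whether a known exploit exists) and contrasts the result with a severity-only ranking under the same capacity. The weights, field names and vulnerability identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # base severity, 0-10
    exploit_known: bool     # a public exploit exists (the post's "known exploits")
    asset_criticality: int  # 1 (low) .. 5 (crown jewel), set by the organisation


def risk_score(f: Finding, exploit_weight: float = 3.0) -> float:
    """Illustrative risk score (assumed formula): severity scaled by asset
    criticality, multiplied when a known exploit exists. Real risk-based VM
    products use calibrated models; this is only a demonstration."""
    exploit_factor = exploit_weight if f.exploit_known else 1.0
    return f.cvss * f.asset_criticality * exploit_factor


def prioritize(findings: List[Finding], capacity_ratio: float = 0.10,
               key: Callable[[Finding], float] = risk_score) -> List[Finding]:
    """Return only the findings the team can actually remediate (default: one
    in ten, as the post states), ordered by the chosen key, highest first."""
    budget = max(1, int(len(findings) * capacity_ratio))
    return sorted(findings, key=key, reverse=True)[:budget]


# Constructed sample findings: the most severe one sits on a low-value asset
# with no known exploit; a medium-severity one is actively exploitable on a
# crown-jewel asset.
SAMPLE = [
    Finding("VULN-01", 9.8, False, 1),
    Finding("VULN-02", 7.5, True, 5),
    Finding("VULN-03", 9.1, False, 2),
    Finding("VULN-04", 6.5, True, 4),
    Finding("VULN-05", 5.3, False, 3),
    Finding("VULN-06", 8.8, False, 1),
    Finding("VULN-07", 4.3, True, 2),
    Finding("VULN-08", 7.2, False, 3),
    Finding("VULN-09", 9.0, False, 1),
    Finding("VULN-10", 6.1, False, 2),
]

if __name__ == "__main__":
    by_severity = [f.vuln_id for f in prioritize(SAMPLE, key=lambda f: f.cvss)]
    by_risk = [f.vuln_id for f in prioritize(SAMPLE)]
    print("severity-only picks:", by_severity)   # VULN-01
    print("risk-based picks:   ", by_risk)       # VULN-02
```

With ten findings and a 10% capacity, the severity-only plan spends the single fix on a low-value, unexploited host, while the risk-based plan spends it on the exploitable crown-jewel asset.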
So when a buy-versus-build conversation arises, business and security leaders have some tough decisions to make.
5 things to consider when deciding whether to buy or build
No matter your budget, organizational size, or culture, you need to weigh the pros and cons of building versus buying. To help simplify this, we’ve gathered the key considerations for making your buy-versus-build decision.
1. Cost and capacity
Cost will always be a factor in any decision. Ambitious development teams can take on the challenge of building their own vulnerability management platform, but they run the risk of sinking tons of time, energy, and ultimately money into getting it just right. According to Gallup, one in six IT projects runs over budget by 200% and takes 70% longer than anticipated.
Another factor is the organization’s capacity to design and operate these systems. Companies that opt to build need to have in-house talent that can meet the demands of a modern vulnerability management solution. They’ll need people to handle development, data processing and normalization, reporting, identity management, permissions, UX, etc. And to predict which vulnerabilities are likely to be weaponized, data scientists will be needed to build predictive algorithms.
By purchasing (or more likely subscribing to) commercial vulnerability management software, the costs are well defined going in and are more predictable over time. In some cases, however, add-ons and premium services can increase overall TCO. How much more you need from a vendor beyond the base offering, and at what price, should factor into the equation.
In further contrast to the build approach, a commercial VM solution is typically developed by teams who specialize in all aspects of modern vulnerability management, including risk scoring, predictive prioritization, threat analytics and more. That can be very difficult and expensive to replicate in house.
2. Control and customization
Companies will often opt to build because they believe they’ll have more control over a VM solution they’ve built themselves. The thinking is that a bespoke solution can more readily incorporate customizations and specific industry considerations. Financial services businesses in particular can include access to the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry-only resource for shared knowledge of specific threats and vulnerabilities targeting financial services. Similar ISACs have data sharing agreements as well.
A significant downside (and inherent risk) of building a one-off VM environment is that vital platform knowledge is often locked up in a handful of builders or owners. If these individuals are out sick, are on vacation, or leave the company, updates or critical maintenance are difficult. Bottlenecks also begin to emerge, creating inefficiencies in day-to-day needs like reporting.
One way commercial solutions address this is by being highly configurable and by supporting custom scripts and integrations via APIs. Leading solution providers also tend to listen closely to customers to help them find ways to create the environment they need, and often incorporate common customer-requested features into upcoming releases.
3. Maintenance and enhanced insights
One of the most compelling reasons for buying over building is avoiding the burden of maintenance. Relying on a third-party vendor dedicated to ongoing support, regular updates and new releases, and long-term product innovation, rather than trying to take it all on in-house, allows AppDev teams to invest their efforts elsewhere and relieves Security and IT of the headache of ensuring their custom environment remains a step ahead of the next threat.
Organizations that use commercial solutions also gain the advantage of an entire user base from which to glean insights and predictive threat and exploit analytics. Technology like machine learning and artificial intelligence improves over time and with larger data lakes to pull insight from. Even if in-house teams had the capability to enhance their systems, they would still be pulling from their own limited data pools or purchased threat intelligence feeds, greatly limiting their actionable insight and visibility.
Those insights pay off in various ways. Specific vendors offer users tailored vulnerability risk scores powered by data science and defined by real-world threat and vulnerability intelligence and the company’s own appetite for risk. Risk scores empower users to focus on patching the vulnerabilities that will lower risk the most. The formulas and calibrated models for these risk scores are finely tuned again and again by experts whose sole job it is to train and perfect these models. That could be a heavy lift for an in-house team.
4. Connectivity and cloud
Since each company’s IT ecosystem is unique, with its own makeup of applications, vendors, and end users, building a vulnerability management solution can make the task of connecting these tools more desirable and, in some cases, more achievable. There’s also a build-buy-build approach that some companies choose to take: building a solution, layering purchased capabilities on top of that, and then building further or customizing on top of that.
However, it’s now standard practice for vulnerability management vendors to offer APIs and integrations with popular solutions such as scanners and workflow and ticketing platforms, satisfying a good percentage of a company’s needs while utilizing existing security tools.
The most advanced VM solutions are often cloud based. This means it’s easier to scale your VM environment as your enterprise and your needs grow: you simply add more licenses.
Concerns about cloud security once caused IT and Security to be hesitant to transition their data to the cloud, instead opting for an on-prem or hybrid solution. But vendors of leading cloud VM platforms know what’s at stake, and the best of them are well protected. If you’ve got specific concerns or requirements relative to cloud security, talk to the vendors on your consideration list.
5. Adoption and advocacy
As more and more companies rally around risk to drive down their risk profiles and create a more security-savvy culture, user experience (UX) becomes paramount. Intuitive design enables a wide range of users and stakeholders to access the data they need, when they need it. This democratizes security by simplifying a previously complex task, and helps drive widespread adoption. It’s rare for a company to be able to build its own sophisticated, robust vulnerability management tool that’s ALSO easy to use.
One instance where this is particularly true is reporting. For reporting to be effective, it must be meaningful and easily digested by people who don’t work in Security or even IT. Designing intuitive dashboards and aggregating KPIs that matter most to leadership and stakeholders will define success and create converts out of non-believers.
Accessible, intuitive and meaningful platforms help drive adoption and advocacy for future security initiatives. For organizations that aim to create a culture around risk reduction, that’s not a nice-to-have. It’s an imperative. If you’re considering building your VM tool, ask yourself if your development team is capable of hiding all the complexity of modern vulnerability management, while simultaneously surfacing helpful insights that let stakeholders understand what you need to do to improve your risk profile.
It all comes down to managing risk
Lots of questions and considerations enter into the buy-vs.-build conversation. The questions can be both practical and esoteric: What am I trying to do now? How will this evolve in the future? How can I leverage my security investments? Where are my resources best served? (For tips, check out our recent blog highlighting 7 Questions to Ask Every Vulnerability Management Vendor.)
Whether you land on a buy, build, or hybrid approach, make sure that on the other side of this initiative, the solution you end up with is the one that helps manage risk in the most effective and efficient way possible.
To find out how you can reduce risk while leveraging your existing security investments and optimizing your resources, register for Kenna Katalyst, a virtual workshop designed to kickstart your risk-based vulnerability management program.