Buy vs. Build? 5 Considerations for Vulnerability Management
This post originally ran on September 9, 2021, and has been updated.
Worldwide IT spending is projected to total $4.4 trillion in 2022, an increase of 4% from 2021, according to the latest forecast by Gartner, Inc.
With skyrocketing IT initiatives and digitization, leaders everywhere are evaluating their options, including investments in vulnerability management (VM). And when the time comes to determine a way forward for VM, the conversation often circles one question:
“Do we buy it? Or do we build it?”
An important decision
With bad actors growing increasingly sophisticated and aggressive, enterprises need to think carefully when choosing the components in their Security environment.
Vulnerability management (VM) is a prime example. VM isn’t just about closing vulns; it’s about managing and lowering risk. That, combined with the increasing number of vulnerabilities, is why you see the industry shifting towards a risk-based approach, integrating data-driven, predictive analytics in vulnerability prioritization decisions. Gartner cited the emerging importance of risk-based vulnerability management as a top security project.
Why risk-based? Because 70% of Windows systems, 40% of Linux/Unix systems, and 30% of network appliances have at least one open vulnerability with known exploits. That means plenty of opportunities for attackers. It also means that by focusing on remediating the vulns that pose the highest risk to your enterprise, you’ll do a better and more efficient job of protecting those assets and the data that resides on them.
Assessing your situation
The unique conditions of a business often shape the buy-vs.-build discussion.
- The size of a company’s attack surface is a driving factor in its relative risk profile. Large companies with distributed workforces have more to defend and are correspondingly more exposed to threats.
- Financial services or healthcare businesses can be attractive targets because of the sensitive data their business runs on. Companies that rely on a supply chain of any kind must consider the security of their upstream and downstream partners and look closely at how those companies’ systems interface with their own.
- Of course, available budgets and resources will influence every decision, and smaller companies may feel more constrained than their large enterprise counterparts. But the average organization can remediate just one out of every ten vulnerabilities regardless of size.
So when a buy-versus-build conversation arises, business and security leaders have some tough decisions.
Five things to consider when deciding whether to buy or build
No matter your budget, organizational size, or culture, you need to weigh the pros and cons of building versus buying. To help simplify this, we’ve gathered together the key considerations when you’re making your buy versus build decision.
1. Cost and capacity
Cost will always be a factor in any decision. Ambitious development teams can take on the challenge of building their own vulnerability management platform. Still, they risk sinking large amounts of time, energy, and ultimately money into getting it just right. According to Gallup, one in six IT projects runs over budget by 200% and takes 70% longer than anticipated.
Another factor is the organization’s capacity to design and operate these systems. Companies opting to build need to have the in-house talent to meet the demands of a modern vulnerability management solution. They’ll need people to handle development, data processing, normalization, reporting, identity management, permissions, UX, etc. And to predict which vulnerabilities are likely to be weaponized, data scientists will be needed to build predictive algorithms.
By purchasing (or, more likely, subscribing to) commercial vulnerability management software, costs are better defined and more predictable over time. However, add-ons and premium services can increase overall TCO in some cases. How much more you will need from the vendor beyond the base subscription should factor into the equation.
In further contrast to the build approach, a commercial VM solution is typically developed by teams specializing in modern vulnerability management, including risk scoring, predictive prioritization, threat analytics, and more. That can be very difficult and expensive to replicate in-house.
2. Control and customization
Companies will often opt to build because they believe they’ll have more control over a VM solution. The thinking is that a bespoke solution can more readily incorporate customizations and specific industry considerations. Financial services businesses, in particular, can build in access to the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry-only resource for shared knowledge of specific threats and vulnerabilities targeting financial services. Other sector ISACs have similar data-sharing agreements.
A significant downside (and inherent risk) of building a one-off VM environment is that vital platform knowledge is often locked up in a handful of builders or owners. If these individuals are out sick, are on vacation, or leave the company, updates or critical maintenance are difficult. Bottlenecks also begin to emerge, creating inefficiencies in day-to-day needs like reporting.
Commercial solutions address this by supporting custom scripts and integrations through their APIs, so the customization lives in documented interfaces rather than in one person’s head. Leading solution providers also tend to listen closely to customers to help them create the environment they need, and often incorporate common customer-requested features into upcoming releases.
3. Maintenance and enhanced insights
One of the most compelling reasons for buying over building is avoiding the burden of maintenance. Relying on a third-party vendor dedicated to ongoing support, regular updates and new releases, and long-term product innovation, rather than taking it all on in-house, lets AppDev teams invest their effort elsewhere. It also relieves Security and IT of the headache of ensuring a custom environment stays a step ahead of the next threat.
Organizations that use commercial solutions also gain the advantage of an entire user base from which to glean insights, predictive threat data, and exploit analytics. Technology like machine learning and artificial intelligence improves over time and with larger data lakes to draw from. Even if in-house teams could enhance their systems, they would still be pulling from their own limited data pools or purchased threat intelligence feeds, significantly limiting their actionable insight and visibility.
Those insights pay off in various ways. Specific vendors offer users tailored vulnerability risk scores powered by data science and defined by real-world threat and vulnerability intelligence and the company’s appetite for risk. Risk scores empower users to focus on patching the vulnerabilities that will lower risk the most. The formulas and calibrated models for these risk scores are finely tuned again and again by experts whose sole job is to train and perfect these models. That could be a heavy lift for an in-house team.
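To make the "Why risk-based?" argument above and the risk-score discussion in this section concrete, here is an added, illustrative prioritization routine. It is not any vendor’s scoring model and not code from the original post; the weights, the 1 to 5 asset-criticality scale, and the five-item sample inventory are all constructed assumptions. It shows the point both passages make: ranking by CVSS alone and ranking by risk (severity combined with known-exploit status, exposure, and business criticality) put different findings at the top of a constrained remediation queue.

```python
"""Illustrative risk-based vulnerability prioritization (added example).

Not a vendor's scoring model. Weights, scales, and the sample inventory
are constructed for demonstration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # identifier as reported by the scanner (constructed)
    asset: str              # host or application the finding was raised on
    cvss_base: float        # 0.0 to 10.0 severity from the scanner
    exploit_known: bool     # public exploit code or active exploitation observed
    asset_criticality: int  # assumed scale: 1 (lab box) to 5 (crown-jewel system)
    internet_facing: bool   # reachable from outside the perimeter


def risk_score(f: Finding) -> float:
    """Combine severity with threat and business context (assumed weighting).

    Severity is scaled by exposure and business criticality, and findings
    with a known exploit keep full weight while the rest are discounted to a
    quarter. The effect: an exploitable medium on a critical system outranks
    an unexploitable critical on a less important one.
    """
    severity = f.cvss_base / 10.0
    threat = 1.0 if f.exploit_known else 0.25
    exposure = 1.0 if f.internet_facing else 0.5
    business = f.asset_criticality / 5.0
    return round(100.0 * severity * threat * exposure * business, 1)


def prioritize(findings: Iterable[Finding],
               capacity: Optional[int] = None) -> List[Finding]:
    """Rank findings by risk score, highest first.

    `capacity` models the remediation budget for one cycle; the post notes
    that most teams can fix only about one in ten open vulnerabilities.
    """
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.vuln_id))
    return ranked if capacity is None else ranked[:capacity]


def cvss_only(findings: Iterable[Finding]) -> List[Finding]:
    """The severity-only ordering that risk-based VM is meant to replace."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.vuln_id))


# Constructed sample inventory; the identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-001", "web-proxy-01",   9.8, False, 3, True),
    Finding("VULN-002", "payments-db-01", 7.5, True,  5, False),
    Finding("VULN-003", "dev-laptop-17",  9.1, True,  1, False),
    Finding("VULN-004", "vpn-gateway-01", 6.5, True,  4, True),
    Finding("VULN-005", "hr-portal-01",   5.3, False, 2, True),
]


if __name__ == "__main__":
    print("CVSS-only order :", [f.vuln_id for f in cvss_only(SAMPLE_FINDINGS)])
    print("Risk-based order:", [f"{f.vuln_id}={risk_score(f)}"
                                for f in prioritize(SAMPLE_FINDINGS)])
    print("This cycle (2)  :", [f.vuln_id for f in prioritize(SAMPLE_FINDINGS, 2)])
```

With the constructed data, CVSS alone would send the team to the unexploited 9.8 on the proxy first; the risk ordering puts the exploitable 6.5 on the internet-facing VPN gateway and the exploitable 7.5 on the payments database ahead of it. The weights are the part a real program would calibrate against its own threat intelligence and risk appetite, which is exactly the ongoing model-tuning work the paragraph above describes.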
4. Connectivity and cloud
Since each company’s IT ecosystem is unique in its mix of applications, vendors, and end users, building a vulnerability management solution can make connecting these tools more attractive and, in some cases, more achievable. There’s also a build-buy-build approach that some companies take: build a solution, layer in purchased capabilities, and then customize further.
However, it’s now a standard practice for vulnerability management vendors to offer APIs and integrations with popular solutions such as scanner, workflow, and ticketing platforms, satisfying a good percentage of a company’s needs and utilizing existing security tools.
The most advanced VM solutions are often cloud-based. This makes it easier to scale your VM environment as your enterprise and your needs grow: you add more licenses rather than more infrastructure.
Concerns about cloud security once caused IT and Security to hesitate to move their data to the cloud, opting instead for an on-prem or hybrid solution. Vendors of leading cloud VM platforms know what’s at stake, and the best of them are well protected. Talk to the vendors on your consideration list if you have specific concerns or requirements relating to cloud security.
5. Adoption and advocacy
As more and more companies rally around risk to drive down their risk profiles and create a more security-savvy culture, user experience (UX) becomes paramount. Intuitive design enables a wide range of users and stakeholders to access the data they need when they need it. This democratizes security by simplifying a previously complex task and helps drive widespread adoption. It’s rare for a company to be able to build their own sophisticated, robust vulnerability management tool that’s ALSO easy to use.
One instance where this is particularly true is reporting. For reporting to be effective, it must be meaningful and easily digested by people who don’t work in Security or even IT. Designing intuitive dashboards and aggregating KPIs that matter most to leadership and stakeholders will define success and create converts out of non-believers.
Accessible, intuitive, and meaningful platforms help drive adoption and advocacy for future security initiatives. Creating a culture around risk reduction is imperative. If you’re considering building your VM tool, ask yourself if your development team can hide all the complexity of modern vulnerability management while simultaneously surfacing helpful insights stakeholders can use to improve their risk profile.
It all comes down to managing risk.
Lots of questions and considerations enter into the buy-vs.-build conversation. The questions range from the practical to the strategic: What am I trying to do now? How will this evolve in the future? How can I leverage my existing security investments? Where are my resources best served? (For tips, check out our recent blog highlighting 7 Questions to Ask Every Vulnerability Management Vendor.)
Whether you land on a buy, build, or hybrid approach, make sure the solution you end up with helps you manage risk as effectively and efficiently as possible.