The Build vs. Buy Decision: A Security Practitioner’s Point of View

June 27, 2016

Throughout my career, I’ve had a repeated conversation at yearly budget planning time. It comes up when I want to invest in a new capability and we either have a) some internal employees who think they are capable of writing scripts, b) long-term sysadmins (a special breed), or c) a true development organization that has historically built operational tools. The conversation? Whether we should buy a tool or allow the team to build one.

Choosing whether to build or buy a mature security solution is a difficult decision, especially if you come from an organization whose information security budget has not grown while the risk landscape has. If you have budget to spend, you are deciding between investing your capital spending and investing your internal operational or development resources to build a set of capabilities. The following points have helped me direct the conversation and might help you finalize your decision on where best to use the funds and people you have available. I don’t want to make this a CAPEX vs OPEX decision, because that’s up to your finance team, so I want to focus on situational reality.

Seven scenarios that support a “buy” decision... you should buy if:

1) You need a solution that has already been proven in “Fit for Use” testing and allows your company to focus on “Fit for Purpose” testing. This means you can be confident that the product is already fully functional, because a mature product has likely been fully tested by many organizations, including government entities, and they have very likely tested it in a much more rigid way than you ever could. Your “Fit for Purpose” testing can then concentrate on your specific use cases or your highly customized environments.

2) You work in a publicly traded, government, or highly regulated environment that must use software that has gone through full third-party validation and conforms to a known industry best-practice set of guidelines such as Common Criteria, COBIT, ISO, or NIST. Auditors, boards of directors, and regulatory bodies understand known purchased solutions, as they can assume the product has already passed others’ scrutiny.

3) You prefer to rely on a few key strategic partners you can trust and to delegate some of the responsibility to the partner/vendor. By setting your use cases and expectations early, and looking to the partner to provide services and capabilities that meet your needs, you can direct your focus toward projects and efforts that bring business value. In my view, developing something that others have already created is not the best use of resources or money and does not deliver the best business value. Focus your time on business efforts instead.

4) You have capital funds available and need to deliver against a financial model that includes multi-year pre-paid hardware, software, or maintenance in a capitalized financial model.

5) You wish to contribute back to the industry but cannot do it directly. Developing a partnership with a software company is your opportunity to improve the industry. Information security professionals have an obligation to provide their knowledge back through use cases, education, and experience so that we can reduce the overall risk of data breaches or other impactful Provide your learnings back to the vendors, conferences, and partners so that they can learn, adopt, and improve.

6) You are forbidden from using open source software, or there is a strong push against using certain types of licenses outside of NDA and contract agreements.

7) You are expected to deliver certain types of software to meet auditor expectations. This might be software that is considered “expected” or “table stakes”: it provides foundational services and should simply be bought so that you can move on to delivering functionality rather than inventing and testing.

It is important that once you purchase a solution or a tool, you focus your energy on making it work. Rank your use cases, start to execute, and partner with your vendor through relationships and tickets if there are issues. I’m a fan of solutions that work together, and I have learned that filling your company with a ton of best-of-breed solutions that don’t fully integrate leads to a lack of delivery. At some point in the future, I’ll write more about best-of-breed versus strategic platforms/solutions.

Six scenarios that support a “build” decision, you should build if:

1) Your organization has permanent development resources with technology skills in information security. Building information security products is a non-trivial activity. That said, you should only build capabilities that are enhancements or deliver automation on top of embedded or open source solutions, and that must be truly unique to your business line, complexity, or scale. Don’t bother building something that someone else has already built. “Not created here” is a bad disease in my book.

2) Funding is simply not available, or solutions are simply too cost-prohibitive to buy at scale. In that case, consider other options such as immutable VMs, edge controls, and protecting other important attack surfaces rather than each individual host. Open source solutions are possible here, but be careful, because they might lack enterprise features you require. If preventative controls are out of reach, at least turn on all of the logging-based detective controls that come with your operating system.

3) Depending on your specific organization, you might have requirements that need your unique skills in machine learning, user behavior, high-speed data, or processing analytics, such that it makes sense to extend a product or develop additional capabilities. I think of AWS, Google, Facebook, or Microsoft when I think of these things.

4) You’re a university, you partner with universities, or you’re a startup that is developing or conducting advanced research that advances your company mission.

5) You research and discover something unique and want to invest in a patent portfolio, or you need a certification that no one has yet obtained.

6) Open source solutions have improved beyond all vendors in the space and the tool is a standalone product that is very specific to its use case. Then it might make sense to adopt the more mature open source tool. BIND, Linux, and nmap are examples.

In general, my personal preference is to purchase solutions and invest my time in delivering against the use cases my company requires. I understand the innate desire to create and develop solutions, but I also know my limitations and know there are those who have invested far more skills, resources, and capital in solutions. Information security specifically is a non-trivial area, and I do not believe it is an appropriate use of time to attempt to recreate what companies have invested millions to build. Very few organizations have the capability to create, build, and deploy open source security solutions (not simply to use them), so I think it makes much more sense to partner with someone who has proven technology and hold them accountable for it working. No matter which you choose – build or buy – make sure you turn it on and look at the output! SOME protection is better than NO protection.

Suites of products, such as those delivered by BeyondTrust, can be a great strategic investment for your company. These solutions combine vulnerability scanning (Retina), privilege management (PowerBroker), password management (Password Safe), and advanced intelligence (BeyondInsight) to deliver an integrated set of features that no other vendor provides. Rather than invest in building solutions that do not fully deliver the strategic capabilities your company requires, have a conversation with us on how we can partner with you to execute quickly.

Scott Carlson, Technical Fellow

As Technical Fellow, Scott Carlson brings internal technical leadership to BeyondTrust, strategic guidance to our customers, and evangelism to the broader IT security community. He also plays a key role in developing innovative relationships between BeyondTrust and its technical alliance partners. Scott has over 20 years of experience in the banking, education and payment sectors, where his focus areas have included information security, data centers, cloud, virtualization, and systems architecture. He is also a noted thought leader, speaker and contributor to RSA Conference, OpenStack Foundation, Information Week and other industry institutions.

Prior to joining BeyondTrust, Scott served as Director of Information Security Strategy & Integration with PayPal, where he created and executed security strategy for infrastructure across all PayPal properties, including worldwide data centers, office networks, and public cloud deployments. He led several cross-departmental teams to deliver information security strategy, technical architecture, and strategic solutions across enterprise IT environments. As a member of the office of the CISO, CTO and CIO, Scott spoke on behalf of the company at global conferences. In addition, he was responsible for infrastructure budget management, vendor management, and product selection, while also serving as the cloud security strategist for private OpenStack cloud and public cloud (AWS, GCP, Azure). Prior to PayPal, Scott held similar roles with Apollo Education Group and Charles Schwab.
