Build vs. Buy Cloud Security Software: 4 Must-Ask Questions During the Decision-Making Process



Build vs. Buy Cloud Security Software: 4 Must-Ask Questions During the Decision-Making Process

Balancing an organization’s immediate needs while considering long-term growth can be challenging, especially when deciding whether to build vs. buy cloud security software.

Cloud solutions can reduce costs and boost productivity, but storing information in the cloud can present security risks like data breaches, internal threats, and hackers. According to Vormetric, 85% of enterprises store sensitive data in the cloud, and 70% have serious concerns about doing so. This doesn’t mean organizations shouldn’t use the cloud, though; quite the opposite. Enterprises do, however, need to amp up their security programs to protect their data, securing the benefits of cloud storage while minimizing the risks.

Cloud applications make it easier to access mission-critical data anytime, anywhere – but they also increase your human attack surface, meaning breaches and data loss can also happen anytime, anywhere. Insiders can now access a wealth of confidential information both within and outside your company network, handily exporting data, for example, without detection.

Organizations need cloud security in place to protect their customer and corporate data. Plus, security increases trust in your organization, not only with employees but with customers and clients as well. Better security helps prevent data breaches and can ensure regulatory compliance. And with an estimated 80 percent of all IT budgets being devoted to cloud apps and solutions, securing your cloud solutions is the best way to safeguard data.

However, it’s not always as simple as choosing a software solution and calling it a day. When selecting software, organizations may have to decide whether they should build or buy. Building allows for customization, but buying offers solutions right out of the box. No single solution fits every organization, but this article can help you determine whether to build vs. buy cloud security software for your organization.

Build vs. Buy a Solution for Cloud: 4 Questions

When considering whether you should build or buy a cloud security solution, it’s important to first determine your organization’s top priorities and values. Do you want something that significantly reduces costs, can be scaled to your size and needs, and offers flexibility? Or do you need a customized solution that’s critical to your workflow that no other solution on the market can offer?

Ask yourself these four questions as you decide whether to build vs. buy cloud security software:

  1. What are the must-have features? Are they available in an off-the-shelf solution, or is customization necessary?
  2. What is your timeline? How quickly do you need to implement this solution?
  3. What is the build vs. buy cost analysis? Once you know what features you need and your implementation timeline, you can better determine the possible build vs. buy costs.
  4. What is the potential ROI? This is perhaps the most important question — which solution’s ROI justifies the expense?


In general, it’s recommended that you buy a cloud security solution if:

  • Your organization needs something that meets “fit for use” testing guidelines so you can align it with your company’s “fit for purpose.” With a fully functional product already developed, you don’t have to worry about getting it up and running; instead, you can focus on how to best use it to meet your organization’s needs.
  • Your industry or organization is in a highly regulated, governmental, or publicly traded field that requires any software to go through a full validation process. Many industries, like financial services, are required to use solutions that have already undergone rigorous testing and vetting to ensure they meet regulations and best practice standards. If the product is approved by one highly regulated company’s Board of Directors, chances are higher that your organization’s board will agree.
  • Using open source software isn’t an option, whether due to regulatory, licensing, NDA, or contract agreements.
  • Your organization has available capital funds and you need to provide a financial report that includes set costs for hardware, software, maintenance, and other expenses in a multi-year model.
  • You need a solution that you can use right away. Out-of-the-box solutions can be up and running in as little as 48 hours, whereas custom solutions may take months or years to build and perfect.

“Ultimately, customization can give you unique, tailored options that suit your organization, but even building can’t always provide you with exactly what you want.”


If your organization identifies with the following scenarios, then it may be more prudent for you to build a solution:

  • You have reliable resources for technology and information security development. Building a software solution is a major undertaking, and your organization will need to devote time and resources to building, enhancing, and maintaining your program. Ongoing maintenance increases the total cost of ownership (TCO) compared to buy solutions.
  • What you need doesn’t already exist. You don’t want to dedicate time and resources to building a solution if it’s already been built. If building truly enhances the capabilities in a way that’s necessary for your scale or flexibility needs, then proceed.
  • Your organization’s software contains core processes that are essential for the operation and differentiate your organization in the market. Your organization may be filling a gap in the marketplace with unique skills and specific requirements that set you apart from others, which is a solid reason to build.
  • Your company is specifically working to conduct advanced research and development. Organizations like universities or research institutions may conduct research or develop projects (including custom-built enterprise solutions) to advance their organization’s mission.
  • After researching and developing a unique solution, you’re investing in a patent portfolio. Intellectual property may require a fully customized solution to avoid patent or copyright infringement.

When deciding whether to build vs buy cloud security software, remember that many "build" projects just don't work.

Weighing Your Options for Building vs. Buying Software

Ultimately, customization can give you unique, tailored options that suit your organization, but even building can’t always provide you with exactly what you want. When you choose something out-of-the-box, the maintenance costs are minimal compared with building. Plus, the fact that other companies have put the software to the test can prevent any potential snags or development hang-ups at your company.

The ROI for customization typically isn’t worth the costs associated with development, maintenance, and other ongoing expenses that build software requires. Plus, most organizations have one or two people who specialize in the software, making maintenance and development of the software difficult if they leave or are otherwise unable to provide their expertise.

Customized technology certainly provides value, but in the end, it’s the solutions people and the processes that give it the most value. In fact, research shows that only 29 percent of in-house software development projects were successful, while 52 percent were challenged and 19 percent failed.

When deciding to build vs. buy cloud security software, flexibility and ability to leverage what other companies are doing can be more important than customization and innovation.

Salesforce Security Solutions

If you’re looking specifically at Salesforce security solutions, there are extra factors to consider, like whether you need to monitor privileged users, permissions and profiles, security controls, logins, or other types of user activity. Most financial organizations need to control and monitor access to meet regulatory requirements, security frameworks like ISO 27001 and NIST, and internal policies around customer data.

Salesforce has a robust AppExchange store with many applications already built by ISV strategic partners, so when it comes to deciding whether to build vs. buy cloud security software, most Salesforce users buy.

In particular, Salesforce users rely on Salesforce Shield, which contains three components to boost cloud security: Platform Encryption, Event Monitoring, and Field Audit Trail. This trio allows developers and admins to build trust, transparency, and compliance in their mission-critical apps.

Making the Final Choice

A “buy” solution makes it easy for organizations in many industries — including financial services and healthcare — to secure their data right away. In contrast, a “build” solution may take weeks or months to fully implement, and even then, it may need continuous maintenance.

Ultimately, organizations have to consider the pros and cons of each option as they pertain to their mission and goals. If you’ve asked yourself the essential questions and still aren’t sure which solution is best, consider this: what are your requirements for the software, and can you attribute “fit scores” to the programs you’re considering based on whether they meet those requirements?

If a program meets every requirement, you can assume the fit score is 100 percent. If the buy products you’re considering score 80 percent or higher, then buying is the right choice. If the products available on the market score less than 60 percent, you can either reevaluate your requirements or proceed with building.

Learn how strategic Salesforce ISV partner Imprivata FairWarning can provide Salesforce security and visibility within 48 hours at a fraction of the cost of “building” your own option.