

Security Considerations – Weighing the Software Build Vs Buy Decision

by Merit Network

Cyber crime damages are expected to exceed $6 trillion annually by 2021.¹ When weighing the decision to purchase an existing software solution against building and maintaining a proprietary system, security should be top-of-mind. Headlines such as the 2017 Equifax breach or Target’s $19 million settlement over its 2013 breach make it easy to believe that attackers only seek high-value, personally identifying information that can be stolen en masse. In fact, threats against small to mid-sized businesses are growing rapidly, and smaller organizations often lack the resources to hire security leadership, such as a CISO or CIO, to own a security and information assurance framework.

Administration, physical security, network security, server configuration, end-user device policies, risk management processes, authentication, application security, information security and incident response should all be scrutinized, whether the solution is built in-house or bought. When scoping any new software solution, complete a risk assessment internally and require one from each potential external vendor; the areas below are the ones that assessment should cover.

Administratively, begin by vetting the individual(s) responsible for cyber and infrastructure security within the vendor’s organization, and ensure that trained and credentialed staff hold those positions. Request a copy of the vendor’s SOC 2 report, an independent auditor’s opinion on the vendor’s controls against the Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality and privacy). Prefer a Type II report, which tests whether the controls operated over a period rather than merely existed on a single date, and read the scope, the listed exceptions and the complementary user-entity controls rather than treating the report as a pass mark. The vendor’s most recent vulnerability assessments or penetration tests should also be reviewed: check who performed them, what was in scope, and whether the findings have been remediated. Internally, your organization should be conducting the same regular testing and assessments to identify and mitigate weaknesses in its own security posture. It is also necessary to discuss any previous cybersecurity breaches with the potential vendor. Have they experienced a significant incident? How was it remediated? Insurance that covers a cyber incident or the loss of any customer’s confidential or sensitive information should be in place, and proof of coverage should be requested. Finally, background checks on employees should be conducted both within your organization and within any potential vendor’s business.

Physical security is also a concern, both for in-house systems and for any external cloud-based application that stores protected information. How are backups and redundancy handled? Review the data centers where your information will be housed: does your organization, or the vendor, own its colocation space, or is the facility shared? If a shared facility is used, that facility should also produce its own risk assessment document. The physical and environmental risks to any office facility that handles sensitive data, and the procedures that address them, should be reviewed as well. Any data center that will be used should undergo an SSAE 18 (formerly SSAE 16) SOC examination on a yearly basis. Review this documentation with internal resources, or request a copy from any potential vendor, and confirm that the report’s period and scope actually cover the facility and services you will rely on. Physical security requirements, both internal and external, should be formalized in a written policy and reviewed on an annual basis. Visitors to any site that holds sensitive information should be logged, and no unescorted access should be permitted.

In regard to network security, your organization or the vendor’s should maintain a “deny all, allow by exception” policy for access. Firewalls, data loss prevention tools, DDoS monitoring systems and network traffic encryption should be reviewed annually for every path your information will take through a network. A security framework such as the CIS Controls should be followed.² Whether building internally or sourcing externally, ensure that both organizations have standardized procedures for applying security patches and updates to software and operating systems, and ask how quickly a critical patch reaches production. Risk management processes should be reviewed on an annual basis. Multi-factor authentication, encrypted protocols for remote access, separation between development and production environments, and code review processes should also be evaluated.
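To make “deny all, allow by exception” concrete, the following nftables ruleset is an added illustration and is not part of the original article or of any vendor’s configuration. The weak table shows the common mistake (a default-accept policy with a few known-bad ports blocked); the hardened table inverts it so that every permitted flow is an explicit rule and everything else is logged and dropped. The interface, the 10.0.10.0/24 admin subnet and the service ports are assumptions for the example.

```nft
# Added example, not from the original article. Subnets, ports and the
# log prefix are illustrative assumptions.

# WEAK: default accept. Anything not named here (a forgotten debug port,
# a database listener, a new service) is reachable from everywhere.
table inet filter_weak {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop          # blocks telnet, allows everything else
    }
}

# HARDENED: default drop. Each accept line is a documented exception.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept                              # loopback
        ct state established,related accept        # replies to our own traffic
        ct state invalid drop

        # Management: SSH only from the admin subnet (assumed 10.0.10.0/24)
        ip saddr 10.0.10.0/24 tcp dport 22 accept

        # Public service exception: HTTP/HTTPS from anywhere
        tcp dport { 80, 443 } accept

        # Minimal ICMP so path-MTU discovery and diagnostics keep working
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, time-exceeded,
                      packet-too-big, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Everything else: rate-limited log, then the chain policy drops it
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # not a router
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file without loading it using `nft -c -f rules.nft`, then apply it with `nft -f rules.nft` from a console session (not over SSH from outside the admin subnet, or the session will be cut off). The review question to put to a vendor, or to your own team, is whether their ruleset reads like the second table: a default drop with a short, justified list of exceptions, rather than a long list of blocks on top of an open default.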

On data handling, when considering an external vendor it is necessary to establish how long your data is retained on their systems and how it is wiped when no longer needed, including from backups and replicas. Should your company decide to build its own software, policies regarding data retention and deletion should be written. If you “buy” SaaS or cloud software, what happens to your data in the event that your vendor is acquired or goes out of business, and can you export it in a usable format beforehand?

An internal tabletop exercise, and/or requesting incident response documentation from a potential vendor, is the final step when weighing the decision to purchase an existing software solution against building and maintaining a proprietary system. Do you and/or the vendor have an incident response plan in place? How, and how quickly, does the vendor notify customers in the event of a data breach? Both organizations should be conducting yearly exercises to test and improve the incident response plan.

Outsourcing or moving to the cloud can save resources and allow organizations to scale smoothly, but the decision on what to move and when needs to be considered carefully. If we can predict anything, it is that security regulations and requirements will continue to grow and organizations need to be informed when adding an external resource to their information system architecture.


¹ Morgan, S. (2018). Top 5 Cybersecurity Facts, Figures and Statistics for 2018.

² Center for Internet Security. CIS Controls.