Buy, build—or a better option?
Many cybersecurity teams struggle with a common question: Do we buy security tools and infrastructure from a vendor, or build what we need in-house?
How cybersecurity can move beyond an old dilemma
Many cybersecurity teams struggle with a common question: Do we buy security tools and infrastructure from a vendor, or build what we need in-house? But what’s often overlooked is that this issue has already been solved in many other areas of general tech—with our industry lagging behind.
The buy–build conundrum in cybersecurity
Security practitioners need high-quality tooling and infrastructure. Until now, there have only been two real ways to meet this need—each with advantages and disadvantages.
Organizations that buy security solutions get:
Robust, proven technologies (+)
Less development and maintenance work (+)
Scalable solutions and workflows (+)
But they must contend with:
Hard-to-customize solutions, making tailored implementations difficult (-)
Black-box tools whose internals cannot be inspected, so their behaviour must be taken on trust rather than verified (-)
Increased costs and vendor lock-in (-)
In short, though the quality of purchased solutions is generally sound, this route carries serious operational and business risks. Lack of control over the stack places limitations on an organization’s security operations and internal workflows. And over time, the total cost of ownership (TCO) of vendor-supplied tools can become excessive. For managed security service providers and startups, infrastructure costs may even threaten profitability.
For this reason, many security teams opt to build some capabilities internally (whether that means assembling what they need from open-source components or writing custom solutions themselves).
This approach offers undeniable benefits:
Full control of and ownership over mission-critical solutions (+)
The ability to customize stack, operations, and workflows for optimal security outcomes (+)
Cost savings and access to capabilities that might otherwise be unobtainable (+)
But the trade-offs here can be significant:
Skilled team members must spend substantial time and effort on building solutions (-)
The hidden, long-term cost of ongoing infrastructure maintenance (-)
Increased complexity in the stack and problems integrating with other tools (-)
Thus, while the savings and control are attractive at first, this approach carries other kinds of costs over time. Teams overwhelmed by the challenges of maintaining in-house tools may lose focus on security operations. Managed security service providers frequently encounter problems when they try to scale a business built on a DIY stack.
Often, there is no clear right answer to the buy or build dilemma, and security leaders may feel forced to pick the “least bad” alternative. And that’s why it’s time for a better option.
The public cloud for cybersecurity
The irony of our situation is that these problems have already been solved in other areas of technology. For example, consider the case of a large retail pharmacy chain looking to deploy a prescription provisioning and point-of-sale system. In the past, they would either have had to conduct an extensive search to identify a vendor with an ideal solution, or hunt for an open-source stack to meet their needs. But today, they would simply assemble the required compute, storage, queueing, databases, and so on from public-cloud components offered by AWS, Microsoft Azure, Google Cloud Platform, or another provider.
We take this for granted these days. The public cloud model has been so successful that some of the problems that used to face engineering, development, and IT groups now seem almost quaint. For our colleagues in other technical fields, there’s no longer a need to buy certain solutions outright, or build them independently, because core IT capabilities already exist on demand—ready and waiting to be consumed, with pricing based on usage.
LimaCharlie’s basic premise is that this is exactly what’s missing in cybersecurity. The SecOps Cloud Platform (SCP) is our vision for the future of the industry.
The meaning of “core capabilities on demand”
To be clear, when we talk about access to core cybersecurity capabilities, we’re not implying that there is a one-size-fits-all solution that can meet all needs, or suggesting a rip-and-replace approach to security infrastructure.
We’re making a far more modest claim: Namely, that the foundational capabilities required to secure and monitor any organization are now well-understood enough to be delivered via a public cloud. This would include things like deploying bi-directional endpoint capabilities through a multiplatform agent; alerting and correlating log telemetry regardless of source; automating real-time analysis and response in any environment; observing, transforming, and routing telemetry data regardless of source or destination; and more.
Note that these are not esoteric capabilities. In 2024, they’re simply table stakes for modern SecOps. There’s no need for teams to reinvent the wheel by attempting to develop them independently. Nor is there any reason to rely on legacy vendors when these capabilities are available as mature, integrated, cloud-native primitives—on-demand, API-first, and pay-per-use.
Benefits of the SecOps Cloud Platform
When foundational security capabilities are made available through a SecOps Cloud Platform, tremendous benefits emerge:
Teams can assemble the stack they need, customize it as much as they want, and manage everything from a single, scalable, well-integrated platform—without getting bogged down in development work and infrastructure maintenance.
Organizations of every size, from large enterprises to managed security service providers and startups, can eliminate tool sprawl, free themselves from vendor lock-in, and reduce costs.
Pay-per-use pricing makes it possible to scale usage up or down as needed. There are no mandatory long-term contracts, fixed minimums, or capacity planning as there are with traditional vendors.
Modular, on-demand capabilities allow organizations to use only those elements of the platform that they truly need (or that they are currently ready for). The SCP can be adapted and integrated into a team’s operations safely and gradually.
MSSPs and MDR providers are able to work with mature tools that they control, rather than relying on vendors who are also their competitors.
Security teams in every kind of organization can focus on their true mission: improving security operations and delivering better security outcomes for stakeholders.
The future of our industry
We believe that cybersecurity practitioners will one day join their peers in IT and reap the benefits of the public cloud model. This is still an idealistic vision—but one that’s gaining momentum with each passing year.