The Build vs Buy Decision

Authorization of user access to data and applications is more important than ever – and enterprises are looking to solve this in the best way possible. That includes weighing a “Do It Yourself” in-house scenario vs. outsourcing to a qualified vendor.

When making a Build vs Buy decision for IAM and dynamic authorization, you must take into account the hidden costs of DIY, including: human costs, costs of risk, cost of technical debt, competitive losses, and opportunity costs.

Human Costs: Building and Maintaining Effective Authorization Takes Specialized Expertise

Building your own policy decision engine and writing policies on your own takes a great deal of time and resources to successfully complete. Ask of yourself and your development team: “Do I currently possess the resources and expertise to make the software better, or equally as good, than those solutions currently available?”

According to, the average annual base pay for a Software Engineer is $104,463, and the average annual salary for a Senior Security Engineer is around $165,732.

Cost of Risk: Mistakes Are Expensive

The average cost of a data breach, according to Ponemon Institute, is $3.6M (1). Organizations without a mature approach to identity and access management see 2x more breaches and $5M more per breach in costs than those that do IAM correctly. (2)

Likelihood of Making a Mistake

If your core competency is not security development, it is very easy to leave out key features when building on your own. Broken access control is one of the Top 10 security mistakes developers make. (3)

In addition, many of the open source components that DIY builds depend on are highly insecure: 67% of applications using open source components have vulnerabilities in those components. (4)

The modern software ecosystem has created a level of complexity that is increasingly hard to manage, and partnering with a security technology expert can help your organization keep pace with development without sacrificing security.

Cost of Technical Debt: DIY Authorization Won’t Scale With You

The cost of hard-coding security rules into APIs or microservices of applications translates into higher technical debt for two big reasons:

  1. Higher code complexity
  2. Pace of policy changes (every policy change means changing the code itself)

Higher technical debt inevitably leads to higher cost of maintenance. This could be a huge iceberg waiting to sink the project.
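To make the two reasons above concrete, here is an added example that is not part of the original post or any vendor's product: the same three access rules written once as checks hard-coded into a service handler, and once as data evaluated by a small attribute-based policy decision point (PDP). The users, records, rule shape and the `eq`/`eq_attr`/`in` operators are all constructed for illustration. A later policy change ("restricted records are admin-only") is applied to the data-driven version without touching the evaluator, which is exactly the maintenance cost the hard-coded version cannot avoid.

```python
"""Added example (not from the original post): hard-coded authorization
checks versus the same rules externalized as data for a tiny PDP.
All users, records, rules and operators here are constructed."""
from typing import Any, Dict, List, Tuple

# ---- "Before": rules hard-coded into the service handler -------------------
def can_view_hardcoded(user: Dict[str, Any], record: Dict[str, Any]) -> bool:
    """Any new role, department or sensitivity rule means editing and
    redeploying this function (and every other handler that copies it)."""
    if user.get("role") == "admin":
        return True
    if user.get("role") == "clinician" and user.get("department") == record.get("department"):
        return True
    return user.get("id") == record.get("owner_id")

# ---- "After": the same rules expressed as data -----------------------------
Condition = Tuple[str, str, Any]          # (attribute path, operator, operand)
Rule = Dict[str, Any]

BASE_RULES: List[Rule] = [
    {"effect": "permit", "action": "view",
     "when": [("subject.role", "eq", "admin")]},
    {"effect": "permit", "action": "view",
     "when": [("subject.role", "eq", "clinician"),
              ("subject.department", "eq_attr", "resource.department")]},
    {"effect": "permit", "action": "view",
     "when": [("subject.id", "eq_attr", "resource.owner_id")]},
]

# A later policy change ("restricted records are admin-only") is a data edit;
# decide() below is unchanged and nothing has to be redeployed.
RESTRICTED_RULES: List[Rule] = BASE_RULES + [
    {"effect": "deny", "action": "view",
     "when": [("resource.sensitivity", "eq", "restricted"),
              ("subject.role", "in", ["clinician", "patient"])]},
]

def _lookup(ctx: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'subject.role'; None if any part is missing."""
    cur: Any = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _holds(ctx: Dict[str, Any], cond: Condition) -> bool:
    """A missing attribute never satisfies a condition (fail closed)."""
    path, op, operand = cond
    left = _lookup(ctx, path)
    if left is None:
        return False
    if op == "eq":
        return left == operand
    if op == "eq_attr":                   # compare with another request attribute
        right = _lookup(ctx, operand)
        return right is not None and left == right
    if op == "in":
        return left in operand
    raise ValueError(f"unknown operator {op!r}")

def decide(rules: List[Rule], ctx: Dict[str, Any]) -> bool:
    """Default deny; one matching deny rule overrides any number of permits."""
    permitted = False
    for rule in rules:
        if rule["action"] != ctx["action"]:
            continue
        if all(_holds(ctx, c) for c in rule["when"]):
            if rule["effect"] == "deny":
                return False
            permitted = True
    return permitted

def build_context(subject: Dict[str, Any], action: str, resource: Dict[str, Any]) -> Dict[str, Any]:
    return {"subject": subject, "action": action, "resource": resource}

# Constructed sample data.
ADMIN = {"id": "u1", "role": "admin", "department": "cardiology"}
CLINICIAN = {"id": "u2", "role": "clinician", "department": "oncology"}
PATIENT = {"id": "u3", "role": "patient"}
RECORD = {"id": "r9", "owner_id": "u3", "department": "cardiology",
          "sensitivity": "restricted"}

def agrees_with_hardcoded(user: Dict[str, Any], record: Dict[str, Any]) -> bool:
    """Both implementations give the same answer under the base rules."""
    return can_view_hardcoded(user, record) == decide(BASE_RULES, build_context(user, "view", record))

if __name__ == "__main__":
    for who in (ADMIN, CLINICIAN, PATIENT):
        print(who["role"],
              "base:", decide(BASE_RULES, build_context(who, "view", RECORD)),
              "restricted:", decide(RESTRICTED_RULES, build_context(who, "view", RECORD)))
```

The evaluator is deliberately default-deny and deny-overrides, and a missing attribute fails closed, so a misspelled attribute name in a rule can only take access away, never grant it. The point of the example is where the change lands: adding the restricted-record rule touched `RESTRICTED_RULES` only, whereas the hard-coded handler would need a code change, a review and a redeploy for every service that carries a copy of those checks.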

According to, 90% of the software’s TCO will be hidden in the maintenance phase. (5)

Read more about the Build vs Buy decision, including opportunity and competitive costs to consider, by downloading our infographic:

(1); (2); (3); (4) Reports/USA/OSSRA17_Rpt_UL.pdf; (5)
