Physical Risk Software: Should You Build or Buy?

It’s the job of physical security to protect your most critical assets: your sites, your property, and most importantly, the lives and safety of your people.

So when it comes to physical security software, is it better to build your own platform, or invest in one that’s been developed already? Do you trust your most important data to a vendor or should you attempt to build an application yourself? In the age of Software as a Service (SaaS), this might seem like a dated question, but it’s one that we see some clients wrestle with. The security industry is understandably risk-averse, so it might seem like building your own physical security platform is a safe move.

However, it’s important to understand the risks that come along with building your own platform. This article will take a deeper look at the pros and cons of each approach.

Building your own physical security platform

Pros

Control: When you create your own software, you have full control over the development process, project timeline, and the features that are being included in the platform. Your team can customize the software to your own requirements, and integrate it with the tools you already use.

Cons

Cost: While control is a pro when it comes to building your own software, it's also a con. You have full control over the product, so when things go wrong, you own those problems. And fixing those problems can cost both time and money. In fact the entire development process is costly, and it’s not just a one-time cost; your product will need constant updates and maintenance over its entire lifecycle. You’ll need a team to maintain, secure, and refine the platform.

Time: Development is also time-consuming. It might be months before your project is complete and you’re ready to track risk with your platform. In that time, any number of incidents could happen.

Expertise: Your team might include physical risk experts, that doesn’t necessarily mean they know how a platform should be designed. Your organization needs to invest in developers who can build a database, for example, and who understand both your grand vision for the software and how to bring it to life.

Subscribing to a physical risk platform

Pros

Time: Often when organizations need to assess risk, they need to do it quickly. When you subscribe to a platform, you can typically get started with risk assessment quickly. Even if you’re working with a vendor to customize the product, implementation time is still quick compared to building a product from scratch.

Cost: Subscribing to a platform is cost-effective, especially if that software meets your requirements out of the box. You’re not just paying for the software; you’re also also paying for ongoing support from the vendor, including training, troubleshooting, constant improvements, and patching. A subscription is also more scalable than bespoke software. As your organization grows, you can simply move to another price tier.

Knowledge: When you subscribe to a platform, you’re outsourcing the development and security of an app to a team of experts, which allows you to concentrate on what you do best: physical security.

Cons

Customization: You don’t necessarily have as much control over the product as you would if you designed it yourself. However, these days, most SaaS solutions will work with you to customize a product to your organization’s unique needs.

Security controls: You do not have direct control over the vendor’s cybersecurity controls. However, this may be good news for some organizations, because the burden of complying with security regulations is shouldered by the vendor. Businesses that need advanced levels of cybersecurity controls, however, can often negotiate with the vendor.

ACAMS: A cautionary tale

In 2005, the Department of Homeland Security developed its Automated Critical Asset Management System (ACAMs). It was developed to be a secure web-based inventory of critical assets, so that organizations could better understand their risk. Millions of dollars were spent developing the system, and barely anyone used it. At the time, there were other products on the market that could have done the same thing while saving the federal government time and money. Eventually ACAMS was shut down in 2014.

When deciding whether to build or buy, it’s important that your team takes a long hard look at your needs, your budget, what’s available on the market, and whether you truly need to develop your own application.

Want to learn more? Subscribe to the Circadian Risk newsletter to get more news about physical security and risk.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.