In order to build trust and meet compliance standards, it’s essential for financial services firms to protect and secure sensitive data. But it’s not always simple to implement a security solution. When deciding whether to build or buy cloud security, some companies may choose to buy an off-the-shelf security option, while others may custom build a solution. The decision isn’t always straightforward and can depend on your industry, your organization’s needs, and other factors.
On a recent webinar with Salesforce and FairWarning, Stuart Tainsky, Senior VP of Administration at the PURE Group of Insurance Companies, revealed the build vs. buy decision he faced at PURE, and what they ultimately chose (and why).
PURE, an insurance carrier for high net-worth clients, requires sensitive data from their members, which is stored in Salesforce. They needed an additional solution beyond what Salesforce provided to give them better visibility into what was happening with that data on a regular basis, along with any anomalies.
To help you put Tainsky’s advice into action, here are five key takeaways from the webinar related to choosing a Salesforce cloud security solution and gaining visibility into your Salesforce environment.
1. Determine your organization’s security needs
Many organizations use Salesforce and other cloud applications to manage data, but their specific needs for security solutions may vary, even if slightly. The first thing to consider when facing the build vs buy question is what your organization needs from a security solution. What are the factors you absolutely must have? For example, is your top priority added visibility into user activity like exports and reports? Are you focused on detecting and putting a stop to leaked data? Do you need to keep track of unusual login activity?
PURE knew they needed strong security to protect the large amounts of sensitive data they were putting into Salesforce. In addition to boosting security, they also needed better insights into their system given how many users were interacting with sensitive data. This type of visibility would help them do the right thing for their customers, who entrust PURE with their insured assets. When determining their specific needs, then, PURE prioritized tools that could give them a better understanding of data leakage; unauthorized access or access outside their network or country; and, overall, a better sense of what was going on in Salesforce. With this information, they were able to better evaluate whether building was necessary, or if buying a solution could provide them with the necessary capabilities.
2. Consider ALL the costs (even the unexpected ones) of building vs. buying
There may be unexpected costs associated with building or buying a cloud security solution, depending on your organization’s requirements. Tainksy said that, when building, you need to not only account for development expenses, but also ongoing maintenance expenses, overall opportunity costs, and more – all of which contribute to the total cost of ownership (TCO).
For PURE, it was not only less expensive in the long term to buy a solution off-the-shelf, but it was faster and less disruptive to their team. From Tainsky’s perspective, the most significant ROI was speed to value; after comparing that with the opportunity cost, they found a clear winner in buying a solution. Buying a solution was simply faster, easier, and in the long run, would cost a lot less than building their own solution for Salesforce user activity monitoring.
If you’re concerned about missing out on the unique features of a highly customized solution, Tainsky observed that, unless you’re in a niche industry in which no one else does what you do, there’s likely already a security solution that can take you 90 percent of the way. And when you factor that in with the ROI of buying vs. building, it’s often clear: Buy and you’ll receive most of the features you’re looking for with less time and expense required.
3. No one cloud solution can do it all…
Tainsky noted that, while there you can buy many solutions that provide 90 percent of what you need, no one solution can do everything.
“With any security tool that you put in place […], it’s never going to tell you the full story,” he said. “But it gives you an understanding of partial points in the story that you’re able to combine with other activities.”
Security tools may not tell you exactly who is hacking into your data and when, but they can provide information that allows you to make educated decisions and have conversations with people about usage anomalies in cloud applications like Salesforce.
When it comes to building vs. buying, Tainsky noted that no matter the industry, most organizations have the same general needs for protecting and securing their sensitive data. PURE’s specialty isn’t data security — it’s insuring members. So their policy is to outsource and find excellent service providers who know the environment well in order to commoditize the technology they need. In the end, PURE was able to buy a solution while focusing their efforts on what they know best.
When evaluating vendors, Tainsky believes that no one vendor can do it all. Among the existing options, there is likely to be some overlap in technology. But that overlap can actually help boost security since it’s possible that not every vendor will catch every single event.
4. …But many software solutions can work together
Focusing on Salesforce and the existing options for cloud security and data protection, Tainsky observed that many organizations rely on multiple cloud-based solutions, leveraging the security knowledge and frameworks from a larger company’s environment. It’s not necessary to reinvent the wheel when you can adapt what other organizations have already created. It’s often a better choice, then, to use multiple solutions and tweak them to your organization’s exact needs rather than attempting to develop and build something that “does it all” from the ground up.
When asked about Salesforce Shield Event Monitoring’s native Einstein Analytics app, Salesforce Director of Product Management, Event Monitoring, Amanda Grady noted that, while Einstein Analytics can provide added visibility into a Salesforce org, it’s geared toward users who have experience building their own dashboards and trend lines. Other user activity monitoring solutions are better for acquiring simple, easy-to-read reports that identify anomalies in user activity and other security concerns.
5. Salesforce Event Monitoring 2.0 is coming
Grady spoke in-depth about the future of Salesforce Event Monitoring and what users of the cloud security tool can expect in 2019 and beyond. You can expect the pilot of real-time events, new EventLogFile additions, and transaction security UX enhancements in Spring 2019. Later, in the summer, the beta for real-time events will roll out along with Lightning URI events (real-time) and Apex support in transaction security 2.0. Finally, in winter and beyond, Salesforce plans to release real-time events in a generally available format, performance events in real time, and native reporting.