Buy v. Build: Advice from a CTO

Driving rapid innovation and doing it efficiently, without risking security or impacting our user experience, has always been a key priority for me.

In my 20+ years of experience leading teams of engineers in transforming and scaling tech for global user bases, from driving global expansion of products to scaling systems from 0 to 100 million monthly users, I have had to make many build vs. buy decisions. And my learning from past experience has been that when growing fast and scaling, the more my resources are focussed on our core business, the faster we can move. We can always bring an external piece of technology in-house once we have a strong business setup.

Before joining Okta, I had to make the build vs. buy decision for login solutions a few times. The first time, I made the mistake of going DIY, and never again.

Let me explain why. 

Great expectations 

Authentication starts simple. We need a login box: how hard could it be?

When you first start, it may seem simple to build your own and use open source. But right out of the gate, as you move to live traffic, you are hit with fraud and fake-account issues, and your teams are busy building solutions to them.

On average, over 23% of all sign-ups are fraudulent, and certain industries see higher rates than that. Credential stuffing attacks account for 34% of overall traffic and authorization events. Capabilities like bot detection help significantly, but to build them right your teams will need complex machine learning models and rich data. False positives in abuse detection punish real customers with unneeded friction. Is the system you’re building sophisticated enough to introduce friction only for fraudulent attempts?

Another source of fraud to consider is the use of breached passwords. Can your engineers build a solution that protects legitimate users from their own exposed credentials? After a breach of a third party, can you deliver a fast system response that bolsters the security of your users’ accounts? 

In many cases, the answer to these questions and more is…yes! You hired brilliant engineers. You believe in your team. If you ask them to, with enough time and resources, they can probably build it.

For me, it took one senior architect and an engineer three quarters to build an early solution. Could I have added more engineers to the project to get it out sooner? Maybe. But I did not have unlimited senior engineers to pull away from other projects. 

Unless you have a dedicated identity team, you’re probably taking engineers from other projects to build these systems. This can be especially critical in our current economic climate, where engineering productivity is a top priority. While your customers are asking for richer features in your core offering, your best engineers are busy solving these tough identity problems. This also means they are not contributing to your company's growth.

Building is only the first step

After building comes maintenance, scaling, and constant improvement. If your experience is anything like mine, then this is where you start to discover just how critical the build versus buy decision really is. Your choice can help your team be more productive or bring them to an absolute halt with busywork.

Pretty soon, as you add more capabilities, it starts to get complex as you scale for millions of users and become enterprise-ready for your customers. You realize that building, maintaining, and of course scaling your customer identity solution has become a full-time job for you and your developers. You end up spending valuable developer time on identity and not your core business while opening yourself up to compliance, availability, and security risks.

At Okta, we surveyed around 350 engineering organizations to understand which applications carry the most overhead and have the most impact on productivity when built in-house. It gave us a look into which applications took the most heavy lifting and how engineers saw their commitment to build and maintain them. Authentication was the second most time- and work-intensive application, just behind payment processing, another highly complex problem that, for most companies, isn’t part of their core product.

And just like payment processing solutions, authentication is a solved problem.  

Authentication is a solved problem 

As the industry and customers come to understand the identity space and its challenges, identity is becoming a top-of-mind, strategic part of their road map.

So we return to that original goal: innovation without compromise. 

We know that keeping up with market trends is key to your business. It’s the key to ours, too. It is how we all drive growth. In my first build versus buy journey, I found myself compromising to attain the experience I wanted for our customers. Whether it was in overall developer hours or pulling attention away from core applications, there was always another hard choice to make. 

Your end users have endless online options. To stay competitive, many companies are rolling out new mobile apps, community platforms, ecommerce enhancements, omni-channel applications, and more. With the increasing volume of applications and services that companies now provide, customers need secure, speedy access to an ever-growing number of digital platforms. Identity is a living, changing field, and your business may not have the dedicated resources to design and maintain an in-house solution without risking lost revenue, missed deadlines, security and compliance breaches, and lost customer trust.

At Okta, we’re always developing new features and capabilities to make your business better, safer, and more efficient. To help drive developer productivity, we have added more capabilities to our Organizations feature that we launched last year, now with the ability to independently customize individual organizations with specific Single Sign-On federation needs or branded login experiences. In Q4, we added a new private cloud tier to support 360,000 requests per minute, almost four times more than the maximum we previously provided. We also launched Okta Workforce Enterprise Connections, a direct option under enterprise connections to enable Customer Identity Cloud customers to integrate with Okta Tenant as their identity provider with full dashboard and visualizations, no longer requiring you to add a SAML or an OIDC connection first.

Our customers have been finding great success with our rollouts. Bluetooth Special Interest Group (SIG) was able to implement their identity solution end-to-end in just a few days, where it would have taken many months with their in-house setup. Arduino eliminated their identity update and maintenance resource drain while increasing conversions by 20% month-over-month.

We are proud to be a strong identity partner for our customers, giving them an out-of-the-box, frictionless, secure, and highly extensible platform for both our customer applications and SaaS applications. We actively build a secure-by-design culture and have put security at the heart of everything we build. We focus on security throughout product development, making it part of our delivery DNA. Our global security and engineering teams monitor activity and infrastructure 24/7, 365 days a year.

Getting Customer Identity right is hard, particularly when you’re reinventing it from scratch. Identity is our core product, and we want to help you deliver your innovative business using our innovative identity and authentication solutions, without compromise.

Deciding whether or not to build or buy? Dig deeper with this whitepaper or reach out to one of our CIC experts.
