Facepalm Files: Why buy when we can build? (Spoiler: We couldn’t)

Date: September 25, 2025 Reading time: 4 minutes

The setup

Back in those golden years between the 2000s and the 2010s, I was working at a healthcare management company that acquired ambulatory surgery centers and hospitals. We needed a scalable identity and access management (IAM) solution to manage identities and access across 160+ medical facilities in 20+ states. Our existing AD-based solution wasn't cutting it with the growing number of disparate systems and network domains. We even started vetting off-the-shelf IAM solutions, SailPoint among them. Then, a new CISO, "Louis," arrived with a grand vision. He had a development team that built security solutions in the past and confidently declared, "Why buy an IAM solution when we can build our own?" I had a bad feeling about it, but what did I know?

The facepalm moment

Louis' team was used to building point solutions like virtual desktop management and application whitelisting. Building an organization-wide IAM program, however, is a whole different beast, demanding a much broader understanding of the organization. I presented our requirements, emphasizing that this would be the largest, most invasive IT project we'd ever undertaken. I detailed the integrations, the compliance needs, and the sheer scale of users and systems involved. Louis just laughed and said, "I don't buy it." We spent the next 10-12 months working with his team, fleshing out requirements and reviewing their proposed designs. We had meeting after meeting, going over the same ground repeatedly. A year later, we had nothing to show for it. The project was at a complete standstill, and the existing solution was costing the company money. The clinical staff was impacted by the lack of a satisfactory solution and the inability to access the systems they needed in a timely manner. It was a mess. The worst part was the growing realization that we were reinventing the wheel, and poorly I might add, when perfectly good solutions already existed.

What happened next

I decided to create a Business Value Assessment. I summarized the effort to date, estimated the hours wasted by everyone involved, and recapped the shortcomings of our current solution, including lost productivity and licensing costs. The assessment showed that our failed attempt to build an IAM solution had already cost the company almost twice the year-one estimate from SailPoint! I thought I'd made my point crystal clear, but Louis was unwilling to admit defeat.

Frustrated and seeing no progress, I left the organization less than a year later. As the story goes, Louis was asked to resign shortly after my departure. And in a final twist of irony, the company decided to purchase an off-the-shelf IAM solution less than six months after Louis left.

The lesson

The whole debacle taught me a valuable lesson about IT solution implementation and Total Cost of Ownership (TCO). We should have gone with a pre-built solution from the start. Louis should have listened to the team's concerns and recognized the complexity of a full-scale IAM implementation. Organizations need to consider the big picture, including the long-term maintenance, support, and scalability costs associated with building a custom solution. They should avoid the trap of thinking they can always build everything themselves, especially when mature, feature-rich solutions are readily available. Sometimes, buying is not only the smarter choice-it's often the only viable one. Doing our research and going with SailPoint in the first place would have saved a lot of time, money, and frustration. It would have also avoided the disruption to our clinical staff and the wasted effort of Louis' development team. Don't underestimate the complexity of IAM, the importance of industry best practices, or the value of a solution that's been proven in countless other organizations.

The "build vs. buy" decision isn't just about initial cost; it's about long-term value and strategic alignment.

Moral of the story: Just because you can build it, doesn't mean you should.

That's it for another round of Facepalm Files. Looking for more insights? The Modern Identity Security for Dummies, SailPoint Special Edition guide is your ticket to success. Download today.