Buy or build software? Firms need to look at control, reversibility and risk

SHOULD you buy software or build it? I have lost count of how often I have been asked this question in procurement reviews and leadership offsites.

For most of my career, the answer rested on efficiency, cost and relevance. If a vendor could do it faster and cheaper, and the capability was not core to your organisation, you bought the software. If it was tightly bound to your mission, you built it. The framework was clean and rational, and for many years it worked.

I no longer think it is enough.

The question still includes cost and relevance, but it now also includes control, reversibility and risk. Who sets the terms of the dependency, and who can change them after you commit?

Can you leave if you need to, or has the exit become so expensive that you are effectively locked in? Something else changed too, and few noticed.

Software used to be a support function. Today, for most organisations, the software is the operating model. It encodes how you serve customers, comply with regulations and deliver services. When technology was peripheral, a bad vendor bet was a procurement headache. Now it can be an operational crisis.

I watched the old model take hold from the inside. In the late 1990s I was at the National Computer Board (NCB) in Singapore, helping to computerise the civil service. We built and operated things.

But the prevailing winds favoured a different philosophy, that the state should set direction and let the market deliver, and the NCB was reborn as the Infocomm Development Authority, a regulator and promoter rather than a builder. Singapore was not unusual. Everywhere, companies and governments learnt to see externalisation as progress.

Offshoring had outsourced work. Cloud and software as a service (SaaS) then outsourced systems. By 2023, the average large enterprise ran more than 470 SaaS applications, and the default answer to any tooling question became just subscribe to something. That was the right call most of the time.

SEE ALSO

Taiwanese brothers amass US$1 billion from boom in display chips

AI capex cycle drives institutional inflows and gains for Singapore’s listed tech manufacturers

Info-Tech Systems wants to leverage customers’ overseas expansion for future growth

Unstated assumptions

But the model carried unstated assumptions. Vendors would stay roughly as they were, licensing would remain predictable, and switching costs would be manageable. Those assumptions held for a surprisingly long time, until they did not.

Artificial intelligence is half of what changed. It has not made every company capable of recreating Salesforce from scratch. However, it has lowered the cost of the last mile, the internal tools, workflow engines and integration layers that used to need a dedicated squad and a year or more.

When I interviewed engineers and data scientists across my teams at GovTech Singapore, the numbers were hard to believe. One engineer built an Android app and an autonomous AI agent in two weeks, work that would once have taken two to three engineers a quarter.

Two data scientists, including one with no Web development experience, delivered more than 30 full-stack showcases in four person-months. Five years ago, I would have smiled politely at these numbers and changed the subject. Now I am building this way myself.

When building gets an order of cheaper magnitude, entire categories of software shift from “obviously buy” to “worth evaluating”. Companies are acting on this. Klarna read the maths and dropped Salesforce and Workday. 37signals left Amazon Web Services for its own servers, projecting savings of more than US$10 million across five years.

The other half is that dependence got more expensive. After Broadcom acquired VMware, European cloud providers reported price increases of 800 per cent to 1,500 per cent. That is not a typo.

Oracle now licenses Java by total headcount, charging for every employee whether or not they have ever touched the language. Microsoft is raising prices across its 365 portfolio, and it surely knows most customers will absorb the increase because switching costs more.

When a critical operating layer sits with a concentrated supplier, the terms can change faster than you can respond. Buying starts to look less like a procurement decision and more like an option contract written by the vendor.

Dependence can also be weaponised. When Western vendors withdrew from Russia in 2022, the software running its banks and airlines went with them. In 2025, the US briefly turned chip design software into an export control lever against China.

Most striking of all is the International Criminal Court. Its chief prosecutor found himself locked out of his Microsoft e-mail after US sanctions, and the court is now migrating 1,800 workstations to open-source infrastructure under European jurisdiction. That is what weaponised dependence looks like. It is not an abstract risk in a policy paper, but a prosecutor who cannot read his e-mail.

Governments feel this differently from companies. A firm can absorb a bad dependency as a margin problem.

When the software handles citizen identity, welfare payments or tax collection, a vendor changing terms is a continuity problem. Once services are delivered digitally, technology operations are no longer separable from policy. The software is how the policy is expressed.

The response is not to build everything. It is optionality. Buy the commodity layers where scale economics are real and build the thin layer that encodes how you actually operate. Use open standards, open source and portability rights so that even when you buy, you preserve the ability to leave.

For governments, own the platform, the data and the interfaces, and let vendors compete on top. Singpass, one of the teams I run, works this way.

The government owns the identity layer, the consent framework and the application programming interface standards, while banks, agencies and companies build services above it. If any provider leaves, the platform remains. The government is no longer a tenant. It is the landlord.

The 1990s taught us to outsource work. Cloud and SaaS taught us to outsource systems.

AI may now push us to reclaim selected capabilities, not because vendors have become useless but because building has become more feasible while dependence has become more consequential. What changed is not only that software became easier to build. It is that dependence became harder to ignore.

The writer is the chief technology officer and deputy chief executive at GovTech Singapore