Calculating PKI Return on Investment – Why Is It So Difficult?

Companies invest millions of dollars in public key infrastructure (PKI) products and services, yet demonstrating a return on that investment can prove difficult.

As a result, PKI projects are often stuck in the prototype phase, unable to break out into the mainstream. Despite offering a compelling value proposition by providing a trusted environment to authenticate users, validate transactions, and accelerate the use and deployment of e-commerce, PKI seems forever destined to be next year's technology.

Or does it? One of the reasons PKI benefits are so difficult to quantify is the technology's universal applicability. PKI adoption suffers because of its utility. Companies who successfully deploy PKI now face the challenging, yet enviable task of deciding where to apply it next. Companies who have not embarked on a pilot are waiting for positive feedback to help them decide where best to apply it in order to receive maximum benefit. Companies who have not been successful in pilot phase are understandably reluctant to move into production or consider another pilot, even if there is a better fit for the technology in their business.

The best applications for piloting PKI are those that can show an immediate return for a critical business function, such as automating identification and authentication for a trading portal or back office application. Regardless of whether or not you have piloted PKI before, it is worth taking the time to review how PKI technology will impact your business.

Key points to consider when conducting a PKI pilot:

Determine the key business drivers. What are the important factors affecting the business that the pilot must address? Remember that business drivers can be either 'hard' or 'soft.' Hard business drivers are usually quantified in terms of revenue, cost, market share or some other readily quantifiable metric. Soft business drivers are harder to quantify but no less important. They can be expressed in terms of customer satisfaction, employee turnover, health and well-being, or community involvement, for example.

Define the success criteria in advance. What is it that I want to achieve? How will I know when I have (or have not) accomplished the goals set out in the pilot? Specific goals can include reducing cost and implementation time, improving customer satisfaction, or reducing help desk calls. Try to be as specific and as quantifiable as possible. Success criteria like "the pilot will reduce help desk support calls by 50 percent and second and third level support involvement by 80 percent" are much easier to sell (and evaluate) than "the pilot will improve our competitiveness."

Identify the key players. Get their involvement in advance. Ask who will be affected by the introduction of PKI. Oftentimes the people most impacted are not the most obvious, like second and third tier support. Getting the key influencers on board early is the best recipe for success.

Scope out the possible return areas for PKI in advance. RSA has determined that there are four possible benefit areas for PKI: cost, risk, compliance and revenue. Cost covers both the direct and indirect cost benefits associated with adopting PKI. Risk is the increase in uncertainty and the possible negative impact of not adopting PKI. Compliance is the benefit of meeting real and de facto standards in a particular application, or the avoided cost of non-compliance. In certain sectors like financial services, health care and government, the cost of non-compliance may be quite substantial. Revenue is the direct and indirect effect on the revenue stream of an organization. Again, try to be specific and attach numbers to your returns. Another excellent resource for reviewing possible PKI return areas is PKI: A Wiley Tech Brief by Tom Austin.

These classes of benefits make intuitive sense. However, there may be other classes of benefits that are specific to your organization that are not covered by one of these categories. Investigate and estimate what the return benefits to the project will be before investing in the project. Such benefits might include increased compliance with internal or external regulations, improved employee productivity, or the ability to redirect critical IT resources toward more strategic projects.

Track the returns as well as the costs during the course of the project, keeping an eye out for unanticipated benefits. Then, once the pilot is complete, you will have the costs and benefits already documented and ready to present to senior management along with your findings. One of our clients found an unexpected return in reduced help desk support calls, for example.

Decide what the success factors will be in advance as well. There are many ways to measure the success of a project, financial as well as non-financial. Oftentimes corporations have 'hurdle rates' that a project must clear before it can move into the next phase (i.e., from pilot into production). If everyone can agree on what defines a successful project ahead of time, there will be less confusion after the fact.

The Future of PKI

Suppliers of public key infrastructure technology must adapt to the new economic realities of the post-dot-com era in order to survive. PKI vendors that previously staked their entire business on the future of PKI are now struggling to incorporate the technology into applications that solve real business problems, such as identification, authentication and non-repudiation. RCL & Associates believes that it's time to put the 'I' back into PKI.

For enterprise customers, the best applications of PKI are those that reduce operating costs, open up new markets, or increase customer satisfaction. Adoption will accelerate only when the business benefits outweigh the cost and time of adoption. Ultimately the end-users will decide whether or not the investment is worthwhile. The best-sounding projects on paper can fail miserably in field trials if the adoption issues are not thought through. Rather than trying to force-fit an adoption that will inevitably meet with resistance, it is better to work the human issues at the same time.

Robert Lonadier ([email protected]) is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security.
