The direct costs are pretty straightforward. You need to buy software and you need to deploy it. Consider the cost of the software and be sure to include ongoing maintenance, since that won't be free in future years. Then there are direct deployment costs. Will an IT staff member be needed to install the software, or is there a software distribution engine that will take care of it?
Also factor in some training costs, because users need to understand what's been installed on their machines and how to use it. Relative to whole-disk encryption, also make sure users understand what to do if they lose their password. You don't want to get a call at 3:00 a.m. as your CEO is in a foreign land and has locked himself out of the machine.
Where it gets a bit squishy is in estimating the indirect costs like additional help desk resources because users forget their passwords and cannot access their machines. Or someone hits the wrong switch and blows away all his or her data. These things and more are going to happen, so make some estimates and then monitor the data closely as the products are rolled out.
Keep the cost model close at hand because it will be changing as you go through the pilot and early implementations.
For more information:
This was first published in November 2007