Public-Key Infrastructure (PKI) provides critical enabling technologies -- such as authentication, data privacy, data integrity and digital signatures -- for new classes of e-business applications. In the current economy, however, organizations require not only a technology case but also a strong business case for their investment in PKI. In other words, what is the return on investment (ROI) for PKI?
This is not always an easy question to answer. PKI is a security infrastructure, after all, and the ROI for infrastructure of any kind can be difficult to quantify. Some companies don't try, and have implemented based more or less on a leap of faith. At some point, however, we can observe that ROI for infrastructure often becomes unnecessary to quantify, because the capabilities it enables are both mission-critical and well understood. For example, when is the last time any large business required an ROI analysis to decide whether or not to invest in enabling infrastructure such as telephones, facsimile machines or e-mail? ROI for PKI is presently viewed as somewhere between too difficult and not necessary, between a leap of faith and a matter of course.
How much does PKI really cost? To develop a meaningful total cost of ownership (TCO) for PKI, consider all relevant costs in the following high-level categories:
Process

Cost estimates should be captured for a reasonable period of time, typically three-to-five years. In considering the TCO framework, however, here are three obvious, but important, caveats:
Use incremental analysis. TCO calculations should include only those investments that are incremental to those that have already been made.
Use the line-item veto. PKI is a sophisticated technology with many available options, and obviously not all options are required for every business process. If a particular cost element doesn't apply to your business environment, don't include it.
Keep cost in perspective. TCO is a perfectly appropriate metric for PKI ROI calculations, but cost is certainly not the sole criterion for selecting a PKI vendor. Other important vendor selection criteria include product functionality, technical architecture, strategic vision, financial strength, reputation and trustworthiness, service and support. You should also remember that people with hands-on experience in PKI implementation are generally available -- if not you, then someone in your organization, a trusted e-security supplier or a respected professional services organization. Get them involved.

Financial returns
What financial returns does PKI really provide? To develop meaningful financial returns for PKI-enabled applications, focus first on the business process, then establish appropriate metrics, and then look for all relevant returns in the following high-level categories:
Mitigated risks

In considering this framework, the following simple, step-by-step approach should be kept in mind:
Focus on the business process. Infrastructure in the absence of a specific business process returns nothing. Moreover, returns from PKI are generally difficult to separate from the returns from the business processes themselves. The primary focus -- once it has been determined that the security capabilities provided by PKI are important business requirements -- should therefore be on the financial returns from the successful implementation of a particular (PKI-enabled) business process. This approach also accommodates the reality that financial returns are typically application-specific, company-specific, industry-specific and so on.
Establish appropriate metrics. With a proper focus on security-enabled business process, the next step is to establish the appropriate metrics for determining potential financial returns. The metrics chosen will logically be a function of not only the particular business process under analysis (i.e., Is it an internal process? A customer-facing process? A partner-facing process?), but also the specific business objectives we have in mind (i.e., Are we aiming to increase revenues? Lower costs? Increase compliance? Mitigate risks?).
Establish a baseline for the current state. Having established an appropriate set of metrics, the next step is to use them to establish a baseline for the business process under analysis, based on the way things are today. This is the "business as usual" scenario.
Compare to the desired future state. The same metrics can then be used to compute the financial impact of implementing a new or improved business process that meets the specific business objectives we have in mind. This is the "business as a result of" scenario, i.e., the desired future state that will result from the successful implementation of a new or improved PKI-enabled business process.

If this straightforward approach sounds familiar, it should come as no surprise -- it's a time-honored method for establishing value. You can observe that PKI is not uniquely complex or difficult to analyze in this regard. On the contrary, this general approach to computing financial returns for PKI-enabled applications is the same one you've already used for virtually every other significant IT investment. By properly framing the ROI discussion in the context of the key e-security enablers for a particular e-business process, we can very quickly begin to quantify financial returns using a straightforward, widely accepted approach.

About the author
Derek E. Brink is the chairman of the PKI Forum, an international, not-for-profit alliance comprising technology and service providers, integrators and end-users whose purpose is to accelerate the adoption and use of PKI and facilitate interoperability through multi-vendor testing of industry standards and educational outreach. The Director of Product Marketing at RSA Security, his work has included market and competitive analysis, strategic planning and product marketing for the company's public-key infrastructure, authentication, services and intrusion-detection offerings.