Picking a public key infrastructure (PKI) vendor can be tricky. Your choice will provide the foundation for your company’s security and, right or wrong, you’ll have to live with it for several years.

Brad Hildreth, a Gartner research director and cryptologic engineer with 15 years of experience with the National Security Agency, said the process of choosing a vendor for any large project can be costly. He said that 20 to 40 percent of the initial costs will be incurred during the decision-making process. On a $1 million acquisition, that amounts to at least $200,000.

Hildreth outlined a three-phase approach for choosing a PKI vendor:

  1. Conduct an internal needs assessment first.
  2. Analyze the vendors based on weighted criteria.
  3. Use the criteria to choose a vendor and negotiate a discount.

Information for this article was taken from a presentation made by Brad Hildreth at the Gartner “Information Security in an E-Business World” conference. TechRepublic Web editor Loraine Lawson covered the conference, which ran June 5-7. If you would like to purchase Hildreth’s complete research on choosing a PKI vendor, visit Gartner’s Web site .
Start with your needs first
It seems obvious, but many companies start at the wrong place, according to Hildreth. Instead of assessing their needs, they begin by requesting information from the vendors.

The result: A stack full of marketing materials that provide little to no insight into how the vendor will help your company.

Instead, start by assessing and prioritizing your needs, he said. This will help you rank the vendors later and combat any challenges by executives or vendors to your decision. “You can say, ‘This is the process we used. We started with the process. This is the end, [and] at the beginning of the process are our needs,’” he said. “Now you have vendors protesting an hour as opposed to months.”

Analyze the vendors
Your needs assessment will also help you when it comes time to write your Request for Proposal. Make sure you limit open-ended questions, Hildreth said.

“Keep them to a minimum because with an open-ended question, the vendor can go click, copy marketing stuff, paste, and now you’ve got to read all that stuff and try to make heads or tails out of it,” he said. “Instead, ask a yes/no question.”

Hildreth also suggested companies evaluate vendors by strategic and tactical criteria.

Tactical criteria include the vendor’s architecture, functions, and costs. Tactical requirements ask, “Will this vendor meet my needs?”

By contrast, strategic criteria examine the company’s vision, viability, trustworthiness, and services. Strategic requirements, he explained, ask the question “Do we want to partner with this vendor?”

Hildreth suggests formulating these requirements into a weighted hierarchy, allowing you to make decisions based on which criteria are most important to your company. You will also want to take the time to check references and acquire independent opinions on the vendor, he added.

Negotiation and selection
Ranking your needs and assessing vendors by those needs gives you bargaining power when you sit down to negotiate a deal.

If, for example, a company meets your top criteria but falters against another vendor in a key area, you can use that as leverage to obtain a discount, Hildreth said.

Another key point is to deal with someone who has decision-making authority. If you’re negotiating with someone who has to go check with a boss or partner, walk away and try again later, he said.

But be aware that it may be difficult to evaluate costs, because the vendors charge differently. You’ll want to look at initial costs, ongoing costs, and training costs.

“Remember,” Hildreth wrote in his presentation documentation, “that the quality of a PKI vendor selection depends upon the quality of the selection process used. The way to choose the best PKI for an enterprise is to use a structured, hierarchical decision-making process.”
How many of you are looking at investing in PKI in the next year? Please share your experiences and questions by e-mail, or post below.