IT leaders and managers familiar with Public Key Infrastructure (PKI) recognize it as one of the industry’s oldest tried and tested security tools. IT pros also recognize the cost and dedicated resources required to stand up and manage a PKI program in-house. As the digital evolution continues, so does PKI’s transformation and its importance within the enterprise security fabric.
Like all security initiatives, modernizing PKI within the security framework is key to mitigating risk and achieving compliance. But with the industry’s skill shortage and competing budget priorities, how can you bypass barriers to deploy a program that’s right for your team, the enterprise and its budget? Where do you start?
Let’s start at the beginning
PKI has stood the test of time, offering foundational security assurance to CISOs and CIOs, and standards validation in the eyes of regulators. Today it remains a critical tool used by teams to protect their organization’s digital identities across people, applications and devices. Yet despite its critical role within the cybersecurity framework, PKI has struggled to find a clear owner within the organization. Add to that the results of a recent survey in which just 36% of respondents said their organizations have enough IT security staff members dedicated to PKI deployment.
As cyber risk and industry standards evolve, so does the role and program ownership of the CISO. Gone are the days of data center and application management. Today, CISOs are expected to understand and own the complexity of the organization’s tech stack and the SaaS and PaaS that supports it. Complex IT requirements like cloud migration and layered authentication projects across the IT ecosystem demand flexibility and process overlay to ensure a strong security posture that can scale alongside infrastructure needs.
Getting PKI right
CISOs taking the reins of their PKI program have two options: build or buy. Historically, most leaders opted to build, assuming operational savings over time. Unfortunately, then as now, CISOs have discovered that without appropriate resourcing and continuous care and feeding, PKI can degrade, leading to vulnerable keys, certificates, system outages or worse – a significant breach event. Beyond the direct cost of network downtime, such PKI failures expose preventable vulnerabilities and add further spend to correct the root cause and recover from the outage and its losses.
PKI program failures – and how to avoid them
Unlike newer processes, PKI’s long history gives us countless real-life case studies of what has worked well and what hasn’t. One recent case study followed a financial institution as it opted to build an application to manage its PKI and growing number of certificates. While the company was able to leverage an existing data center and physical security, implementation alone took four months, requiring the dedication of multiple team members across development, engineering and IT. In addition to resourcing, the project racked up significant hardware, licensing and integration costs.
On the other hand, as with many other security functions, more leaders see the advantages of outsourced PKI and are opting to ‘buy’ PKI via cloud deployment. The reasons are simple: streamlined deployment, better security hygiene, lower staffing costs, and more predictable (and manageable) program spend over time.
Keyfactor partnered with cybersecurity analyst, Simon Gibson, and GigaOm to help you explore the hidden costs behind PKI, both in-house and outsourced. Download the free report to gain tips to help you map your PKI requirements, build your budget and decide whether cloud-based and outsourced PKI is right for your business.