Building the Internal Business Case for a PKI Engagement
Most security leads already know their organisation's Public Key Infrastructure needs attention. The harder task is not identifying the problem but securing the budget to address it. PKI rarely competes well for investment against more visible priorities, precisely because it works quietly until it does not, and because the case for funding it is usually made in technical language to an audience that thinks in financial terms.
This article is a practical guide to closing that gap. It sets out how to build an internal business case for a PKI engagement that a budget holder will approve: how to frame the risk in terms the board understands, how to articulate the cost of inaction, how to anticipate the objections a PKI proposal attracts, and how to scope a first step small enough to be signed off quickly.
Why PKI struggles for funding
The difficulty is rarely that decision-makers dislike security. It is that PKI is abstract, invisible when healthy, and easily deprioritised in favour of initiatives with a clearer commercial story. A certificate authority that has not failed does not announce its own fragility, and a security lead asking for money to fix something that appears to be working faces an uphill argument.
Compounding this, PKI is often explained in the wrong register. Talk of trust hierarchies, revocation services and key ceremonies does not resonate with a finance director. The successful business case translates the technical reality into the language of operational risk, cost and business continuity. The sections below set out how to do that.
Step one: bring the right people with you
A business case argued by the security team alone is easy to characterise as a technical wish list. One backed by a small, cross-functional group is far harder to dismiss, because it demonstrates the proposal has been considered from every angle that matters to the board.
The stakeholders worth involving early are:
- IT and operations, who can confirm the practical impact of PKI failure on the services they run.
- Finance, who can help frame the numbers credibly and will be reassured that the spend has been pressure-tested rather than presented as an open cheque.
- Risk and compliance, who can connect the proposal to the regulatory and audit obligations the organisation is already committed to meeting.
- A specialist PKI partner, who can provide the independent, expert assessment that gives the case its authority and takes the argument beyond internal opinion.
The last point matters. An independent expert view carries weight that an internal request often cannot, particularly when the board is being asked to accept that a quiet, functioning system nonetheless carries material risk.
Step two: frame the risk in business terms
The centre of any business case is a clear-eyed assessment of what is actually at risk. For PKI, the exposure is rarely theoretical, and it maps directly onto outcomes the board already cares about.
The most immediate is availability. A single expired certificate or a misconfigured revocation service can take a customer-facing service offline without warning, and these failures tend to arrive at the worst possible moment. This is not an abstract concern; the operational impact of expired certificates is well documented, and it is the most tangible way to make a board feel the risk. Our article on the real cost of expired certificates sets out how these outages occur and what they cost.
Beyond availability sit two further exposures the board will recognise. The first is integrity and trust: a compromised or poorly governed PKI undermines the authentication and encryption the whole organisation depends on, and the reputational damage of a trust failure is difficult to contain. The second is compliance: PKI intersects with obligations under frameworks such as eIDAS, PCI DSS and the security expectations of sector regulators, and an estate that cannot demonstrate control is an audit finding waiting to happen.
Framed this way, PKI stops being a technical curiosity and becomes what it is: a foundational dependency whose failure has direct operational, reputational and regulatory consequences.
Step three: articulate the cost of inaction
Decision-makers respond to the cost of doing nothing at least as strongly as to the benefit of acting. The business case should make that cost explicit, even where precise figures are not available.
The cost of inaction on PKI accrues in several ways. Unplanned outages carry direct revenue and productivity losses, alongside the cost of the emergency response they trigger. Remediation undertaken in a crisis is invariably more expensive than the same work planned in advance, because it is done under pressure, often out of hours, and frequently with external help engaged at short notice. Audit findings left unaddressed escalate, attracting scrutiny and, in regulated sectors, potential penalty. And an estate allowed to drift further out of good practice becomes progressively more expensive to bring back into line.
Where hard numbers are available, they should be used. Where they are not, the qualitative argument still holds: the organisation is carrying an unquantified liability, and the purpose of the engagement is to quantify and reduce it before it materialises. That framing, the choice between a modest planned investment now and an unbounded cost later, is one a finance director understands instinctively.
Step four: anticipate the objections
A PKI proposal attracts a predictable set of objections. Anticipating them in the business case, rather than being caught by them in the meeting, is what separates a proposal that succeeds from one that stalls.
- "It is working, so why spend?" The answer is that the absence of visible failure is not evidence of health. The engagement exists precisely to establish whether the confidence is justified, and to surface the risks that only become visible when they cause an outage.
- "This looks expensive." The counter is scope. A first engagement need not be a large programme. It can be a bounded, fixed-cost assessment that produces evidence, which is addressed directly in the next step.
- "Will this disrupt operations?" A well-scoped engagement is designed around the organisation's constraints and does not require operational change to deliver its findings. This can be stated plainly and agreed up front.
- "Why an external partner?" Because independence and specialist depth produce an assessment the organisation cannot readily generate internally, and because a defensible, third-party view is exactly what the board needs to make the decision with confidence.
Step five: scope a first step small enough to approve
The single most effective move in securing PKI investment is to make the first decision small. A large transformation programme is difficult to approve in one step, because it asks the board to commit significant budget on the strength of an argument rather than evidence. A bounded first engagement inverts that: it asks for a modest, fixed commitment that produces the very evidence needed to justify anything larger.
This is where a PKI Health Check is the natural starting point. It is fixed in scope and cost, requires no operational change, and produces a clear, independent findings report that grades risks by severity and sets out prioritised recommendations. For the security lead, that report is the ideal instrument to take upward: it replaces internal assertion with external evidence, quantifies the risk the board was asked to accept on trust, and provides a defensible, prioritised basis for whatever investment follows.
In other words, the first engagement does not just address a slice of the problem. It builds the business case for the rest of it. Our health check engagements across engineering, healthcare and systems integration have each produced exactly this: an evidence-based report that informed a remediation roadmap and an investment case the organisation could act on.
Step six: make the case in the board's language
The final step is delivery. The strongest business case can still fail if it is pitched in the wrong terms. When the proposal reaches the decision-makers, it should lead with business impact rather than technical detail: the operational risk being carried, the cost of inaction, the modest and bounded nature of the first step, and the way that first step de-risks every decision that follows. Technical depth belongs in the supporting material, available if asked for, not at the front of the argument.
Aligning the proposal to the organisation's wider objectives strengthens it further. If the organisation is pursuing digital transformation, cloud adoption or Zero Trust, a sound PKI is a prerequisite for all of them, and the engagement can be positioned as an enabler of those goals rather than a standalone cost.
How Unsung helps
Unsung is a UK-based specialist PKI consultancy with a team of more than 20 dedicated PKI experts serving government, defence, financial services, healthcare, transport and critical national infrastructure clients. We work on a strictly vendor-neutral basis, so our assessments and recommendations are shaped by what is right for the organisation rather than by any product allegiance.
For a security lead building the internal case for investment, the most useful thing we provide is independent evidence. A PKI Health Check gives you a bounded, credible first engagement and a board-ready report that turns an internal concern into a defensible business case. From there, our wider PKI consultancy and delivery services can address whatever the findings identify.
If you are preparing to make the case for PKI investment and would value an independent view to support it, contact us to discuss how a health check would map onto your environment.

