Ten Questions to Ask Any PKI Consultancy Before You Engage Them
Public Key Infrastructure is a specialist discipline, and the gap between a genuine specialist and a generalist who lists PKI among many capabilities is wide. It is also difficult to judge from the outside, because the language sounds similar and the credentials can look alike. The most reliable way to tell them apart is to ask the right questions, and to listen carefully to the answers.
The ten questions below are the ones we would encourage any organisation to put to a prospective PKI consultancy. They are deliberately vendor-neutral, and we would be entirely comfortable answering every one of them ourselves. The aim is not to steer you towards a particular provider, but to help you engage one with confidence.
1. Is PKI your specialism, or one capability among many?
Some firms treat PKI as a subset of a broader security or IT practice. Others focus on it exclusively. Neither is disqualifying, but the distinction matters, because PKI rewards depth. Ask how central PKI is to the firm's work, and how much of its delivery is genuinely PKI-focused rather than adjacent.
2. Are you vendor-neutral, or aligned to a particular product?
This is one of the most important questions to ask. A consultancy tied to a single vendor has an incentive to recommend that vendor's technology regardless of whether it is the best fit. A vendor-neutral consultancy is free to recommend what is right for your environment. Ask directly whether the firm is independent, and how it ensures its advice is not shaped by product allegiances.
3. Who will actually do the work?
The people who win the engagement are not always the people who deliver it. Ask who will be assigned to your work, what their PKI experience is, and whether you will have continuity of personnel through the engagement. A firm should be able to tell you about the specific expertise it will bring, not just its collective credentials.
4. How deep is your bench?
A consultancy that depends on one or two individuals carries a risk: if they are unavailable, so is the expertise. Ask about the size and depth of the team, and whether support and delivery draw on a pool of specialists rather than a single point of failure.
5. Can you show relevant, comparable experience?
PKI environments differ, and experience in one setting does not automatically translate to another. Ask for examples of work comparable to your requirement, whether by sector, by scale, or by the nature of the challenge. A genuine specialist will be able to point to relevant engagements, whether design, build, migration or health check.
6. How do you approach an engagement?
A credible consultancy has a structured method, not an improvised one. Ask how it would approach your requirement: how it establishes a baseline, how it scopes work, how it manages risk and governance through delivery, and what you would receive at each stage. A clear, repeatable approach is a strong signal of maturity.
7. How do you handle the boundary between advice and delivery?
Where a consultancy both advises and delivers, there is a potential conflict: advice that conveniently leads to more delivery work. Ask how the firm keeps its advice independent of its delivery revenue, and whether it is willing to recommend against work it could otherwise sell. The answer tells you a great deal about how it will behave.
8. What happens after go-live?
Delivery is not the end of a PKI's life; it is the beginning of its operation. Ask what support the consultancy provides once a solution is live, whether it offers ongoing assurance or managed services, and how it hands over to your own team. A firm that thinks only as far as go-live has not thought far enough.
9. How do you stay current with a changing field?
PKI is not static. Certificate lifetimes are shortening, standards are evolving, and the post-quantum transition is approaching. Ask how the consultancy keeps its expertise current, and whether it can advise on where the field is heading, not just where it is today. Strategic foresight is part of what you are paying for.
10. Will you be straight with us?
Finally, and least technically, ask whether the firm will tell you what you need to hear rather than what you want to hear. The most valuable consultancy is one that will identify uncomfortable findings, challenge assumptions, and give you an honest assessment, even when it is not the easiest message to deliver. You are engaging expertise; candour is part of it.
Why we are comfortable with these questions
We have set these questions out because we would welcome every one of them. Unsung is a UK-based, specialist cybersecurity consultancy focused exclusively on Public Key Infrastructure, with a team of more than 20 dedicated PKI experts. We are strictly vendor-neutral, which means our advice is shaped by what is right for your environment rather than by any product we might propose. We work across advisory, delivery and managed services, and our approach is structured, evidence-based and consistent.
The strongest reason to ask these questions is that a good consultancy will answer them openly, and a weaker one will struggle to. If you would like to put them to us directly, or discuss a PKI requirement, contact us. You can also read more about our PKI consultancy and the range of services we provide.

