June 04, 2004

Trust Cannot be Outsourced

The PKI sector successfully pushed the notion that trust could be outsourced. This was a marketing claim that was never quite shown to be the case, in that PKI itself never delivered a workable business model. So maybe the PKI vendors will bounce back in another life, and show us what they meant.

I think not. Outsourcing trust to a PKI vendor is like outsourcing taste to a brewery, you may as well let the brewer drink the beer for you.

This conundrum should be obvious to any serious business person. It is possible to outsource process, and it is possible to outsource substantial elements of due diligence (DD). But in the end, you make the decision, and the document you get from some rating agency is just one input into the full process.

The credit ratings agencies are perhaps the best example. Do they do your trust for you? No, not really. They provide a list of the customer's credit events. As well as that useful input to the process, a good business conducts other checks. A forecourt - car seller - might check the driver's licence, and it might pay more attention to some things on the credit report than others. Car dealers make assessments of integrity by looking and talking to the person. And ultimately they trust in the courts, police and driver and vehicle registration people to provide limits.

There's an easy test. If the trust is outsourced to a firm, the firm can make the decision for you. Does the credit agency decide to sell a car on credit? No chance. Does a third party PKI decide to let the customer in to transfer her life's savings? No way.

There are cases where decisions of trust are made entirely by other organisations. In which case, I'd suggest, the model is back to front. What's happened is that you've outsourced your business to the trust provider. Or, the decision maker has outsourced customer acquisition to you. That which owns the customer, is the business. You're now in the business of providing leads.

So if all this is true, why did PKI vendors make such a big deal of outsourcing trust? They weren't trying to put their customers out of business by acquiring their customers, that's for sure. No, it seems as if was just another powerful image of marketing. Also, as an evocative reason with no substance, it was a qualifier. If a customer "bought" the message that trust could be outsourced, they were likely to buy into PKI, also.

Posted by iang at June 4, 2004 09:24 PM | TrackBack