First, I'd take any such claim with a huge bag of salt.
That said, try to ascertain whether his idea is a method for solving an application problem or a technique/algorithm for solving a technical problem. So, for example, swiping a credit card and then authorizing the transaction on your mobile device is essentially a business method for solving a consumer application. There are at least 20 patents for this with minor variations. These patents are not worth much except for defensive purposes.
In contrast, the RSA algorithm is a technique for solving a technical problem - using asymmetric keys to establish a secure channel between two unknown parties over an insecure channel. Such an invention can underlie a wide range of applications in multiple industries - from user authentication to financial transactions, secure storage of medical records, espionage and so forth.
Based on what you say, it looks like your friend could have a real technique or algorithm. These patents can be very valuable if (a) it's in the hands of the right company and the company buttresses its product portfolio around this new data security technique; or (b) it's such a basic technique that dramatically changes data security that everybody needs to license it - in this case, licensing may be a better strategy than selling it to a one-product pony.
If I were you, this is what I'd do.
1. Before going to a biz dev guy or IP attorney, I'd get an academic in this area and - under NDA - get an opinion as to whether your friend's invention is indeed something new and a breakthrough. The academic may not be able to tell you about the business potential of the patent, but can at least verify that originality/significance of the idea.
2. Once I ascertain that it is indeed new or original, I'd try to understand precisely what "technical" problem this solves. This may involve multiple conversations with the inventor to try and tease out the technical problem from application ideas (e.g., making a buyer completely anonymous is an application problem, not a technical problem; being able to run SQL queries over encrypted data is a technical problem that can enable a lot of applications).
3. Once I understand what technical problem is being solved, then I'll make a list of what applications it could enable. If this list is sizable or significant, I'd do what Mr Basu above suggests - try to get a patent with international IP coverage. Ideally, you want a clean patent on the technique itself and a set of secondary patents around it for specific applications it can enable.
4. Having set the IP process in motion and with a list of potential applications, I'll open conversation with biz dev guys as have been suggested. If you go about it methodically, you'll find applications you or the inventor have never thought of [for example, an unusual early application of RFID was in the Australian boonies to identify which sheep was entering the feeding bin and control how much it food is dispenses or add any nutritional additives or medications for that sheep].
5. As you talk to biz dev guys from different companies, you'll begin to get a sense of what pain points in different companies/industries that your friend's patent can solve and the size of those opportunities.
This is the point at which you can decide whether to sell it one big buyer or license to several.
Sounds too complicated? If it's really such a sweeping idea that is as big as is claimed, then this process will enable you to extract the maximum value from it.
But then an academic may be able to ferret out some paper in some esoteric Russian journal (unlikely, but possible).