Best practices to establishing a voice security strategy and roadmap

Published: August 13, 2019

In our previous article on building a strong voice security strategy, we explained that one of the many objectives of doing so is to protect client or customer identities, data and service. The domain areas of most importance include enterprise telephony, contact centers and consumer phones. Now we will focus on providing a set of recommendations and industry best practices to establish a voice security strategy and roadmap.

Perform a voice security requirements analysis

To get started with your voice security strategy and roadmap, you should first perform a voice security requirements analysis. This would involve having one or more discovery sessions with your business leaders to identify and understand specific-business needs and to develop a consensus on success criteria. To help ensure success, stakeholders from across the organization should be involved, including those who “own” your various IT and communications systems marketing, legal, sales, IT, security, and other departments or business units).  

Business leaders, with assistance from the legal team, should detail existing threats, attacks, fraud and scam attempts, targeted transaction types, known as “bad actors”, and quantify the degree of exposure. In some industries, such as the financial services or retail sectors, fraud losses are well known. In others, it may be more subjective, manifesting itself as known customer or employee experience issues, without an associated dollar figure. Ideally, the analysis will drive a clear definition of the business requirements and an updated voice security policy for your organization.

Once the business requirements and updated policy has been drafted and agreed upon, a gap analysis of the organization’s current voice security maturity level is needed. This analysis will compare the updated policy to the current policies and evaluate compliance with current policies.  

Threat vector and vulnerability analyses will likely be very useful in this gap analysis that should look both at the technology in place and the potential deficiencies that may exist. New resources and skill should be identified (along with any potential acquisition plans) to meet the updated requirements. And, you should evaluate whether additional workforce training is needed to proactively identify and mitigate security risks. The gap analysis will form the basis for the development of the voice security framework, the next step in the voice security strategy and roadmap.

Establish the voice security framework

The voice security framework helps ensure the safety of customer’s critical data and voice communications and is the next important step in developing your voice security strategy and roadmap. While a base framework can be derived from industry best practices, each organization has a different and unique make up. The framework should be tailored accordingly and take into account an inventory of all existing voice platforms, applications and tools used in the organization. The framework should also incorporate organizational specific standards and policies, and include the requirements captured from business leaders during the requirements analysis phase. 

Develop the voice security architecture and design

Once the voice security framework is established, a sound voice security architecture and design, reflective of the framework, needs to be developed. The architecture provides a high-level relational and logical understanding of how the different components, integration points, systems, tools and technologies are linked with each other. 

This low level design provides the detailed physical-level understanding of the components, which will be important during the development and implementation of the voice security plan for the organization. Together, architecture and design are powerful tools with which the voice security posture can be clearly articulated for both IT and Business stakeholders. 

Verify and validate against business requirements

The voice security strategy and roadmap is an initiative for the entire organization, not only for IT or security. Therefore, after the design and architecture are developed, it is important to perform a voice security analysis as part of a separate verification and validation step where you should document how the voice security architecture and design will meet the business requirements.  

Also identify any risk, lost functionality, or new processes that may place additional requirements on employees or customers. It’s important to document your findings and inputs in a voice security risk plan, thereby ensuring transparency and visibility across all levels of the organization while helping to establish appropriate steps to mitigate or address risks, as needed.  

Create the implementation plan

Your voice security strategy and roadmap cannot be considered complete without a clear plan and understanding of how the aforementioned steps will be implemented and operationalized. The implementation plan should clearly articulate the timeline and milestones, constraints, dependencies, and a communication to the workforce on the rollout. 

Roles and responsibilities should be defined for the stakeholders, in order for seamless transition into the future state – with minimal disruptions and delays.  The implementation plan should include steps for continuous monitoring, disaster recovery, failover, and escalation procedures. Having these plans visible, known and accessible can help improve enterprise security readiness and achieve desired business outcomes. 

Learn more on establishing a voice security strategy.