Nortel’s Mixed Messaging About Voice Security


Nortel just launched their Voice Security Technology Blog.

The focus here will be on voice systems with an appropriate level of security to meet business needs and reducing risk to an acceptable level.

This charter, in many ways, dilutes the very reason for starting a voice security blog in the first place. What is an “acceptable level” of security for unified communications? This is defined differently by each customer’s security policies (or lack thereof). In fact, many customers feel that no security is an “acceptable level” and that the risk isn’t worth any cost.

The truth is, there will never be a “business need” for security until it impacts the business. This is the natural order of security in the enterprise and it is no different with voice and unified communications.

Interestingly, Nortel’s first real post on their Voice Security Technology Blog is about risk management, not voice security. Assessing risk is not new to enterprise companies. But risk can come in many forms. “Business needs” often disregard the risk in the communications architecture in favor of the much more obvious competitive, market and economic risks. I argue that the traditional way to assess business risk (as recommended by Nortel on their blog) doesn’t apply to the speed of technology change today.

If you do not have the data on which to judge the impact of the vulnerability, consider adopting a suitable risk management framework – and then you can manage your risk exposures appropriately.

So, while the risk management committee is meeting to determine the risk of a vulnerability in your enterprise network, hackers all around the world are running, not walking, to release into the wild the first tools that exploit that vulnerability. And in some cases the tools may exist before the exploit is announced. Is this really an effective way to address voice security? Isn’t it better to err on the side of caution instead of trust?

Customers today still believe that their data, their networks and their communications systems are not important to hackers. In all honesty, they are largely correct. However, they completely underestimate the modern hacker and script kiddie’s insatiable desire to conquer and brag.

Traditional voice vendors continue to ignore the elephant in the corner of the room. They put too much trust in their signaling and media encryption and not enough emphasis on good security design practices. Security experts agree that a multi-layered approach is the best method for designing a secure system. You should never depend on a single point product in your infrastructure to keep your systems safe.

In network design, a single point of failure is bad design. In security, redundant appliances running the same code base are also bad design if they are the only protection between you and your business-critical systems.

Many would have you believe that all vulnerabilities have to be fixed now — when in reality their assessment through a risk management process will categorize them for a particular organization appropriately – and direct the needed level of response and risk mitigation.

Understanding risk is important, but why does it have to be a manual process driven by a committee and paperwork? Integrated security must evolve to mitigate vulnerabilities in real time through software intelligence. A multi-layered security strategy can and will buy you time, but it doesn’t remove the need to fix the underlying issue. Every hole you leave in the dam weakens its structural integrity. And before you know it, you’ll have a flood on your hands.

Nortel seems to be working from the Microsoft playbook on security. Microsoft chose to ignore the security of their flagship operating system for many years. They finally addressed it with Windows Vista, but it was too little, too late. This didn’t work too well for Microsoft, and it won’t work for Nortel. In the long run, this strategy will hurt the very customers Nortel is trying to support.