Prioritizing Security When Selecting A Video Conferencing Solution...

Apr 10, 2020 9:08:08 AM


Before the recent COVID-19 pandemic, most companies looked at unified communications and collaboration (UC&C) solutions as important technology often used by sales and marketing teams as part of their process, but not necessarily a critical part of the business infrastructure. With work from home (WFH) becoming the mandated norm, businesses have come to look at UC&C solutions as mission-critical tools, allowing managers and leaders to communicate with their employees and employees to conduct some semblance of normal business.

All things being equal, businesses would do well to use or augment their existing infrastructure for video conferencing. Those licenses have likely been purchased, and it makes sense to continue to use products that people are already trained to use.

But things are not equal.

In the past weeks, as the pandemic has continued to spread and various states have mandated stay-at-home orders, there have been plenty of news reports demonstrating that not all of the UC&C solutions are created the same. This isn’t to say that some of the solutions are “bad,” but I believe it is fair to say that some have differing priorities when it comes to what is most important in their software lifecycle.

For businesses and enterprises evaluating unified communications and collaboration solutions, security should be a key consideration and starting point. For complete transparency—these are the criteria I have personally used in my previous IT and security roles before becoming a security researcher.


This may be the most obviously important factor from the user-experience perspective, but it is also a “table stakes” criterion. The solution needs to be able to connect and host video conferences without failures, latency, and delays (this was a significant problem for many, if not most, of the providers immediately after the WFH and virtual classes began). Call recording, screen share, and recorded chat are all necessary, as are presenter controls and dial-in options. From there the sky is the limit, though virtual lobbies, third-party integrations (with Outlook and video systems), video endpoint integration, participant insights, call transcription and virtual whiteboards are differentiators.


A good video conferencing solution must be easy to use on pretty much any device. The interface should be intuitive, and a client should be available for any/every platform. Most of the solutions will claim they can be used on every kind of device through their web portal, and while this is likely true, most solutions require a client to take advantage of all of the solution features. There may also be significant security concerns with a web-based or web-only solution.


There are generally two types of pricing: free and licensed. Licensed solutions run the gamut in pricing based on the number of meeting participants, geographic scope (paying for international dial-in numbers), length of meetings, and number of enterprise users. Many licensed solutions also offer a free account or trial, with limited functions, participants, meeting length, and very little in the way of support.


Last on this list is the security of a UC&C solution. Security should be the foremost consideration in choosing a UC&C solution after moving past the standard feature checklist (which the majority of top solutions have in common).

Evaluating UC&C solutions based on their ability to protect your employees and enterprise is the best way to narrow down the list:

- Secured Out of the Box: Many UC&C solutions on the market concentrate on the user experience and interface at the expense of security. When a vendor realizes the security of their solution is lacking, fixes are reactive and generally not well thought out, and usually consist of bolt-on fixes and patches, requiring updates and procedural changes. Look for a solution from a company that has a track record as a security leader in the industry, with a platform of millions of secured installs and a commitment to focus on security first.

- Support is Critical: Many UC&C solutions provide little in the way of support, and the free versions generally provide none. An enterprise-ready UC&C solution should have proven and dedicated support capable of responding to requests. When considering the mission-critical nature of UC&C solutions, look into a vendor’s ability to respond to vulnerabilities and their response times to resolve security gaps.

- Addressing Data Privacy: How is the data transmitted and communicated within a session stored, maintained, and used? Are the chats kept private? Is the information encrypted when stored? Is the session encrypted? Can anyone just “bomb” an open session? As information technology professionals, we are all keenly aware of the necessity of maintaining data security and privacy, and many enterprises had engaged in data privacy initiatives prior to the COVID-19 pandemic. Enterprises cannot abandon these data privacy efforts because of the pandemic and must ensure that their UC&C solution is aligned to their data privacy goals.

- Newer is NOT Necessarily Better: There are plenty of UC&C solutions on the market today. Some are literally in their infancy as far as installed base, and those vendors are still working out the bugs in usability and security, while other solutions offered by more established leaders in the industry are, in many cases, able to provide greater levels of security and stability. The latter are always worth considering when making an investment in mission-critical infrastructure. Plus, it gives comfort to management and executives knowing that they are selecting a proven solution.

There has never been a time when unified communications and collaboration solutions have been as critical to the success of the enterprise as they are now. Understandably, there is an immediate need to select and deploy this type of solution to ensure business continuity in this time of crisis. However, IT and security managers must be thoughtful when choosing a UC&C solution, making sure to place at least as much emphasis on the level of security it affords as on the extra functionality it offers.

Written by Chris Steffen

Christopher Steffen, CISSP, CISA, is the vice president of research at EMA, covering information security, risk, and compliance management. Before EMA, he served as the CIO for a financial services firm, focusing on FedRAMP compliance and security. He has also served in executive and leadership roles in numerous industry verticals. Steffen has presented at numerous industry conferences and has been interviewed by multiple online and print media sources. Steffen holds over a dozen technical certifications, including CISSP and CISA.
