|
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE] [IMAGE] One-On-One
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
Q&A with John Thompson
John Thompson has transformed Symantec into one of the world's leading security companies. Next, he's bracing for a serious challenge from Microsoft, one Symantec expects to counter with innovation.
What role does innovation play at Symantec?
Inside the company, we have a couple things that we try to foster and facilitate. You want your engineers thinking about not just what your customer's problems du jour are, but what the threat changes might be that warrant changes in the product. Complementing that is an organization called Symantec Research Labs, where our engineers are thinking about problems that are two to three years downstream.
Outside the company, we make a number of small investments in early-stage tech companies that are all around the security paradigm. For example, I think we may still have an investment in a voice security company, not because we have any interest in voice, but because we have an interest in our customers securing their infrastructures.
We'll also make investments that are much closer to what we do—for example, Mazu Networks, which does distributed denial-of-service attack [defense]. We have the capabilities and technologies to do that, but why not invest in other companies that might be doing the same thing? We might learn something and get early insights that give us an avenue into the next phase of external innovation, which is all about M&A.
Symant...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
ec will buy three to five companies a year ranging in size from small companies where we are principally focused on the technology, to a large company where the transaction involves business content that we want to add to our portfolio, or a company that represents a whole new business opportunity.
Has it become more difficult to find innovative companies for M&As and partnerships because of all of the recent consolidation?
No. If you think about what's happened in the security domain, particularly between 1997 and 2001, it was probably the largest area of venture investment in IT. Hundreds of millions, even billions, of dollars were invested in hundreds of companies that had an idea or a technique to secure the Internet. And many of those companies still exist but don't have the liquidity path they thought they'd have years ago. And, many of them may find that ongoing venture funding is getting harder to secure as the industry consolidates and slows down. But, there are still companies out there that have interesting technologies and might find their way into a larger company; the benefit they get is larger scale route-to-market distribution and marketing muscle that can come only from a company like Symantec.
Overall, have you been pleased with how things have gone with the Veritas acquisition?
Absolutely. It hasn't been without its challenges—make no mistake about that—but we are pleased. We have seen a changing threat landscape that has impacted the security business: From 2002 to 2004, we saw almost 100 high-profile viruses; last year we saw only six. That's an amazing change. But, the threats that we see now, while more frequent, are more stealth-like, so the amplification of a problem in the marketplace isn't the same.
It got to the point where, in the 2004/2005 timeframe, these things were being talked about on drive-time radio. This prompted a lot of consumers and small businesses into the marketplace and propelled our business forward. That being said, we have a very solid security and data center management business.
A lot of the talk we hear from security and software vendors in general is about the on-demand model. Do you see a time when enterprise software is delivered exclusively on-demand, and the shrink-wrapped business goes away?
We have to maintain the simple view that, when a large corporation spends $10 million deploying software products and managing its environment with those software products, the company is not willing to walk away from that for the "next new thing" for prudent financial reasons. As industry leaders, we have to anticipate where markets are going and think about the next new thing, and we have to keep ourselves balanced in the businesses and investments that our customers have made today versus where we'd like to lead them in the future.
There are portions of the Symantec portfolio that lend themselves to a service delivery model: online backup, online archiving, online mail management. But, for example, if you look at the mail management market, about 50 to 60 percent of it is software-based, about 30 percent is appliance-based, and the balance of that capability is delivered as a service. The appliance part is growing faster than either of the [other] segments, but there will come a time when companies—particularly mid-market companies—will say, "Gee, why do I want to manage an Exchange server or a Notes server? Why wouldn't I want to have someone manage that process for me, and deliver to me mail that is free of spam and free of malicious content? Then, I can focus on the business of my business instead of the business of managing my mail infrastructure."
That's a terrific opportunity. There are services like this that are certainly becoming more relevant as people start to think about disaster planning and disaster recovery, and clearly that's an opportunity for Symantec. But, the notions of software or services aren't mutually exclusive. People will use those as complementary techniques, not unlike what some do with our managed security services, where they will rely on us to manage some portion of their network infrastructure and manage the rest of it themselves. And that complementary in-house versus outsourced capability for many large companies is very much in vogue today.
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]
To Buy or Build
This new attitude and strategy at Symantec is not so much about securing systems and networks as it is protecting the data that resides on those machines and ensuring that only the appropriate people, applications and processes have access to it. The Veritas purchase fits neatly into that line of thinking, as do a number of advanced projects the company has in the works.
To help shape Symantec into the enterprise software provider he wants it to be, Thompson and his executive team are relying on their tried-and-true method of innovation through acquisition. But they're also putting much of their faith in the company's growing internal research team.
That team is the domain of Stephen Trilling, vice president of research and advanced development who runs the company's four research groups: core research, university, government and advanced concepts. Each group has its charter and operates somewhat independently, but they also work together occasionally and share ideas constantly. The more than 50 researchers the company employs get the chance to work on a lot of complex and interesting projects, but Trilling makes it clear that his is no pie-in-the-sky lab with indeterminate milestones and vague goals.
"We want every part of what we do to bring value to our customers," Trilling says. "Developing an entirely new product is expensive. We have millions of customers who expect a high level of quality. We keep tight reins on the projects, but we give people the freedom to innovate."
Probably the purest example of this idea is the advanced concepts research group. This team is designed to operate like a startup: Find a need for a product in an uncertain market, build it and ship it to a few adventurous customers to see how it holds up, and then see whether one of the Symantec business units is interested in adopting it.
Occasionally, one of the other research teams will transfer its projects to the advanced concepts group to get it customer-ready. One of the first products to emerge from this process is the company's forthcoming database security and auditing tool, an appliance-based offering that will hit the market in the next few months. The core research team created the technology and transferred it to advanced concepts, which got it into the hands of a few customers for evaluation.
The tool, Symantec Database Security, is essentially an out-of-band network sniffer that looks at a copy of the traffic going to and from the database. Like other similar tools, it has a learning mode in which it observes typical database traffic and learns which queries should be considered legitimate. It can then flag potentially malicious or abnormal database queries for follow-up. It also has a feature Trilling calls "extrusion detection" that can send up alerts whenever potentially sensitive data leaves the network. The first version will not be able to block malicious queries, however.
Although several vendors, including Lumigent Techno-logies and Tizor Systems, have had database security and auditing tools on the market for years, Thompson believes that building such technology in-house instead of going down the acquisition path has benefits for Symantec.
"[The research group] knew that no one was focused on that particular problem area and took a few of the technologies we had that were focused on the inside threat. The group said, 'Is there something we could do that would move our technology closer to where the data is being managed that would allow us to deliver better protection?'" says Thompson. "They came up with this idea, they prototyped it, they worked with some customers, and it's worked its way through the cycle and will become a part of a business unit. It's transferred from the research lab to the business unit, and they sustain it in the marketplace as part of the broader enterprise security strategy."
CareGroup Healthcare System, a Boston-based management company that runs three hospitals in the city, has been testing Database Security since its alpha phase, and administrators at the company are pleased with its simplicity and effectiveness. Thanks to HIPAA, the auditing and security requirements have multiplied exponentially in recent years, and Ayad Shammout, lead technical database administrator at CareGroup, was making do with a patchwork of native database tools and custom scripts he and his team had written over the years.
"We're trying to get to the point of maximizing security and availability without adding any overhead to the system. The big advantage [of Database Security] is that it runs in passive mode, so I don't have to worry if we add another server. It's automatically protected," Shammout says. "We've set up a custom policy that alerts us when someone queries a particular column or field with patient data in it, so we can go back and see who did that and when. It's very simple. You don't have to be a security expert."
|
 |
|
