John Thompson and company are staking their claim as one of Silicon Valley's leading innovators. Will they succeed?
Silicon Valley is rife with companies famous for their technological innovations—Hewlett-Packard, whose founders essentially invented the valley's high-tech culture; Xerox, in whose famed Palo Alto Research Center lab was born much of the foundation for today's personal computers; Intel, whose co-founder Gordon Moore prophesied the huge technological gains of the last three decades—the list goes on and on. One company that would make almost no one's list of great innovators, Symantec, is in the midst of a quiet technological and cultural makeover designed to change that perception and cement the company's spot atop the security industry. Executing on a strategy of innovation and acquisition is Big Yellow's challenge.
Since its inception in the 1980s, Symantec has existed literally and figuratively in the shadow of its older and more established valley brethren. Sitting mere miles from the headquarters of HP, Xerox PARC, Intel and other members of the industry's ruling elite, Symantec has been best-known for its acquisitive tendencies and penchant for morphing and changing strategies every couple of years. Within a decade, the company evolved from a maker of basic computing utilities and productivity software into an antivirus vendor that also had some utilities, and then completed the transformation into a one-stop-shop for enterprise and consumer security products.
A new evolution is under way, one that began with the company's audacious acquisition last year of storage and backup leader Veritas, but is being pushed forward by a wave of internal innovation and product development unprecedented in the company's history. The goal is to turn Symantec—already a $5 billion company—into one of the dominant players in the software industry, on an equal footing with Sun, Oracle and even Microsoft.
Of Veritas and Vista
Symantec CEO John Thompson, a veteran of more than three decades in the software industry, has no illusions about the challenges facing his company. He knows that Microsoft is seriously attempting to make third-party antivirus software obsolete by building its own virus and spyware protections into Windows Vista. He knows that IBM, the company where he spent more than 20 years and whose culture of discipline he has brought to Symantec, is making noise in the security market with its recent acquisition of Internet Security Systems. And, he knows that critics in the financial community, his customer base and most of the security industry are convinced that the Veritas deal was a huge mistake, one that could prove to be as crippling to Thompson and Symantec as the HP acquisition of Compaq was to HP's then-CEO Carly Fiorina.
Thompson, a supremely confident man who leaves little to chance, has no patience for such criticism. (See "One-on-One")
"One of the things my team and I get paid to do is to think about where markets are going and what customer needs are likely to be; to try to anticipate that and move in that direction," he says. "That's clearly what we were doing with the Veritas transaction. Could we have done a better job of articulating the why more clearly, more concisely, more frequently and with greater vigor and zeal? No question about it. But because we were first movers, because we were far ahead of conventional wisdom, people tend to react more negatively. But, that's OK. We're certainly prepared to stick to our knitting, to stick to our beliefs and philosophies and move forward from there."
Jon Oltsik, senior analyst with Enterprise Strategy Group, believes the chance Thompson took with the Veritas deal appears to be paying off.
"It's been a big job integrating two $5 billion-plus companies. It's been overwhelming. [Symantec has] taken a lot of heat on this, and the upside has taken a while to emerge," Oltsik says. "Storage, security and data management are headed down the same path, and Symantec has been a pioneer [in this market]. It's all in the enterprise risk management area. There's more upside than downside, and I think you're seeing that now with the EMC and RSA deal."
Gordon Eubanks, Thompson's predecessor as CEO, knows a bit about integrating large acquisitions and pushing a company through often painful transitions. Eubanks says that managing such changes is all about having a clear goal and executing on the moves necessary to achieve it, regardless of outside praise or criticism.
"When the market is leveling, big players get into it and you have to make a change, the key is to pick an area where you can be successful, there's growth and you can be a leader," Eubanks says. "It isn't good enough to say that the market is big and, if I just get 10 percent of it, I'll be OK. That's a losing strategy. It never works because you don't have the scope and the scale. [Symantec] can't just stay where it is. That won't go on forever against Microsoft, and John knows that. He's a very smart, prepared and capable guy."
While customers and analysts like the direction Symantec is headed, there are still a number of challenges ahead for the company. Not the least of these is the looming specter of Microsoft and its OneCare security suite. OneCare is available now as an on-demand service for consumers, and it will be an integral part of Windows Vista. The offering includes both antivirus and antispyware software, placing it squarely in the path of the most lucrative part of Symantec's portfolio.
But it likely will be some time before OneCare makes much of a dent in the market, thanks to the large leads that Symantec, McAfee and others have on the desktop.
"Symantec definitely has a challenge from Microsoft on the desktop, but it's going to be more slow and steady than people think," Oltsik says. "I think Symantec is better off than people think. It's going to take enterprises in particular a long time to upgrade to Vista."
Q&A with John Thompson
John Thompson has transformed Symantec into one of the world's leading security companies. Next, he's bracing for a serious challenge from Microsoft, one Symantec expects to counter with innovation.
What role does innovation play at Symantec?
Inside the company, we have a couple things that we try to foster and facilitate. You want your engineers thinking about not just what your customer's problems du jour are, but what the threat changes might be that warrant changes in the product. Complementing that is an organization called Symantec Research Labs, where our engineers are thinking about problems that are two to three years downstream.
Outside the company, we make a number of small investments in early-stage tech companies that are all around the security paradigm. For example, I think we may still have an investment in a voice security company, not because we have any interest in voice, but because we have an interest in our customers securing their infrastructures.
We'll also make investments that are much closer to what we do—for example, Mazu Networks, which does distributed denial-of-service attack [defense]. We have the capabilities and technologies to do that, but why not invest in other companies that might be doing the same thing? We might learn something and get early insights that give us an avenue into the next phase of external innovation, which is all about M&A.
Symantec will buy three to five companies a year ranging in size from small companies where we are principally focused on the technology, to a large company where the transaction involves business content that we want to add to our portfolio, or a company that represents a whole new business opportunity.
Has it become more difficult to find innovative companies for M&As and partnerships because of all of the recent consolidation?
No. If you think about what's happened in the security domain, particularly between 1997 and 2001, it was probably the largest area of venture investment in IT. Hundreds of millions, even billions, of dollars were invested in hundreds of companies that had an idea or a technique to secure the Internet. And many of those companies still exist but don't have the liquidity path they thought they'd have years ago. And, many of them may find that ongoing venture funding is getting harder to secure as the industry consolidates and slows down. But, there are still companies out there that have interesting technologies and might find their way into a larger company; the benefit they get is larger scale route-to-market distribution and marketing muscle that can come only from a company like Symantec.
Overall, have you been pleased with how things have gone with the Veritas acquisition?
Absolutely. It hasn't been without its challenges—make no mistake about that—but we are pleased. We have seen a changing threat landscape that has impacted the security business: From 2002 to 2004, we saw almost 100 high-profile viruses; last year we saw only six. That's an amazing change. But, the threats that we see now, while more frequent, are more stealth-like, so the amplification of a problem in the marketplace isn't the same.
It got to the point where, in the 2004/2005 timeframe, these things were being talked about on drive-time radio. This prompted a lot of consumers and small businesses into the marketplace and propelled our business forward. That being said, we have a very solid security and data center management business.
A lot of the talk we hear from security and software vendors in general is about the on-demand model. Do you see a time when enterprise software is delivered exclusively on-demand, and the shrink-wrapped business goes away?
We have to maintain the simple view that, when a large corporation spends $10 million deploying software products and managing its environment with those software products, the company is not willing to walk away from that for the "next new thing" for prudent financial reasons. As industry leaders, we have to anticipate where markets are going and think about the next new thing, and we have to keep ourselves balanced in the businesses and investments that our customers have made today versus where we'd like to lead them in the future.
There are portions of the Symantec portfolio that lend themselves to a service delivery model: online backup, online archiving, online mail management. But, for example, if you look at the mail management market, about 50 to 60 percent of it is software-based, about 30 percent is appliance-based, and the balance of that capability is delivered as a service. The appliance part is growing faster than either of the [other] segments, but there will come a time when companies—particularly mid-market companies—will say, "Gee, why do I want to manage an Exchange server or a Notes server? Why wouldn't I want to have someone manage that process for me, and deliver to me mail that is free of spam and free of malicious content? Then, I can focus on the business of my business instead of the business of managing my mail infrastructure."
That's a terrific opportunity. There are services like this that are certainly becoming more relevant as people start to think about disaster planning and disaster recovery, and clearly that's an opportunity for Symantec. But, the notions of software or services aren't mutually exclusive. People will use those as complementary techniques, not unlike what some do with our managed security services, where they will rely on us to manage some portion of their network infrastructure and manage the rest of it themselves. And that complementary in-house versus outsourced capability for many large companies is very much in vogue today.
To Buy or Build
This new attitude and strategy at Symantec is not so much about securing systems and networks as it is protecting the data that resides on those machines and ensuring that only the appropriate people, applications and processes have access to it. The Veritas purchase fits neatly into that line of thinking, as do a number of advanced projects the company has in the works.
To help shape Symantec into the enterprise software provider he wants it to be, Thompson and his executive team are relying on their tried-and-true method of innovation through acquisition. But they're also putting much of their faith in the company's growing internal research team.
That team is the domain of Stephen Trilling, vice president of research and advanced development, who runs the company's four research groups: core research, university, government and advanced concepts. Each group has its charter and operates somewhat independently, but they also work together occasionally and share ideas constantly. The more than 50 researchers the company employs get the chance to work on a lot of complex and interesting projects, but Trilling makes it clear that his is no pie-in-the-sky lab with indeterminate milestones and vague goals.
"We want every part of what we do to bring value to our customers," Trilling says. "Developing an entirely new product is expensive. We have millions of customers who expect a high level of quality. We keep tight reins on the projects, but we give people the freedom to innovate."
Probably the purest example of this idea is the advanced concepts research group. This team is designed to operate like a startup: Find a need for a product in an uncertain market, build it and ship it to a few adventurous customers to see how it holds up, and then see whether one of the Symantec business units is interested in adopting it.
Occasionally, one of the other research teams will transfer its projects to the advanced concepts group to get it customer-ready. One of the first products to emerge from this process is the company's forthcoming database security and auditing tool, an appliance-based offering that will hit the market in the next few months. The core research team created the technology and transferred it to advanced concepts, which got it into the hands of a few customers for evaluation.
The tool, Symantec Database Security, is essentially an out-of-band network sniffer that looks at a copy of the traffic going to and from the database. Like other similar tools, it has a learning mode in which it observes typical database traffic and learns which queries should be considered legitimate. It can then flag potentially malicious or abnormal database queries for follow-up. It also has a feature Trilling calls "extrusion detection" that can send up alerts whenever potentially sensitive data leaves the network. The first version will not be able to block malicious queries, however.
Although several vendors, including Lumigent Technologies and Tizor Systems, have had database security and auditing tools on the market for years, Thompson believes that building such technology in-house instead of going down the acquisition path has benefits for Symantec.
"[The research group] knew that no one was focused on that particular problem area and took a few of the technologies we had that were focused on the inside threat. The group said, 'Is there something we could do that would move our technology closer to where the data is being managed that would allow us to deliver better protection?'" says Thompson. "They came up with this idea, they prototyped it, they worked with some customers, and it's worked its way through the cycle and will become a part of a business unit. It's transferred from the research lab to the business unit, and they sustain it in the marketplace as part of the broader enterprise security strategy."
CareGroup Healthcare System, a Boston-based management company that runs three hospitals in the city, has been testing Database Security since its alpha phase, and administrators at the company are pleased with its simplicity and effectiveness. Thanks to HIPAA, the auditing and security requirements have multiplied exponentially in recent years, and Ayad Shammout, lead technical database administrator at CareGroup, was making do with a patchwork of native database tools and custom scripts he and his team had written over the years.
"We're trying to get to the point of maximizing security and availability without adding any overhead to the system. The big advantage [of Database Security] is that it runs in passive mode, so I don't have to worry if we add another server. It's automatically protected," Shammout says. "We've set up a custom policy that alerts us when someone queries a particular column or field with patient data in it, so we can go back and see who did that and when. It's very simple. You don't have to be a security expert."
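The learning mode described above and the column-watch policy Shammout mentions can be sketched as follows. This is an added illustration, not Symantec's code: the traffic, the user names, the `WATCHED_COLUMNS` policy and every function name are constructed assumptions, and like the first product version it only flags queries and never blocks them.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (database user, SQL text) pairs, as a passive
# sensor might reassemble them from a mirrored copy of the database traffic.
LEARNING_TRAFFIC = [
    ("app_sched", "SELECT appt_id, room FROM appointments WHERE appt_date = '2006-09-01'"),
    ("app_sched", "SELECT appt_id, room FROM appointments WHERE appt_date = '2006-09-02'"),
    ("app_bill", "UPDATE invoices SET paid = 1 WHERE invoice_id = 4411"),
]
LIVE_TRAFFIC = [
    ("app_sched", "SELECT appt_id, room FROM appointments WHERE appt_date = '2006-10-15'"),
    ("app_sched", "SELECT appt_id, room FROM appointments"),
    ("app_bill", "SELECT name, ssn FROM patients WHERE patient_id = 77"),
    ("app_bill", "UPDATE invoices SET paid = 0 WHERE invoice_id = 9"),
]

# Hypothetical policy: columns whose appearance in any query raises an alert.
WATCHED_COLUMNS = {"ssn", "diagnosis"}


def fingerprint(sql):
    """Reduce a statement to its structure so literal values do not matter."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals, '' escapes
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()


def learn(traffic):
    """Learning mode: record which query structures each user normally sends."""
    baseline = defaultdict(set)
    for user, sql in traffic:
        baseline[user].add(fingerprint(sql))
    return dict(baseline)


def inspect(baseline, user, sql):
    """Detection mode: return alert labels for one observed statement."""
    alerts = []
    fp = fingerprint(sql)
    if fp not in baseline.get(user, set()):
        alerts.append("unlearned-query")
    # Column policy is checked on every query, learned or not.
    tokens = set(re.findall(r"[a-z_][a-z0-9_]*", fp))
    hits = sorted(tokens & WATCHED_COLUMNS)
    if hits:
        alerts.append("watched-column:" + ",".join(hits))
    return alerts


def run_sensor(baseline, traffic):
    """Return (user, sql, alerts) for every statement that raised an alert."""
    return [(u, s, a) for u, s in traffic if (a := inspect(baseline, u, s))]


if __name__ == "__main__":
    baseline = learn(LEARNING_TRAFFIC)
    for user, sql, alerts in run_sensor(baseline, LIVE_TRAFFIC):
        print(user, alerts, sql)
```

Because the baseline is kept per user, a statement that is routine for one account is still flagged when another account sends it.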
A Billion-Dollar Opportunity
Among Thompson's top lieutenants, Jeremy Burton is an anomaly. Most of Symantec's senior executives have been with the company for years; Burton came over as part of the Veritas acquisition. But he has quickly established himself as an integral part of the senior management and is the man mainly responsible for running what used to be the Veritas business. Integrating the company's data management, backup and storage business into Big Yellow has taken quite a bit of doing, but Burton and, more importantly, Thompson are satisfied with the results thus far.
Many observers, industry analysts and customers expected Symantec to integrate Veritas into the company in the literal sense, by actually combining products and technologies. However, that has not been—and likely will not be—the case for the most part. Instead, the company is working to bring together disparate approaches to problem-solving and product development, and is looking to apply various technologies to customer problems, whether they be security, storage or somewhere in the middle.
The common thread running through many of the initiatives is Symantec's focus on securing and managing the terabytes of unstructured data enterprises have sitting around in applications such as email and instant messaging. Burton, group president of the enterprise security and data management group, believes such data represents an enormous risk to enterprises, and also a huge opportunity for whoever can help them organize and protect it.
"The risk that exists in data stored on file systems and email is huge," Burton says. "There's a billion-dollar opportunity in building applications to go against unstructured data. You have to look at the data in real time and historical context, and understand the risk."
Seth Shestack, acting CISO at Temple University in Philadelphia, has the same concerns Burton does about the relative insecurity of tools like IM. Temple, like most universities, has several different networks—academic and research among them—and each has its own security and openness requirements.
"I would say it's impossible to protect everything, overall," Shestack says. "We use the island concept and protect each one individually. But we have things like IM that we have to allow because there's so much demand for it. I'm really looking at the IM security problem. We don't manage IM, and that's not something I'm comfortable with.
"I'm interested in what we can do about that with IMlogic [which Symantec acquired this year]. Where these things fit together—integrated support from them—is great. It's a time- and money-saver."
"That's one of Symantec's strengths," Shestack says. "But it's another thing to fully integrate the products and merge the technologies."
One outgrowth of Symantec's effort to protect data in transit is a project aimed at developing an application that inspects HTTP traffic and identifies sensitive data or files leaving an organization. The project is still in the research phase, but Burton is optimistic about its future.
Also on the horizon is an increased emphasis on managed security and availability services. Both Thompson and Burton pointed to managed services as a key area of both investment and potential revenue growth for the company in the coming year. Symantec currently has a handful of managed security services, but as the costs of running data centers continue to shoot upward, executives expect many more companies to look for ways to reduce those costs by handing off some of the management duties to outside vendors. Burton points to online backup, antivirus, antispam and remote access as key areas where Symantec has an opportunity to make a serious dent.
"Delivering managed services for SMBs is going to be a big thing for us next year," Burton says. "We can probably do a better job of protecting data and do it at a lower cost than they can. We will have a following wind on the economics of this. The costs of storage and bandwidth are dropping, and it could be a billion-dollar business in the future."