
Cybersecurity's changing face

Symantec CEO John Thompson says the rapid evolution of cyberattacks is forcing a new calculus of considerations among customers as well as software security providers.

Robert Lemos, Staff Writer, CNET News.com. Robert Lemos covers viruses, worms and other security threats.
These days, computer security sells itself. But that isn't stopping John W. Thompson, chairman and CEO of security software maker Symantec, from doing whatever he can to nudge the issue even higher up the corporate priority list.

Even before Sept. 11, these were especially hectic times for Thompson, a charismatic executive who joined Symantec after 28 years at IBM. During his tenure at Big Blue, Thompson earned a reputation as an unflagging salesman. He was so good, in fact, that Lou Gerstner handed him the unenviable task of promoting OS/2 even when it was clear that IBM's operating system was losing the war against Microsoft Windows. Thompson was unable to stem the tide, but he made it awfully interesting for a while.

Since taking the helm at Symantec in April 1999, Thompson has carried out his own push to convert the company from a developer of desktop PC utilities into a major contender in the security software and appliance market. Wall Street likes what it's seeing. Analysts expect Symantec to reach $1 billion in revenue this year. Meanwhile, the stock is trading near its 52-week high--and this during one of the worst bear markets in the history of the technology industry.

But now that computer security has been elevated to near the top of the national agenda, Thompson is making the most of the opportunity. Arguing that the country is at a security crossroads, he says the United States must lock down its critical systems. What's more, he urges the creation of a Smokey-the-Bear-like campaign to educate people about security issues.

CNET News.com recently spoke with Thompson in his offices in Cupertino, Calif., about Symantec's latest initiatives to simplify security and about his promotion of an Internet safety campaign.

Q: What do you think is the largest issue today for the security industry?
A: What I think is going on today is that the growing complexity and frequency of the threats are driving customers--and, quite frankly, suppliers and vendors in this space--absolutely bonkers. Just keeping up is becoming a challenge for many of our customers.

So has the evolution of the threats made it that much harder to maintain the pace?
If you assume for a moment a continued doubling, you reach the point where there are not enough people in the world to handle the number of vulnerabilities or threats that (can hit) a network. The numbers are fairly staggering...and customers not only don't have a plan at this point in time to handle that volume, they don't even have the skills to build a plan to be able to handle that volume.

When you consider the large jump in threats, are we looking at a real jump or just a jump in minor variants of the same threats that we already know how to deal with?
The number is less important in my mind than the complexity...The original viruses were simple things; they hit your desktop, and they caused your screen to flash. Over the last few years, while the rate has been increasing, the complexity has been on an even steeper slope, starting with Love Bug followed by Melissa.

How has the recurring need for information about threats affected the way you run the business?
The single biggest investment that we will make this year on the development side of our business is in what we call response, which is the ability to keep our customers informed of threats that we see and to make sure our products are responding in a manner that delivers the level of protection our customers expect of us. So, if we were to grow development spending by, say, 10 percent this year, more than a fair share of that would be directed toward response infrastructure investments as opposed to, say, building a new product.

It is interesting that you talk about response that way. It's like the saying about war: "Endless stretches of boredom punctuated by a few moments of panic."
When one of these things hits the network, (we) have somewhere between four and six hours to not only detect it, but solve it and get it propagated to hundreds of millions of machines around the world. And (our people) run around with their hair on fire for that four- to six-hour period of time. It's kind of like the art of combat.

Do you still need to explain to customers why they need to keep up their security, or is that something which is understood by now?
I think it is becoming more understood. More often than not, the problem with the security environment for a lot of companies is not whether they have the technology. It's whether they have employed the discipline to keep their virus definitions up to date, to constantly assess the vulnerabilities of their servers or systems, to make sure they apply the latest patches to a given set of operating systems or applications. And it's that discipline that seems to break down that allows vulnerable systems to become victims of a hacker attack or a denial-of-service attack or even a simple virus.

So, what you are saying is that we don't have enough people trained in security?
There are not enough security professionals in the world. I mean, this country produced less than 25 Ph.D.s in the last three years in computer security...We just don't have enough.

Are companies doing enough about the problem?
Customers will have to start thinking about security as they are thinking about new applications. You have to have that as a part of the business plan when you start out. If I'm going to create a new link to my supply chain, how do I make sure that it's a secure link? And how do I make sure that I let people in that I want in and keep out people that I want to keep out?

Are companies and their execs more worried about security since Sept. 11?
I don't know that worried would be a fair term. The awareness level is certainly higher now. But I don't see people running around throwing dollars at the security market because they are worried. What we have got is C-level executives asking more questions. And as we have more high-profile breaches to networks occur, it begs the question, Well, what are we doing?

Every time that we have a major virus incident, it seems like someone writes an article about whether the user is to blame. Can we educate these people? Can we educate the executives?
I have been an advocate of the concept of a national awareness campaign on safe computing. I'm happy to see that Richard Clarke (the adviser to the president on cybersecurity matters) and several companies in the industry have come together on that theme, and there is now a big campaign under way on computer security to raise the awareness of the simple things that people can do to protect themselves. Many of the problems today are not because of technology or lack thereof. They are human error...The technologies are there, but we have not raised high enough the conscious level of the public to go do something about it.

Does the nation really need to spend money telling people to upgrade their virus definitions? That helps companies like Symantec, but is it really the answer?
I'm an old guy--old enough to remember Smokey the Bear campaigns. We had this huge problem in our country, where in the summertime, because we were a smoking nation, people would ride along, and they would flip their cigarettes out the car windows and...boom! Before too long, you would have a huge forest fire. So the Smokey the Bear campaign raised the consciousness of the country to, "Gee that's a bad thing; you have to be careful."

When we see a problem in the environment, in the past we have reacted. So the question for us as a country is whether we think the problem of the damage in productivity and the damage to the network is big enough that we should react. Nimda cost $3 billion. Code Red cost $2.5 billion. There is purported to be somewhere in the range of $12 billion to $13 billion in damage from malicious attacks last year alone. Well, is that enough for us to now say, Maybe we should have some public safety campaigns about safe computing?

But if someone doesn't care about security, should we force them to care?
I don't think regulations solve this problem. The fact that a virus got on the network and bothers your and my personal machine doesn't undermine the economic might of our country. It is a nuisance, but it doesn't bring down the U.S. economy. And so solve the problem where the biggest impact lies--in the corporate world, where the real critical assets, the economic might of our country, are invested.

People have questioned the numbers that you used for damages. Is the threat really that dire?
Even if you cut them in half and it wasn't $13 billion, it was $6.5 billion. That's still a lot of money. It is a known fact that the number of vulnerabilities doubled from 2000 to 2001. Let's go solve that problem.

Most companies' security departments are shorthanded--if they exist at all. Do you see that as a problem? Perhaps the problem isn't that we need to be spending more money on security but that we need to make security easier to manage.
Well, now you are on my theme. That's what customers are screaming for. If I have 100 PCs in an organization, and I don't want to have to have two or three people dedicated to the security of those PCs, that doesn't make any sense. So give me the most secure solution you can that minimizes and mitigates the complexity and cost of that solution.

So do you think server-side software is on its way out and security products will come in easy-to-use appliances?
Market research would suggest that appliances are going to take on an ever-increasingly important role in a security environment because they bring a level of simplicity to the problem.

Several companies are getting into managed security. Symantec has said that it intends to stay out of the services business. Are you going to let partners do those security services?
What we have said is that integration services are not our business. What we would rather have is our partner networks build those integration services around our products...Many customers or some customers will reach a point where they don't want to buy a software product; they will want to buy a secure environment. And what that means is that they will turn to Symantec and say, "Look, I don't know what I don't know, and I don't know what I don't need, and I don't know what I need. Why don't you come in, analyze my environment, pick the products I need, and then manage the whole thing." Boy, I'd love to get a few more like that.

Doesn't that put Symantec in the insurance business? That is, won't companies want some level of assurance that Symantec will do the job right? They want to hold someone liable or at least have a service-level agreement.
I don't know about the liability, but you have a service-level agreement, that's for sure. We are never going to position this company where it is liable for a breach of a network, unless we are negligent.

Won't companies want that assurance though? Others have partnered with insurance companies. Will you?
I don't think so. If an insurance company wanted to work with us, we would be open to the discussion. But that's after the problem has occurred. We'd rather work on the real problem which is preventing it from being an exposure, not how do you get paid for the damages after a breach has occurred. We are not in that business.

Security start-ups seem to be doing really well right now. Most have no trouble getting money from venture capitalists. Are you worried about the competition? Or do you think there is some sort of secondary bubble going on here in the security market?
Oh, we must see a couple hundred business plans a month. In challenging economic times, people turn to trusted brands and financially strong companies to do business with...The value that many start-ups bring to the table is that they are able to innovate out of the public eye, out of the public-equity eye. And Symantec has had a long, long history of being a good incubator for companies who have already innovated something and then they want to scale it. So I welcome companies to the fray, particularly if they are going to create innovative things and they might see Symantec as a logical partner to help them scale as they get ready to go to market.

You have a lot of competitors: Network Associates, Check Point, Cisco. Now Microsoft seems to be looking at the security business. Are you concerned?
No. I think there are lots of very well-capitalized companies that have a renewed interest or a new interest in the security space. There are lots of companies that--now that they have seen the light--might want to invest more of their financial capital and human capital in addressing security threats and exposures. That's just the nature of the IT industry.

This year, we will be over a billion dollars in size. And of the security companies out there, we will be better than most. We will compete with the little guys and the big guys. I have never run from a fight in 53 years.

OK. We seem to be going two ways with security. One is locking down devices, reducing functionality that might be dangerous to the point where a device is arguably secure. The other way is to put layers and layers of security around a computer or network and then manage the security. Do you think that one way will become the way to do it?
Yeah. The thing that we do know is that security is a process; it's not about a product. It is about a process of applying best practices appropriately for a device or a network. There is no way to prescribe the best answer for an entire network. You have to go in and analyze the assets that are on that network, analyze the risk that might be associated with the loss of those assets and the consequences of that loss, and then prescribe which of those alternatives make most sense. But on top of that, it is the iteration of, "I looked at it last month. I now need to relook at it to make sure that what I perceived then still holds true." And that's where most security processes break down. We forget to iterate.