Beware the Microsoft 'monoculture'

Symantec CEO John Thompson discusses Microsoft's entry into the security space, the Veritas merger and Symantec's future.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
8 min read
Without diversity in security software for Windows, computers running the Microsoft operating system will be sitting ducks, Symantec CEO John Thompson warns.

Ever since Microsoft in 2003 announced it would offer antivirus products, Thompson has been asked how Symantec will respond. Microsoft is going after consumers with its Windows Live OneCare security package, slated for U.S. release next month, and is targeting businesses with its Microsoft Client Protection suite, expected by year's end.

Symantec will beat Microsoft by building better products and taking advantage of its security reputation, Thompson has said repeatedly. On Wednesday, while speaking at a Gartner event, he added that mass adoption of Microsoft's security tools could have an adverse affect on security.

"If all of a sudden the whole world uses the monoculture of Microsoft and the monoculture of Microsoft security capability, I am not sure we would create a more secure world," Thompson said. "Diversity in the security platforms supplied on top (of Windows), we think is of great value in protecting that infrastructure."

After his talk at the Gartner event, Thompson sat down with CNET News.com to discuss Microsoft, Symantec's integration of Veritas Software and move to a more enterprise-focused vendor, as well as the future of Symantec and Thompson's own role at the company.

Q: You've said that Microsoft should make its products more secure, but that it would be dangerous if the world relied on Microsoft's upcoming security software. Would it become a major target?
Thompson: Look at what's happened in the Windows world. Hackers have decided that there is a very large, target-rich environment here. If all of a sudden now the infrastructure that is being attacked also becomes the common infrastructure for securing the environment and the attackers decide to attack that too, what does that say for computer users around the world who have embraced this monoculture?

I would argue the world is safer when you have diversity, not when you have a monoculture that is common that when one exploit is delivered, it can literally wipe out millions of machines around the world. Hence, we believe the world is safer with us and other security vendors adding capability on top of the Windows platform.

Microsoft should do more to protect Windows. They can and should protect the kernel of Windows, make it less vulnerable, and respond more quickly to vulnerabilities. They are doing a better job, but to suggest to the world that they are going to deliver all the security, we don't think that?s appropriate.

John Thompson videos

Video: Why Symantec will prevail
CEO John Thompson speaks about software and more with CNET News.com.

People always ask how you will counter Microsoft's upcoming entry into the security space. You've said that you'll beat them with your reputation and innovation. How are you going to out-innovate a company that has over $6 billion in R&D spending, more than your annual revenue?
Thompson: Microsoft spends its $6 billion on a wide array of things. They have a large R&D budget; it is spread very thin across a lot of initiatives. I would be willing to bet that the amount of money they spend on security is not nearly as significant as what we spend, because we're much more focused.

Another part of Microsoft's muscle, besides its R&D budget, is its marketing engine. It has got a big marketing budget and is going to go out there and market its new security offerings. How are you going to respond to that?
Thompson: When Microsoft does enter the market and has their aggressive marketing campaign, the whole world will benefit from that. It will start to create a level of awareness that, quite frankly, must occur.

We protect more people from more online threats than anyone else in the world, bar none. So there is a reputation value that we will certainly trade on as we think about our marketing activities and marketing campaigns over the course of the next year or so.

You don't take a company like Symantec through such a significant transformation without there being some challenges or pains.

Do you feel you have to ramp up your marketing?
Thompson: Certainly, there is no question about that. You can't have Microsoft essentially take all of the oxygen out of the air with their marketing campaign. So we have to have our own point of view that we bring to the market that stresses the history and longevity of Symantec in this space and leverages the more than 50 million users of our security products, leverages the fact that we have shipped more than 200 million copies of our antivirus product around the world.

There are wonderful statements that we can make about not only our pre-existing results in the marketplace, but the future of what we will deliver as the networked world continues to evolve.

Traditionally, Symantec has been a consumer-focused company. That has changed with the acquisition of Veritas. Was that in anticipation of more competition on the consumer side of your business?
Thompson: Not per se. It was all about our desire that dates back to my arrival at Symantec seven years ago to remix our books of business, having it mirror the market. In the world of software, two-thirds to three-quarters of all spending is done by large corporate and government buyers and the remainder is done by consumers and small businesses.

Click here to Play

Video: Symantec's relevance in a Microsoft world
Diversity is key to a secure infrastructure, Thompson says at a Gartner event.

If you are disproportionately weighed to one segment of the market versus the other, you have the opportunity to do very well or very poorly. If you were more evenly distributed, you have an opportunity to handle the ups and downs much better.

Becoming an enterprise-focused company hasn't been easy. Last week, you acknowledged that there is some trouble with customer support for a former Veritas product. Are these just teething problems?
Thompson: That issue is specific to a brand-new product, one Veritas acquired just before our acquisition of Veritas. It was a small company that built a market-leading product for e-mail archiving. Once we put it into the larger Veritas and Symantec sales force, sales took off. Sales grew faster than our ability to scale up and train up our support organization. We have had a few issues in some markets. Those will be addressed.

That has nothing to do with bringing Symantec and Veritas together. It is unique and specific to one product area that has had phenomenal success in the marketplace. I'd love to have that problem a few times more, quite frankly.

So you would say that becoming more of an enterprise-focused company hasn't been hard for you?
Thompson: You don't take a company like Symantec through such a significant transformation without there being some challenges or pains. Seven years ago, we were a $632 million, consumer-focused company. Today we're a $5 billion, fourth-largest software company in the world, with a very diverse product set with leadership capabilities in all of the segments that we play in. I think that has been a pretty remarkable transformation for this company.

At the Gartner event on Wednesday, Symantec customers were asked if they see synergies between Symantec and Veritas. There was only one. Did that shock you or worry you?
Thompson: I was quite surprised. Since we closed the transaction in July of 2005, I have spent a considerable amount of time on the road with customers, talking about the Symantec-Veritas merger. While it certainly caught people by surprise in late 2004 and early 2005, as time has gone on, customers have started to say, "Gee I can see the relevance of bringing these things together."

So such a muted response surprised me. We have to execute to be vindicated. I am not concerned about that. I think the strategic intent of our company is spot on with where the markets are going. It may take some people time to catch up with our thinking, but that's OK; we're patient.

Where do you see prices for security products headed?
Thompson: It is clear that as markets mature, prices weaken. And clearly certain segments of the security market, not all, are starting to mature. We talked two or three quarters ago about weakness in price in our core antivirus business. Interestingly, it would appear that during the most recent quarter, prices there have stabilized.

Now, as Microsoft enters the market, it will be interesting to see what the price dynamics become. Microsoft has a formidable franchise in Windows, and they have a formidable marketing capability. I am sure that they will use both of those in an effective way. As long as they are fair, we believe they can compete and win.

You have talked about playing fair before and that you won't go "whine" to the regulators or sue Microsoft. Is there a certain line that Microsoft should not cross that might change your mind?
Thompson: We haven't done some magic, game-theory approach that says if Microsoft does this, we're going to do that. We're worried about running our business in the best way we know how to. Obviously we have one eye on the market and another eye on all of the competitors in the market, and Microsoft is one of them.

I'd rather compete with Microsoft's products than with Microsoft's PR. All we have been doing for the last two or three years is competing with their communications machine. Once they get a product in the market, we'll see just how good they are and we are.

Where do you see Symantec and yourself five years from now?
Thompson: I could envision Symantec being twice the size, a software company that is $10 billion in scale, 30,000 employees around the world, 8,000 people in engineering, a large percentage of that staff globally distributed, a sales and marketing engine, and a powerful brand that is recognized as one of the true leaders in the tech industry.

As far as I am concerned, I love what I am doing. I am having a wonderful time. We've got a great team of young executives that work with me, and hopefully we will all still be here together five years from now.

And your flagship products then will be?
Thompson: I don't think you will see us stray too far from the core roots of protection--protecting the infrastructure, protecting the information, and increasingly protecting the interactions individuals and enterprises have as they operate in the digital world.