Feeling secure? Not John Thompson

Symantec's CEO articulates his concerns about the state of cybersecurity and the things that still aren't getting done.

Robert Lemos Staff Writer, CNET News.com
CEO John Thompson has succeeded in transforming Symantec from a seller of PC utilities for the consumer market into a major player in enterprise security software.

But for all his accomplishments, the preternaturally upbeat executive says he's not feeling too secure these days.

While many companies--and some government agencies--have done much to secure themselves against hacker attacks, many parts of the Internet remain vulnerable.

Government officials, chief executives and consumers need to do more when it comes to securing themselves, and security policy is still lagging behind the threats, says Thompson, who is also a member of the National Infrastructure Advisory Committee. He was appointed to the panel by President Bush in 2002.

In addition to pushing his company's focus further toward enterprise security software, Thompson is looking to expand Symantec's consulting and services business, which today is a small part of the company's overall revenue--"a pimple on an elephant's butt," according to the CEO.

The former IBM software executive sat down with CNET News.com recently to talk about his corporate strategy and his views on cybersecurity.

There's been criticism of the United States for adopting guidelines for Internet security, as opposed to regulations. How do you rate U.S. policy?
I think there were a number of important tenets that were brought out in the National Strategy to Secure Cyberspace. One of them was that the government itself would become a role model for the implementation of security. That's not happening. Another was that we would focus on some investment in advanced research and development, and hope to create awareness programs.

It's just not happening fast enough, or not enough money is being funded at the top, from a government point of view, on advanced R&D. I think there is greater awareness within government, because it has certainly focused on FISMA (the Federal Information Security Management Act).

The government has focused on grading agencies on how well they have done (in reference) to a rather simple set of metrics. The grades are not very good, but it's not been translated yet into a lot of tangible action, unfortunately. On the public-policy front, I think there have been a number of initiatives that have met with mixed results.

On the policy side, do you think the industry has done enough?
I think if I was fair, I'd say the government has not done enough, and it would be equally fair to say the private sector has not done enough, either. More C-level officers and corporations need to come to realize how important it is to protect their critical digital assets--and what to do about it. It needs to become at least a discussion, occasionally, at the senior management level, if not the board level, at companies.

Many people have criticized the Can-Spam Act as ineffectual, but isn't it true that it takes a while for such legislation to work its way into the toolbox of law enforcement officials and prosecutors?
What's the value of Can-Spam as a legislative initiative? Its value, simply put, is twofold. It makes more sense to have one law than 50, so you don't have the world chasing the uniqueness of the implementation of 50 states. You have one national law that is the superset, if you will, that everyone has to conform to. When it's all said and done, it puts a public spotlight on the issue for individuals who would engage in illegal activity.

But when you think about spam as a global phenomenon, I don't know how you stop spam in the United States alone. I think it needs to be an initiative that, at a minimum, the G8 (countries) take seriously and come up with some uniform set of laws and rules and conventions by which we are going to manage the problem on a global basis, not just inside the states.

What do you think about the sender verification technologies that Microsoft and America Online have proposed? Do you think that they will help reduce spam?
Well, clearly the notion of a trusted sender is a good idea. That makes an awful lot of sense. The question is: How long will it take for something like that to evolve? Historically, Microsoft and AOL haven't been able to agree on much. So maybe they will bury their differences and agree on a set of standards that do make some sense.

Many companies have railed against the Sarbanes-Oxley Act (which requires top corporate officers to sign off on their financial information) as legislation that's increasing expenses. However, it seems like the accounting firms, which are hired to audit their systems, are saying, "Hey, we are not going to sign off on your systems unless you have certain security in place." So for a lot of boards, Sarbanes-Oxley becomes a major reason for the firms to adopt better security. Are you hearing that from your customers?
Customers who have for a long time invested in intrusion sensors, firewalls and antivirus agents, among other security technologies, have finally stepped back from that implementation and realized, "You know something? I don't have a set of policies that work."

There is more discussion between us and them today on policy compliance and security infrastructure management--"How do I manage what I have created?"--which gets back to the rigor that is being driven by things like Sarbanes-Oxley.

The reality is that that's what's driving policy management, policy compliance and infrastructure management activity around our business. It is the realization that "I have deployed all of this security stuff, and I don't have a way to determine just how secure I really am. Every one of these point products that I have deployed over the last five years does its own job in its own little sliver of the domain, but they don't communicate very well."

Where does Symantec see its future growth?
Last year, we probably generated close to $1 billion in revenue from selling security-related software to small businesses and consumers. But the real growth opportunity for us is solving a related problem for midsize and large enterprises. And that involves management of the IT infrastructure, a process of which security is a component.

When did you come to that conclusion?
We came to that realization post-MSBlast. Our DeepSight database and our security management capabilities allowed us to observe what was going on, yet we couldn't tell customers what operational actions they should take at that very instant to mitigate the risk of an outage or attack. As a result, we went about the task of acquiring a set of assets that would help with not just securing the infrastructure, but also managing the process of ensuring that the infrastructure is secure.

How far along are you in making that transition?
My sense is that we are making terrific progress. Our enterprise business grew 24 percent last year. And while it pales in comparison to the wild growth in the consumer space, show me another enterprise software company that in calendar year 2003 grew 24 percent. But we've got a lot more to do, in terms of continuing to expand our product portfolio. That's partly why we acquired Brightmail.

How much consulting business do you do in helping companies establish a security policy?
Financial services institutions are highly regulated. They are very, very concerned about issues around security, because the regulations drive them there. Hence, they have much more rigor around the policy development activities and the policy compliance activities that go on in their environment.

So you probably won't get much consulting business from that sector. From where, then?
If you move to health care, another very highly regulated vertical, it doesn't have the same degree of sophistication or, quite frankly, the same strength in IT spending or skills. Our consulting organization is going to be much more effective in that environment, as opposed to financial services.

You will see us continue to make investments in expanding both our capability in the consulting and integration services phase, as well as our capacity. Those are two very different but very important complementary functions.

Capacity--meaning your actual technology?
No. Capacity meaning how many people we have to do the work; capability being what skills they bring to our company for the kind of work to be done. Today, we can consult with customers on security policy development. We can do penetration tests. We can do a range of things that are fairly narrow. If we could expand our capabilities to include how to ensure greater depth in understanding of the issues around compliance with pharmaceutical industry standards for security and asset protection--that kind of capability we don't have in our company today. If we did, that would incrementally add to the opportunities out there.

Do you have any sense how much your consulting business will (contribute to) your overall revenue pie?
It's a pimple on an elephant's butt for us, let us be clear. Let's put it in the proper context. Our forecast is to be a $2.3 billion company this year. Consulting and services, in the broadest context, will make up 2 percent of revenue. So unless we do something to change the capability and capacity of our company substantially, it's still going to be a fairly small component.

Where would you want it to be?
If you look at the map--where spending will occur in the security space--for every $1 of revenue spent on hardware and software, customers will spend $2 to $3 on services to implement or support.

What is the single biggest problem that faces builders of security software today?
Not enough customers who have the knowledge to implement the software that we can build. If we go open the Silicon Valley papers or go to some job Web site, the most in-demand professional today in the IT industry is the security practitioner. Bar none. They are highly sought-after compared to a database administrator, compared to a project manager--you pick it. There are some 50,000 to 70,000 open jobs in the states alone.