Time to make security software a lot easier

SAN JOSE, Calif.--Internet security should be like a utility, according to Risto Siilasmaa.

Complex security software that people need to buy in a store or online, then install and manage, should be replaced with a simple shield delivered nearly invisibly with an Internet access account, argues Siilasmaa, the CEO of F-Secure.

The small Finnish security company--it recorded 61.8 million euros in revenue last year--specializes in security as a service. In Europe, it leads the market and provides security software to just over one-third of all broadband Internet users there, Siilasmaa said. That's twice as many as Symantec, the runner-up and the world's largest antivirus company, he noted.

Another of F-Secure's hobbyhorses is mobile phone security. The company was one of the first to sell security software for cellular handsets. That's not a coincidence: Nokia, the world's biggest cell phone maker, is also Finnish. But the threat to mobile phones may have been hyped a bit, Siilasmaa admits.

On a recent visit to F-Secure's U.S. headquarters here, Siilasmaa sat down with CNET News.com's Joris Evers.

Q: People might know the F-Secure name, but they might not know who you are or what it is that you do.
Risto Siilasmaa: F-Secure is an Internet security company, focused around transforming security from a product into a service and working with different types of service providers to significantly improve the convenience of using security.

A Harvard marketing professor said, 30 years back, that people don't want to buy quarter-inch drills; they want to buy quarter-inch holes. We'd like to transform security from the drill that people have to learn to use, to (their) actually being able to purchase the hole that they need.

So you want to make security something people don't have to think about, but is just there?
Siilasmaa: Yes, like water or electricity. It just comes from the wall.

We also believe that people should not have to be educated about what they cannot do online. We believe that technology should give them the freedom to try to do whatever they want. (But also,) the technology will prevent them from doing something or going somewhere they shouldn't go. That's convenience.

It's not convenient when you first have to figure out which product to buy, take it home, read the manual, install it and configure it. Then you buy a new game, and you have to reconfigure the firewall. It's not convenient, and security is becoming too important of an issue for it to be inconvenient.

How can you change that?
Siilasmaa: Security should be a process. It is based on software and hardware, obviously. You have to install something on your PC and your servers, but that should be enough.

In corporate environments, you need to have a level of management and you need to be able to outsource that management responsibility to a team of people that can actually do a better job than you can.

For example, 24/7 support is not available even in many Fortune 1000 companies. People can be called; but they are asleep, they are groggy after waking up, they have to go to a PC and then they have to log on, and then they have to see what's happening. And they may not be the security experts--they're just IT experts.

How does F-Secure stand out in the crowd of security companies?
Siilasmaa: There are obvious technical merits to what we do. But on the convenience side, we'd like people not to have to go to the store. We would like their service providers--the companies that they work with and trust and they have an ongoing billing relationship with--to provide them with an easy way?to subscribe to a security solution that is more than just the software. In that space we are the market leader, and that's what we're really focused on.

Competitors such as McAfee have a similar focus. McAfee has a deal with AOL to deliver security software free to its customers, for example. Is your strategy different?
Siilasmaa: McAfee has started to do a little bit of the same thing that we have done for the last six or seven years. Still, largely, for both McAfee and Symantec, their revenue comes from selling licenses, and the subscription business is a tiny fraction. It's a marketing tool for them. They give away free software, and they hope those users will upgrade from plain antivirus to a suite.

What's the key difference between getting security software from a store and getting it from a service provider for the consumer?
Siilasmaa: The service provider business means that your ISP will offer you a security solution that they can continuously adapt to the requirements of their customers, through what we call "profiles."

For example, online gamers could be a profile, and the ISP can change the configuration behind the online gamer profile. When (you're playing) "World of Warcraft," and you need to open a particular port on the firewall to enable that game to work properly, the ISP can do that. You just find, when you install the product, that it works, and you don't even know that somebody has changed this online gaming profile.

Who pays you the cost of the security software?
Siilasmaa: The ISP is our partner and our customer. The ISP may finance it by charging their customers, or they may bundle the security service into their broadband access.

You believe that's the way of the future, instead of retail?
Siilasmaa: Well, all the customer surveys we have done--very conclusively and with a high margin--prove that the people who buy security from the service provider feel it's significantly more convenient and easier for them on an ongoing basis.

Another area F-Secure likes to talk about is the threat to mobile phones. Is this a real threat, or is this hype?
Siilasmaa: Probably a bit of both, in the sense that it's so difficult to communicate exactly what the level of threat is. There has been mobile malware for a little bit over two years. The number of different viruses is over 300 today--a significantly faster growth than we saw on the PC side in the early days.

All the virus samples we get come from either mobile operators or mobile device manufacturers. So, basically all the samples--with the possible exception of less than five--have actually been in the wild.

Almost all of these viruses are for Symbian operating systems. When you have a Symbian device, you are vulnerable if you allow the malware to be installed. It will typically arrive in an MMS message or over a Bluetooth connection, at which time you see a message asking you to approve the download and installation of the application.

Do you own a Symbian phone?
Siilasmaa: Sure, and I have never received a virus.

Is mobile antivirus the next big business opportunity?
Siilasmaa: We believe that it's an important platform.

Microsoft is stirring up the security industry. It's launched OneCare in the U.S., it's going to launch it in Europe and it'll have enterprise products as well. Does that concern you at all, or are you basically saying, "Bring it on!"
Siilasmaa: We obviously say, "Bring it on." At the same time, we are naturally concerned about pricing. If Microsoft starts to offer their solutions at significantly reduced prices to gain market share, and then raises prices again after a few years, that obviously is a business issue all the companies have to tackle. Otherwise, Microsoft is a welcome addition, and even if they achieve a significant market share, they won't be as big as Symantec is today.

So you've seen how they entered the U.S. market--$50 (to cover) three PCs?
Siilasmaa: That's fine, it is a good business for everybody concerned.