For Symantec CEO Enrique Salem, the three critical issues facing IT leaders today -- and the three biggest opportunities for his 'information protection' company -- are cloud, virtualization, and the consumerization of technology. In this installment of the IDG Enterprise CEO Interview Series, InfoWorld Editor-in-Chief Eric Knorr and IDGE Chief Content Officer John Gallant caught up with Salem shortly after his RSA Conference keynote describing Symantec's cloud-focused security strategy, dubbed 03.
In this discussion, Salem outlines why 03 is such a critical initiative for the company, and discusses how cloud and virtualization change the security threat landscape and the business opportunities for Symantec. He also talks about why Symantec isn't overly concerned about Intel's purchase of McAfee and what it means for Symantec to be on its own in a market with competitors like Intel, IBM, Cisco Systems, and other giants. Salem also outlines what's ahead for Symantec's non-security businesses in storage and systems management, and how collaboration and social networking will change everything for organizations in the years ahead.
Q: What is 03 and why is it such a critical initiative for Symantec?
A: In computing, there are big transitions that happen every few years. We are in that next transition. I predict that the five years starting from 2010 to 2015 will have the most significant technological change that we've seen in the last 25 years. The reason I say that is that we are going to see a big move to the next generation of what I call distributed computing. Cloud computing to me is just the next generation of distributed computing; it is taking distributed computing one step further. I call it hyper-distributed computing.
What you don't want is different systems in IT for each of these different things. You don't want one system for your on-premises technologies, a different set [of tools] for mobile computing, another set of systems for dealing with cloud-based services. That is a nightmare. Also, IT is always trying to be more efficient with costs.
With 03 we said, 'Let's create a layer that can be an integration point for a number of things.' One, you need a policy engine that lets you set policies. What devices do I trust? What information can go on those devices? Should this user have access to that information? Then you need to have enforcement, something that actually says 'yes' or 'no' based on the policies. And then you need to have audit and governance that reports against what actually happened. As the ozone is the layer that protects the earth from the harmful rays of the sun, we believe you need something similar in business. The ozone is made up of three oxygen molecules. So that is O3, and we have three layers. We have a policy layer and an enforcement layer and then an audit or governance layer that can be used broadly across enterprise computing.
Q: Define how that works within the enterprise, but how it also ties in with cloud providers.
A: Take the following example. Today you have corporate legacy identities. Our goal is to have those same IDs, those same credentials now be used in the cloud. Our direction is to simplify a lot of things that you do today. IT can't afford more complexity.
Q: Is 03 something that has to be implemented at the service provider and in the enterprise in order to work?
A: No, our goal is it can be independent of the service provider. Now we expect some service providers will want to resell and integrate it themselves, but it won't be required. The model is VeriSign's security business, which we acquired. The way our VeriSign identity protection works is you go to a Web site, it checks whether you should have access. It goes back to our hosted authentication service, says you're a valid user and lets you go to the Web site. The idea is we'll be able to integrate the technology and the goal is not to have to modify what the cloud providers are doing.
Q: For enterprise customers, how does the movement to private cloud and use of public cloud change the security landscape?
A: These services are creating new opportunities for leaks and places where information can leave your organization. We call it the borderless enterprise. In a private cloud, you still control the services yourself but you build them in a shared service model. As soon as you go to the public cloud, you're now outside your four walls. You really need to understand what information is going where. Who are you going to trust? Our goal is to have a very information-centered view. When you go out to a public cloud service, you better really understand what you are putting in that cloud. You also need to have the right controls in place. Our goal is to help you in that transition.
Q: How does it change the business model for Symantec? Does it make the service provider a more likely customer for the future? And do you see more of your products moving to become cloud-based offerings versus packaged software?
A: We think about how to do two things: Deliver our services from the cloud, and that means take our capabilities and move them to the cloud. That is message filtering, data loss prevention, backup, recovery, encryption -- all as cloud-based services. We actually call that Symantec.cloud. So if you want to take any of those services that you are doing today on premise and you know that they are not core competencies, trust Symantec to do them.
The other thing is how do we help people build their clouds? Today, Symantec has got 60 petabytes of data backup. We've got seven billion messages filtered, 5 million IDs that we manage. Our goal is to help cloud providers, service providers, build out their capabilities so they can do this securely and cost effectively. We have integrated our end point protection technology into Amazon EC2. Folks like eBay are using our VeriSign identity protection. We are infusing our technology into these cloud providers. We'll deliver services to you as a customer and we'll also integrate with the cloud providers. From a business model perspective, I expect this to be much more of a subscription-based model, not buy a license and pay maintenance. More pay as you go.
Q: Let's talk in more depth about mobile. Do you think the mobile security thing is being overblown now? And what is Symantec's approach to mobile security?
A: Any device can have corporate information on it and you want to have some level of control over it. Today, more corporate information is on BlackBerrys It's starting to be on Android devices and iPhones and iPads, among other things. That means that they will become targets over time. You've got 1.4 billion PC's out there and those are the current target. As you get more critical mass on this range of new devices, they will become a target. It is really only a matter of time.
We think about this in a couple of ways. First, you've got to manage these devices. You want to know it's up to date, that it's current - the same sorts of things we did on the PC platform, including things like anti-malware. It's the mobile device management space and it is a very important space. But more important than that for me is how you control the information that is being put on the device. Today, this thing (he points to his iPhone) is a companion device. It's not my primary computer device yet. So what that means is I am going to synchronize information out to this thing. But what my corporation wants to do is make sure the stuff that I put on there isn't the source code of the company. You need to know how to protect [critical] information from being delivered onto that device.
Q: What about the other big trend corporations are dealing with, both in a positive and a negative way: Social networking? What things need to be approached differently in security because of social networking?
A: I am a huge believer that the way we collaborate needs to change. We have been in a very email-centric world, but it's not as effective as it once was. We are all overwhelmed with the amount of email we get on a given day. So we are big believers in the social enterprise. I had a customer who said [their company] created its own internal LinkedIn where people could find the appropriate subject-matter experts inside the corporation. They don't have to send six emails to find out who's the person who understands de-duplication at the company.
So, we are absolutely believers in this notion that collaboration will change. And many of the habits that people have in their day-to-day consumer life -- leveraging Facebook or Twitter or other types of social technologies like LinkedIn -- are going to be very relevant for how the enterprise works. The companies who don't embrace it will be at a competitive disadvantage. They will be less productive in my opinion.
What does it mean for security? Let's say you have engineers working on a collaborative tool, they are sharing information amongst people in the group. Well, they may put some intellectual property out to too wide an audience. Even if it's internal, that's a problem. Social networking creates the opportunity for a lot of corporate information to leave the organization. You have to have the right controls in place. Our job is to provide the enterprise with the tools to control what content is going to leave the organization to the public Internet. It is a combination of things. One is broader use of certain capabilities that we have, but we also have to apply them to the different tools, whatever their social platform is, SharePoint, Chatter [from Salesforce.com], etc. We've got to make sure we are integrating that capability. We work on all the Internet protocols, so we can always see the data in motion through any of those protocols. But they've got to use it in that area.
Q: What challenges do you see with Intel's purchase of MacAfee and what opportunities?
A: We had looked at all the scenarios. We've looked at HP buying them. We looked at Cisco buying them. We looked at Oracle buying them, or IBM. Intel wasn't on the list. Intel is a quality company and they know what they are doing. But this feels like a diversification play. It really feels like they were saying, 'Hey, we've got a core silicon business but we also want to do some other things and try to diversify our business'. So, quite frankly, for us that was probably the best place [McAfee] could have landed because [Intel] is not known as an enterprise software company. They sell to businesses through third parties, through OEMs, but not through their direct sales force. Oracle or HP have massive go-to-market capabilities. They are very different than Intel. So if there was a place for it to go, that was probably the best place for us. You took a focused security company and wrapped it in a $40 billion silicon company. There is no way it can have the same focus. Because when you sit around the executive table and you've got a $10 billion fab you are putting in, you're thinking about the $10 billion fab, [not security].
It creates an opportunity for Symantec to go into the marketplace and say we are a company that is the market leader in security, focused on security and here is all our innovation. You don't have to worry that we're going to wake up tomorrow and decide to be a game company. I think that message is resonating.
Customers do ask the question about what Intel can do in silicon and we tell them silicon is a great accelerator. You can enable many things in silicon. But having a complete solution, especially in security where there is so much change going on, you're not going to do that. Anything that they put into silicon will have to have open interfaces that they will have to allow third parties to use. I am not worried about that. Silicon moves way too slow. Think about the rev cycles in silicon versus what we do in software every day. Imagine that you want to protect against Stuxnet with a reputation-based system. It's going to take you three years with silicon.
Q: So you don't feel that is something that could fundamentally change the security game?
A: We take Intel very seriously. They are a big company, smart people. But we think it's a distraction and it causing some amount of disruption to the McAfee team.
Q: Is it something of an awkward position to now be the one remaining, big standalone security company?
A: No, it's a great position. This morning, I was on CNBC and they called me Mr. Security. That is a good thing, right? As a company you want to have an identity. You want people to know you for certain things and usually people know you for one or two things. When you think about Cisco, people think about networking, routing, maybe a little bit of telepresence now. You think about Oracle: Databases and apps. I don't think people are going to associate Intel with security. They're going to say Intel is a silicon company. They are going to say Symantec is into information protection. That is we do, we think about securing information, we think about managing information. Love that. I want to be that company.
Q: Recently in The Wall Street Journal a columnist was speculating about mergers he or she thought might be possibilities in the tech industry. One of those was HP buying Symantec. I know you won't tell us if you're going to be acquired, but it goes back to this issue of being a standalone security company and whether that makes you a target.