Interview: Symantec's John Thompson talks about big picture security

Security efforts to focus on processes first, then technology

In his first five years at the helm of Symantec, CEO and Chairman John W. Thompson has steered the company through a couple of major transformations including shifting its focus from selling consumer software to enterprise-class security software. What's more, he and his team did so at a time when almost every major software company was limping through the dot-com bubble burst and subsequent economic downturn. Under Thompson's charge Symantec doubled its revenues to over $1 billion.

What helped, of course, was that Symantec was in the right business at the right time, namely being the top dog in the anti-virus business during the post-9/11 period of escalating Internet viruses.

"I would have to say that while 9/11 was a monumental event for the world, it was a wake up call to the threat of terrorism in our country. But in and of itself it was not the catalyst for our business. Ironically on 9/18, just one week after that, the Nimda [virus] attack changed the world's perception of what computer attacks or worms were really going to be like," Thompson says.

Before joining Symantec, Thompson worked at IBM for 28 years where he held several senior-level executive sales and software positions, the last of which was as general manager of IBM Americas, a $37 billion organization responsible for supporting Big Blue's technology products and services.

As testimony to his growing influence in the industry, in September, 2002 President George W. Bush appointed Thompson to the National Infrastructure Advisory Committee (NIAC), which has the responsibility for making recommendations regarding the security of the infrastructure of the United States.

Thompson sat down with Editor At Large Ed Scannell to discuss a range of different concerns facing not just Symantec but the entire security software market, and possible solutions to some of those critical problems.

IW: What is the biggest issue the security industry is grappling with right now? And does that issue have more to do with technology or people?

Thompson: There are two big issues the security industry is grappling with today, neither of which has to do with technology. The first issue is the awareness level the general public has of things they can and should do to protect their systems and network connections. Just as we have evolved our awareness of the benefits of buckling up and the benefits of airbags, we need to have that same ethos evolve in the connected world in which we live. The second issue is the rapidly accelerating increase in the number of vulnerabilities that get discovered every day. And, equally importantly, is the shortening of time between the discovery of the vulnerability and the release of an exploit. And the combination of those forces is a very powerful thing. Right now we have a closure rate between discovery and exploitation of four to six months. We need to be more in the realm of seven to 10 days. That is an enormous challenge.

IW: How rapidly are the technologies evolving that allow you to discover security threats more quickly?

Thompson: We need to do a better job of creating processes for large and small companies on a new vulnerability and what actions they should take. We need to shift the paradigm from reactive technologies to more integrative solutions that deal with the variety and complexity of the threats that are out there today. We need to shift the focus from security as a technology to security as a process where people know that technology is an important part of the security process, but that in and of itself is not sufficient. Case in point: seat belts and airbags are great, but if you don't buckle up they are of less impact and value.

IW: Are companies not as aggressive as they could be in terms of putting someone in charge of just that?

Thompson: Clearly we are seeing that as an emerging trend in the largest companies around the world. The whole issue of security policy and compliance to security policies is becoming a very important area of focus. What we are seeing now is customers shifting their attention from security products like firewalls and intrusion sensors, to the policies that need to be in place, and the technologies that help them enforce policy compliance. This is the classic example of people, process, and then technology. Over the course of the late 1990s and the early part of this decade, we got technology out ahead of people and process. The smart companies are going back and reconstructing their programs around the idea of hiring the right people or the right partners, and building the right processes across their company and making sure they have got a technology supplier or suppliers that conform to the environment that they want to create.

IW: You have said you do not feel education is adequate for turning out qualified people to create and administer these processes and policies. Is education getting any better at the university level?

Thompson: There has been no appreciable improvement in our country's ability to produce the kind of talent we need in this space. There have been some small initiatives around the country that have been noteworthy. There is the U.S. Cybercore initiative that has put about $30 million into 13 universities to drive educational programs and produce better skills. But we need more activity like that, and not just in the U.S. but around the world.

IW: Do you see a promising technology in the security industry that could be a significant improvement over what we have now?

Thompson: First, I do not think there is any silver bullet to solving the technology side of the security equation. While there have been terrific advances in the state of technology around heuristics, behavior blocking, and things like that, technology is only a part of the approach to solving the problem with the more important aspect involving putting the right process in place. One of the things that has been truly incredible to observe though, is the amount of venture investment that has gone into early stage security technology. The U.S. and Israel probably lead the way in terms of venture investment in technology companies focused on the security paradigm. That is quite encouraging. Many of those companies are going to find that the opportunity is far more significant to integrate their technologies more tightly with larger organizations like ours, where we can deliver a more integrated solution set, as opposed to a point product. Point products do not cut it any more.

IW: Since 9/11 has Symantec been able to gain more government contracts for some of its flagship products than it otherwise would have won?

Thompson: I would have to say that while 9/11 was a monumental event for the world, it was a wake up call to the threat of terrorism in our country. But in and of itself it was not the catalyst for our business. Ironically on 9/18, just one week after that, the Nimda [virus] attack changed the world's perception of what computer attacks or worms were really going to be like. And since that time, there has been another wake up call sent around the world to do a more effective job of securing the infrastructure. And that has led to a nice buildup in business for Symantec.

IW: Are you focusing more of your time on security solutions on the server side of things or on pushing technologies down to users on desktops, mobile devices and other appliances?

Thompson: I'll answer that in two ways. First, our focus on security is on the infrastructure itself. So it is all about how you protect the network, the device, and the application that is riding on the server. In that context then, we focused on layering on technology at each of those important inflection points. So regardless of what the end point might be, and the predominant ones today are laptops and PCs, what is the right combination of technologies we need to put together to protect the end point from a breach or an attack. If the end point more becomes a PDA or a cell phone, then we need to migrate that technology down and be cognizant of the functions and data that reside on that device. At the gateway tier, which is truly the access point to a company's infrastructure or an access point for a company going out to the Internet, we believe that by combining multiple technologies there and simplifying the technology integration process, you can do a better job of filtering out unwanted traffic. At the application tier, with things like mail servers, we are combining technologies there as well to make that process simpler. The recent acquisition of BrightMail is a furthering of our efforts to move more into the application security world.

IW: How important will Web services be to your integration strategies for tying together these multiple security technologies?

Thompson: Well Web services are nothing more than a way for users to interact with applications. But what Web services suggest is that the connection is always there between an application that is resident somewhere in the cloud, and a user who is somewhere on the other end of a connection. So ensuring the integrity of the data and integrity and validity of the connection is a very important element in any company's strategy that is moving towards a Web service paradigm. But candidly, more of the focus of Web Services today for the platform companies seems to be on the transaction side rather than the infrastructure side. So they are more focused on authentication, authorization, access control, and user provisioning, all of which are very important things that have to ride on top of an infrastructure.

IW: How important a role will autonomic technologies play in Symantec's future product development?

Thompson: I don't know if I want to call them autonomic. If you accept that security is a process, and if you can eliminate the human interaction or intervention in that process by automating more, that is a good thing. So you will see us continue to advance the state of the art or take information that we have in our response databases and have that drive automation or an automated response by some of our products. This will happen particularly around vulnerability scanning, intrusion detection, and real time backup or configuration management.

IW: Have you been following what your old company [IBM] has been doing in this arena?

Thompson: Not really. It seems to me that IBM has a huge footprint in the industry and so they try a little bit of everything. While we are mindful of some of the things they are doing in the security domain, we do not want to get distracted by all the hyperbole around everything they do.

IW: Symantec is gravitating more towards managed security services. How big an opportunity does that represent for the company?

Thompson: We think the managed security services opportunity is enormous and so we have been an active participant and probably the largest firm in this space outside of an IBM or EDS, which does large outsourcing contracts. We think users will want to avail themselves of the 24 by 7 by 365 operating centers that we have in five locations around the world. We think they want to avail themselves of the incredible talent we have, particularly in light of the shortfall of skills in this area. I argue that many of the more thoughtful customers are deciding, given their limited staffing, they would rather have us monitor and manage their security sensors while they apply their staff resources to policy and policy compliant activities. That is a very good segregation of duties. It is the fastest growing segment of our business for sure.

IW: What sort of threat do you perceive Microsoft to be to your business over the short and especially over the long-term, given the security technologies they could bake into Longhorn?

Thompson: Over the near term there is clearly the opportunity to work with Microsoft to do a better job of creating a more secure Windows experience for users around the world. To that end, we have active relationships with them in a number of areas, primarily around consumer and small business efforts where they know that we can help them secure Windows better than they currently can themselves. Over the long term however, their focus is clearly on building out a more secure Windows infrastructure to make sure that it is less vulnerable to attack than it appears to be today. To that end they are going to want to do more with their own capabilities rather than partnering. And we will have to be mindful of that and try to out-innovate Microsoft around the security process. Not the security product but the security process. I don't think there is any franchise more powerful than ours around securing the consumer experience and we will not concede that to anyone including Microsoft.

IW: Given their critical security problems with Windows and Office, has Microsoft ever come around the back fence to Symantec, swallowed their pride and asked for technical help in fixing a major security problem?

Thompson: Well we have a good working relationship with Microsoft at the development level. But let's not kid ourselves, this is a company with enormous resources and talented people, and there is a certain pride that comes along with that for them and for us. It is not clear to me that they have reached the point where they are willing to come to us and shout "help!"
