Q&A: Symantec, McAfee CEOs have differing views on security landscape

Thompson, DeWalt discuss strategic directions

In early December, InfoWorld sat down with Symantec Corp. CEO John Thompson and David DeWalt, chief executive of McAfee Inc., and asked them about the strategic direction of their companies and where they see different aspects of the IT security market heading in 2008 and beyond.

Each of the interviews took its own course, but we made an effort to ask the two executives about many of the same issues.

What follows are a sampling of each CEO's comments on issues related to the rise of data protection, consolidation in the security market and competitive issues between the two industry leaders and their many rivals.

Over the past year in particular, we've seen a relative sea change in the security market as customers have shifted their focus toward data protection versus more-traditional methods of defending endpoints and network assets. How has this forced a strategic change in direction for your companies -- in particular as smaller vendors in sectors including data-leakage prevention (DLP) make claims that they are better suited to deal with this shift?

Thompson: The reality is that we have had great insight about what information was flowing around in an organization for years. The fact that we were doing virus protection was interesting, but what was more interesting was depth and breadth of intelligence network around the world, which has been telling us about where viruses and worms are coming from, what hacker attacks are occurring, where spam is originating and what keywords people are using to bypass filters.

There's a great deal of insight that's associated with that intelligence network that Symantec has that should make this shift toward information-based security easier for us than any smaller company that doesn't have that breadth.

Furthermore, customers have the expectation that we and others who have been trusted providers for them will evolve as their needs evolve. Certainly, that's been the case in the more traditional security technologies. If [you] look at what AV [antivirus] technology does today versus what it did five years ago, it is light-years different.

We should use the metaphor of the evolution of the past to apply to the problems of the future, and we've certainly evolved our business over the last 10 years to be very different in terms of its focus and our ability to solve problems for customers that 10 years ago probably didn't exist.

DeWalt: Actually, I see it as a huge advantage to being a big company. Managing data and data security is a pretty strategic thing for corporations, when I think about who they would trust as an adviser in these situations. With either a start-up [that] may be dedicated to only [DLP], or someone with a thousand people in support, you get a level of service related to companies like Symantec and McAfee that isn't there with the others. We're already running in most large corporations on the endpoint.

Adding another endpoint agent from a small company versus going with McAfee isn't as attractive to these customers. We offer cost optimization, centralized management and other benefits that you can't get from smaller companies.

The reality in the security world today is that we are seeing more cost-optimization requirements. So, how do you look at a company like us that has AV, antispyware, HIPS [host intrusion protection] and NAC [network access control], and how will you add DLP and encryption as an agent, versus adding someone else's products? We look to acquire the best of breed to do that -- to make sure that we have the best technology to fit into our suite -- and offer centralized management with single-agent control to every desktop.

That's the big company game we play, and you have to recognize that turning the ship isn't necessarily about building a technology from scratch. Data security meeting endpoint security, meeting perimeter security is an important component of why people would trust a larger vendor.

DLP is obviously an area where both companies have made significant investments over the past year, with Symantec's acquisition of Vontu and McAfee's acquisitions of Onigma and Safeboot. Could you describe your strategies around DLP and why it has become such an important element of data security?

Thompson: The first thing we have to ask ourselves is if this is a problem that customers would like for us to help them solve. If so, is there a technology already in place in the market that has already garnered the hearts and minds of its users? Clearly, that was the case for Vontu, which was unquestionably the market-leading solution for DLP.

Our view is, if this is a problem that customers would look to Symantec to help them solve, why not see if we can acquire the best technology to be able to do that?

The question of DLP as a stand-alone platform or as a feature will be answered in how customers want to solve the problem. If customers are willing to dedicate resources to the problem as an isolated area of activity, that probably functions as a stand-alone product.

However, if they view that solving that problem is a part of another business process, then it would behoove us to make that feature part of a broader suite.

DLP over time might become part of a broader digital rights management strategy for an organization. Now, that's a big theme that goes well beyond what Vontu does today, but if you believe that the currency of business today is as much about information as it is about cash, having a clear understanding of where digital content is and who has rights and privileges to use it is a very important topic for a lot of companies today.

DeWalt: McAfee and Symantec have clearly addressed DLP in very different ways.

We see DLP having two important problem-solving areas: intellectual property protection, and the management and monitoring of information loss via endpoints.

We believe that most DLP events occur through insiders, through endpoint devices. Not people e-mailing out the source code, but copying it onto a USB drive and walking out with it. Is it more practical to e-mail the source code over the network or copy it to a 60GB drive in a matter of second?

If you look at where the problem is, you'll see that the protection of intellectual property is the most important issue and that secondly, it's about compliance [with] data-privacy reporting components.

With Safeboot, encryption is already proven as a strong approach for data privacy and breach management, and it is best served when the customer can prove no loss of data when they lose a mobile device, that they have no need to report that incident.

If you can address those two problems, you can address the bulk of the issues on the marketplace. It will be up to customers to determine which approach they think is better: a network-oriented appliance tool, as with Vontu, or protection at the endpoint, which is where we have invested.

What we have compared to Vontu is apples to hubcaps, literally entirely different technologies. Vontu is primarily a network gateway appliance that is matching rules. There's no host to classify content, but [there is] primarily an appliance to look and monitor for data loss.

That's a totally different thing than Safeboot, which is whole-disk encryption for mobile devices. Symantec has no encryption technology in its entire portfolio, so the technologies are not even in the same hemisphere. Symantec bet that monitoring network traffic is the future. We bet that doing it at the endpoint is more of a safe, compliant way to address this.

Our philosophy is protecting all the endpoints, including all types of mobile devices, and every access point through those endpoints, including removable storage. That's where our DLP strategy will be centered, and we feel the growth of Safeboot proves that we're making the right bet.

Symantec could be right too -- maybe we're both right -- because it's not like Vontu is doing poorly either.

Your smaller rivals, and some industry analysts, like to say that large companies such as Symantec and McAfee do not innovate, that they only acquire innovation through mergers and acquisitions. How does that strike you, and why do you think they are wrong?

Thompson: I think people might argue inappropriately that the sustaining innovation mission that any company with a large base of users has is forgotten about. We already have the 2008 versions of our products in marketplace. Is there any innovation in there at all? We certainly think so.

There is a very important mission that we cannot overlook, and that is we have a bunch of customers who have an enormous amount of expectation of us being able to continue to deliver new features, functions and capabilities for them that will migrate seamlessly from what they do today to what their needs might be tomorrow.

We spend 15% of our revenue on research and development not because we want to spend it, but because we have to maintain some stream of innovation in order to be able to serve the needs of our existing customers.

If you look inside the company, our Symantec Research Labs facility has delivered incredible innovative capabilities such as generic exploit blocking, or the ability to see vulnerabilities and create a signature to block an attack before the attack occurs. That's all about innovation. The fact that we are an acquisitive company means that we are open to people who have fresh ideas or a new view of the world.

The security world has evolved so rapidly over the last five years that if we were stuck in a paradigm that said we will only deal with ideas that emanate from inside the company, we would be unable to serve the needs of our customers at all. The best way for a company that competes in all the segments of the market where we compete is to use strength of our balance sheet, cash and income statement to continue to evolve.

Consider all that in backdrop of the idea that the whole software industry is consolidating around us. You cannot ignore the broader macro-trend going on in the industry itself.

There are fewer software companies today than there were a year ago; one year ago, there were fewer than five years ago; and five years forward, there will be fewer than there are today. The question is, Can you evolve a process that is relevant for your customers and relevant for your company as you think about targets that you bring into the company over time?

DeWalt: It's a myth that companies our size don't innovate. Many products are being made almost 100% in-house. Lots of the work in our new consumer technologies was an organic exercise, as with ePolicy Orchestrator. We didn't acquire anything to build that product, and if there's one product strategic to this company, EPO is that, and the list goes on.

But we also have to use the balance sheet and acquisitions because we can. It gives us the opportunity to grow. Maybe that looks externally like we don't have to innovate, but we're really doing both and making sure that we augment the strategy. It is a combination, and we have to be good at balancing both things. Companies like McAfee have gotten mature because they're good at development and acquisition.

Part of that is at blended-shore development. We're moving sustained engineering and quality assurance to offshore locations like India and China. Innovation is coming from Beaverton, Ore.; Santa Clara, Calif.; and elsewhere where core development and Avert Labs sit.

Those people don't want to do sustaining engineering on Windows 95, so we have to innovate that way so people who want to be working on the newest thing can do that.

In reality, the core of this company is focused on nothing but innovation. We do the other stuff in low-cost locations, and if we didn't do that, we would probably die.

Over the past several years, we've seen many major IT providers, including Microsoft, Cisco, Intel, Hewlett-Packard, IBM and EMC, make investments in acquiring security technologies and building their own security products. How has this shift toward the integration of security into the operating system, network and computer hardware, software, and storage changed how you will direct your own companies?

Thompson: The reality is that what customers are trying to do in terms of managing access to applications and the ability to share information across the enterprise, both internal and extended, makes it incumbent upon all of us to recognize that securing that content is very important.

Many of the companies you referenced started their lives thinking that security was something that slowed down the machine, network access or their sales. They finally came to the realization that security is an enabler and not an inhibitor and that they must embrace it one way or another.

The real question becomes, Where do customers think logically about security elements? If you look at what has evolved at Symantec, we have said that it's natural that some security technologies will live and reside in the network.

Networks have become fast enough, deep packet inspection technologies have become good enough, and we assume that as time goes on more of that will occur. And the logical place for companies to do that is with the people providing network equipment, but that's only one place where you have to protect the stream of content; another is where the users interact at a desktop or server, or where it is being managed at the gateway or applications level.

1 2 Page 1
Page 1 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon