Symantec's new CEO knows his way around the company he has been with since 1990, but can he lead it in tough times? Yes, says Paul Fisher.
New broom, old room. CEO Enrique Salem and I met in Symantec's Cupertino HQ this September, just before the company's move to new premises in Mountain View, another iconic location in California's Silicon Valley. True to form, company insider Salem is the last to leave.
Enrique T Salem became CEO of Symantec on April 4, having served as COO from 2008. He joined in 1990 as CTO, after stints with Brightmail, Oblix and Ask Jeeves. His BA in computer science is from Ivy League's Dartmouth College. He is also a graduate of Stanford Executive Institute. Hispanic Net named him 2007 corporate executive of the year.
How is Salem putting his own stamp on Symantec? “I spent the past six months talking to customers all over the world, both small and large. It is becoming very, very clear that what matters to them is how they protect their information.
“Symantec is the only company that has two market-leading positions – in security and storage management.” Ah yes, storage – that means the 2004 Veritas acquisition. Any Symantec-watcher will tell you that this was not the smoothest of processes. Salem is aware of this and intercepts what he expects me to ask – I wasn't going to, but since he's brought it up… “Why did Symantec buy Veritas?”
He gets into full justification mode: “Its products are incredibly relevant to what we're trying to do – backup and recovery, archiving, file systems. Because it's all about the information, and we're the only company that can bring together high security information and how you manage the information,” he says.
“The message I get from customers is that they don't want to keep dealing with lots of point products. Some people have 50, 60, 70 different things.
“Our opportunity is to deliver a solution that gets rid of complexity, reducing cost of ownership by integrating both backup and recovery technologies with secure technologies and protecting customers' information.”
So he's taken an awkward acquisition, now finally absorbed – a process likened by one wag to a python swallowing an antelope – and turned it into a business advantage. The message is that the era of acquisition is over. “We have been very acquisitive. I want us to focus now on the integration of the technologies, not just how we buy more things. Let's bring the pieces together and deliver that vision of not having a separate backup and archive business, but a backup and recovery and archiving business. Symantec will be in a great position to say, ‘we will secure and manage your information',” he says.
That's the vision – and it is a good one – but Salem still has to deal with negative analyst comments and a newly combative McAfee, led by the ambitious Dave DeWalt. Second quarter results were not as good as hoped and this was reflected in the share price. Salem remains undaunted.
“Our business is different again than most. We're a little more tied, especially in a storage business, to what's happening with server sales and you've seen a slow-down in numbers of servers. Some makers have been off 30 per cent on their server sales and we're a little more connected to that.
“Now, security is something that you need, whether the economy's doing well or not. And so my expectation is that we'll do very well going forward and also that we've strengthened our position in the SMB segment,” he adds.
Salem is not put off by one quarter's results. He is in this for the long term. He replaces long-serving CEO, John W Thompson, the only African American leading a major technology company.
“In this economic environment, you have to build for the future. My goal is to run Symantec for the next ten years. The product portfolio that we assembled under John Thompson allowed us to grow from $600 million to $6 billion. That puts us in a unique position. Very few software companies have our skill.”
Perhaps. I decide to bring up McAfee. It raises the temperature in the room. For the first time I see another side to Salem. He has the warmth everyone who works for him tells me he has. But, he has another side – one he has perhaps been cultivating since taking over. I was one of his critics when he delivered a less than convincing keynote at the San Francisco RSA conference in April, shortly after he took over. But that was one of those keynotes – infomercials for the headline sponsors. One-to-one, it's different.
I ask whether McAfee is a long-term threat, if it may even overtake Symantec in the business market. He cleverly turns the question back on me: “What's your feeling?” I say I believe it to be aggressive and re-invigorated under DeWalt.
Salem looks at me square on. The smile has gone and the voice lowers. “Now, let's be clear. That comment you made about McAfee overtaking us; that is its management saying that. Without a major acquisition, it will not overtake us. At this point, we have got a very differentiated offering in security, with significant leadership in the software service.
“Our competition reacts by buying the fourth player in the market, SaaS, where we bought number one in MessageLabs. We pay attention to what the market wants – a combination of software to servers and also a notion of ‘how do you back up and protect the information?' Right now, we are clear leaders – and I don't expect that to change.”
Fighting talk and Salem needs to do that. But he acknowledges that perhaps Symantec had lost its way in getting a coherent message across – perhaps in some of the slightly bumpy acquisitions.
“We need to be clear on who we are. Some people will know us for Veritas, some for anti-virus. Symantec is more than those and our job is to be clear on what we're going to do. We will secure the world's information from the widest range of threats on any device, reducing complexity for the customer.”
He has spent the past months talking to over 200 customers. He says they don't care about the actual infrastructure, they want to commoditise it. “A very large customer of ours selected our backup software and then went to two of his vendors and said: ‘Don't tell me about what your benefits are, because whoever gives me the best price is going to win.'
“And so that is part of our job, to help commoditise the infrastructure. So we'll secure and manage information, and we'll commoditise infrastructure, and all 17,500 people here need to articulate why that's important to customers,” he says.
It must be working, because until this point, SC too had a hard time finding an “in” with Symantec. Now we get to meet not just the person at the top but other senior executives as well. Good.
Symantec's other side, with Norton Anti-virus, is the consumer business – it is one of a handful of security firms that is a household name. But with all the focus on the enterprise market, will the consumer market play second fiddle?
“The consumer market is a business that adds a lot of insight. Consumers are the early adopters, the first to get on the internet and try things: everything from instant messaging to iPhones and social networking. Social networking will be a phenomenon that does make it into the enterprise in a big way because it'll drive improvements in end-user productivity.
“Consumers are the point of the spear in many of the things that we do. We've been in this business of fighting malware for more than 20 years and, in that time, a lot of the techniques that we have used have been what I would call blacklisting: detecting a bad piece of code or malware, and then writing a signature report. In 2008, we wrote 1.6 million signatures; that was more than we'd written in the previous 17 years. Well, to correct that situation, we've moved to a generation of security that we call reputation-based security. We started enabling that technology in the release of our 2009 consumer products and the latest version of Norton Internet Security 2010 has the feature code Quorum fully-enabled. It changes the game. Our ability to have the world's largest global intelligence network is driven by our consumer business.”
So both enterprise and consumer are very much part of Symantec's future. The technologies can overlap, but what kind of company will Symantec become? Is it moving from being a “security” firm into a fully-fledged IT business? It already often talks of itself as the world's fourth-largest software company. How will this affect strategy, as businesses look to IT to become an intelligent business driver in the post-recession world?
“We're in the information management and information security businesses and my goal is to absolutely remake Symantec to being a lot more than security.
“You mentioned one competitor; I have several others that are, again, doing only a portion of what we do. What's great about us is that we're not just in a narrow sliver of what matters to customers. So I'm feeling great about our opportunity.
“Today, Symantec is a $6 billion firm and we've got a tremendous opportunity. If you take all the work we do in the data centre, in securing the enterprise, and with consumers, this is a $50 billion opportunity and that's why when I get up in the morning I am not worried about the market potential.
“I focus on making sure we're moving fast enough to problems customers care about. This isn't a lot of puffery about who's bigger, it's more about who's got the best set of tools and products, to solve what really matters to customers. Very few companies in this industry have what we have,” he adds.
Salem also sees opportunities in any post-Windows-dominated world, as more platforms and applications emerge from Google et al. “Microsoft is thinking about the threats and its opportunities, just as we do. The big distinction is that we've got a set of assets that are completely platform-independent.”
I need to ask one last question. The readers of SC are under pressure as never before, their world is changing and they have to deliver more, often with fewer resources. They need to rethink their own strategies – and with it the technology, apps and methodologies they adopt. So what does the CEO think they should do? The advice is clear and says a lot about the direction that Salem will be taking his business.
“I would tell them – figure out what matters to your business and start with the information. What information do you really care about? How do you create it, how do you secure it, how do you manage it? How do you manage the risk around it? The accessibility to the information, the agility around it, are what ultimately you have to prioritise. It's not about the hardware infrastructure any more – quite frankly, that should all become a commodity,” he says. The smile is back on the new face of Symantec.
Joe Pasqua, vp research labs, Symantec
Vibes stands for ‘virtualisation-based endpoint security'. It is a VM solution for the home. You want the normal ease of using your computer, without draconian limitations. You go to a shopping site, enter a credit card, and a shiver goes down your spine – you don't want anything bad to happen. For the time of that transaction, you might live with limitations, be locked down and secure.
I get what looks like a message from Jessica. Is this really from her, or is a bot running that's trying to send me malware? I'd like to be able just to click on it and know nothing bad is in it.
Using virtualisation, we built something that embodies those three types of activities: Vibes.
Pondering virtualisation, you think about carving one machine up into multiple virtual machines (VMs) running on behalf of different users or activities.
We took a desktop PC and carved it into three VMs, each running on the user's behalf but looking like one environment – and exactly like what they would have on their machine normally.
The second VM is a super locked-down one. We make it look like the user's, but we ensure that nothing is running on it except software we know is good, and we control what you are allowed to do in that VM. You cannot install new software in it, for instance.
The third VM we call the Playground. This is where you double-click on a file that you don't recognise, you switch over to Playground and it's run in that environment. No matter what you do, if anything goes wrong we can reset it, and the Playground will revert to its normal clean state.
To the user, these three environments look the same, but they are isolated from one another using the different VMs. And the virtual disks of each of those VMs are isolated from one another. So, you're protected in that way.
This happens on the fly, that's the key. There are two interesting aspects. One is, it happens on the fly seamlessly from the user's perspective – you're not going to notice anything different on the screen, Amazon is still going to think it's you. Vibes manages all that in the background.
Second, we do those switches based on cues. So, the user doesn't have to say, ‘OK, well now I need to be in the Playground or now I need to be in the heightened security arena'. Vibes notices what's going on and tries to be intelligent about when to switch between these different environments.
You just go through your workflow as you would normally, but under the covers we're switching you between different environments to provide you with the right level of protection based on the kind of activity you're involved in. Good vibes!
Francis deSouza, vp enterprise security, Symantec
Hackers seize on the fact that they have a window before an IT security process will catch them. That's what we're finding and it has caused us to completely pivot our security strategy around.
We used to talk to customers about lots of point products for associated pain problems: ‘If you have a problem, we have anti-virus or anti-spam.' We had literally dozens of these products.
In future, we're going to talk about only four Symantec products that are important and which map to each of those pain problems.
First, to protect infrastructure, we'll talk about the Symantec Protection Suites. That has our endpoint protection product in it, our flagship, but it also has email gateways and web security.
To protect your information, there's the Data Loss Prevention Suite, our DLP suite.
To develop and enforce IT policies, we offer Control Compliance Suite. For endpoints, Altiris Total Management Suite. And that's it. Those are the four products. So we'll go away from what was the strategy in the 90s, which was multiple defence-in-depth-type products.
There's an awful lot of vulnerable business out there. The more data we create, the less control we seem to have over it.
Companies create more information than ever. It's not unusual for a firm to say the volume of information it has doubles every two years and IT security teams have more people to manage than before: employees and suppliers and contractors – and customers that have access to the networks. There are more devices to manage: PCs, laptops, iPods that plug into the network, smartphones. Companies have SaaS infrastructures, virtual infrastructures. They're facing more sophisticated criminals. That's why you're seeing this growth in the amount of black market information traded.
Businesses now are thinking, I'd like to just hand over all my security account, I haven't the people or the expertise or time to worry about data security.
There is a lot more interest in offering parts of it. Some companies offer the whole thing. That is a smaller part of the market, but growing. The bigger part we're seeing now is companies taking chunks of it. What drove MessageLabs' growth was companies just saying, ‘I don't want to manage mail security. Just deliver it on the cloud, clean it all up and get my mail cleaned up, remove the malware and spam'. That is a rapidly growing part of our portfolio. Parts of security get out-tasked and that's in smaller numbers again, but growing. We expect some companies to say, ‘we want you to be our security partner; security's your responsibility'. But again, that's a smaller set of firms.