Interview: Peter Watkins
Interview: Peter Watkins

Spyware is a common threat to data security, but the CEO of Webroot claims some of the big vendors have missed the boat.

Boulder, Colorado, is a small, prosperous city that sits in the foothills of the Rocky Mountains. Like Albuquerque and Phoenix, it's one of those places in America that many people over here have heard of without really knowing too much about it.

So here's a few nuggets: it was the setting for the 1970s sitcom Mork & Mindy, the Dead Kennedys' lead singer Jello Biafra was born here, and British long-distance champion runner Paula Radcliffe moved here in February. And it's where you'll find the headquarters of anti-spyware specialists Webroot Software.

The Paddington Hilton is a long way from Boulder, but it's where I met up with Peter Watkins, who has been in the CEO's chair since January.

Watkins is no stranger to the IT business. He has held various positions at SunSoft, a division of Sun Microsystems, marketing positions at Apple Computer and at smaller players such as Elemental Security, a venture-capital-funded security software company, as well as Resonate, a software firm providing performance-management solutions to large enterprises.

However, he is probably best known in the information security world as a former president of Network Associates (before it morphed into McAfee). In 2000, he found himself embroiled in a class action after it was alleged that the company had recorded revenue for products that had only been distributed to resellers, rather than actually sold. The fallout saw Watkins, then-CEO Bill Larson and chief financial officer Prabhat Goyal leave the company.

That was then. This is now, and Watkins is looking fresh and keen to talk as we settle down in his sixth-floor room overlooking Praed Street.

He starts by accusing McAfee and Symantec of being asleep at the wheel. They failed to address the spyware problem at all, he says. No products, just good intentions. Webroot, of course, was different. "Two years ago, we decided to be the very best anti-spyware product - period. And grab as much marketshare as possible in the intervening period," he says. "They left the door wide open for us to take the market that we have - and we have almost ten million users at this point," he boasts. "They're still playing catch-up, which is quite surprising, given the rapid pace of the evolution in the industry," he adds for good measure.

So that's the rival dissed, perhaps a little too enthusiastically, but apart from having so many users, what makes Webroot, the little guys from Boulder, so smart?

"Webroot has been able to achieve a level of success that very, very few start-ups ever get to. We are the largest privately held security company in the United States. With a little more time and a little bit more development on our side, we can actually move into that top tier of security companies," Watkins claims.

He becomes more humble and admits that Webroot doesn't yet have the same degree of market awareness as Symantec and McAfee, nor the breadth of products. "I think the larger players face a variety of challenges, and it leaves room for nimbler competitors to come into the market. And so that's where we're going to go," he says.

But, as everyone knows, smaller infosec companies have a habit of being eaten up by bigger ones - the latest being SurfControl, surprisingly relinquishing its independence to Websense in April. So is Watkins worried at all?

"Our prospects as a standalone are very good. We would like to be part of that consolidation, but as in consolidating and rolling up a number of other smaller interesting players ourselves. And if McAfee and Symantec ever come on the market... what the heck? I told you we have big ambitions," he says, breaking into a kind of half smile.

He becomes grave again very quickly, just in case I might not take him seriously. So he adds: "Our intention at this stage is to remain a standalone company and grow this into a very substantial, very profitable, security-focused company."

OK, so it's time to reel out the views of the people that all CEOs love - the analysts. Some have suggested that Webroot faces an uphill struggle as other vendors simply incorporate anti-spyware into their existing packages. The criticism is that Webroot is a single-technology company and that won't cut it in the harsh world of the rapidly consolidating information security business.

"We have seen introductions of anti-spyware within the Symantec and McAfee product lines. We've also seen it recently with Vista and the introduction of Defender. Yet our business continues to grow in spite of that. The basis for our competition has been a best-of-breed offering for some time," Watkins says

Of course, as he admits, the strategy hasn't all been about going it alone against the big boys. Webroot has, in Watkins' words, decided to broaden its footprint. The partnership with Sophos to provide anti-spyware and anti-virus in a combined offering was the first step in a new cooperative direction. And, the intention is to increase the footprint even further on the desktop, targeting both the consumer and business markets.

The Sophos deal also saw Webroot team up with a company that, at the tailend of 2006, indulged in a very public war of words with McAfee and Symantec over the pros and cons of Vista's security.

Watkins is not going to be dragged into that, but he is happy to impart his expert view over just how secure Vista really is. "You've got to give Microsoft credit; it is the most secure version of Windows, as it said. Prior to that, it also said XP was the most secure version of Windows. Which it was at the time," he says, the twinkle firmly back in his eye.

So for a company that's in the business of fighting spyware, just how bad a problem is it for the world these days? In Watkins' view, it is incumbent upon any anti-spyware provider to really go out and search for it.

He points to a Webroot survey that showed that 90 per cent of PC users were aware of spyware, but half of those have had a problem with it. "It's like, well, if you knew about it why didn't you do something about it? A quarter of the people in the UK are not even updating their anti-virus once a month," he says, not without justification.

"Last year, we found more than three million websites with various exploits on them. That's a very scary number. The targeted nature of the spyware makes it very dangerous. Viruses have a long history of disruption of business processes and perhaps actual destruction of corporate data. But spyware threatens far greater financial loss because of the surreptitious and stealthy nature by which it extracts information from an organisation," he says.

The other problem with spyware is that it brings up emotive and legal issues and can lead to clashes between organisations and their customers, particularly in the financial sector.

Watkins points to a scenario where banks are starting to take a more assertive stance with their customers - did they do enough? Did they have up-to-date anti-spyware, for example. But, as he points out, who defines enough?

"Did you have anti-spyware technology running on your systems? Did you not? Was it current? Was it up to date? Did the bank tell you you should have had one before you enrolled in their online offer? There's a whole series of questions like this and a tremendous amount of finger pointing. And there will be more and more finger pointing between the various parties about who is liable for that £5,000 transfer that should not have occurred," he explains.

Fortunately, Watkins also has some rather sensible ideas about how the industry may resolve the problem. "What you need is a good set of guidelines to which both parties agree, and it may have to be up to the financial institutions to set this up.

"I don't think it's any different from the bookkeeper who goes rogue on the owner and writes a cheque and deposits it in his or her account. That's not the bank's fault," he says. "So I think if you look at history you should see the same kind of division of responsibility. But that does put the burden on many small businesses to get the appropriate security tools in place. And that's a big ask."

Some have suggested that it would help to simply get a clear message from the industry - the banks, vendors and other stakeholders. We are bombarded with surveys and propaganda from security vendors. We get conflicting information - surveys that say the public doesn't trust online banking and then the next survey will say they do.

Watkins thinks it may be time for some kind of industry body that, for example, sets guideline for consumers. "I will give credit to the financial industry with regard to the Payment Card Industry (PCI) standard. They have actually come out with more specific recommendations and requirements about what compliance actually means. They are much more specific than the alphabet soup of government regulation out there."

So having set the world very thoroughly to rights, what's next for the CEO of Webroot. Is an IPO in order?

"Being a public company has its benefits, but going public exposes you to a much greater degree of scrutiny and a quarterly reporting cycle that can get in the way of doing what you feel is best for the business on a long-term basis," he says.

There is a final mention of his two great rivals. He's happy, he says, to be in battle with them, to see them do their best against his. But then he gets more dramatic.

"I think of both McAfee and Symantec as people who are trying to kill me. Therefore I'll need to do unto them before they do unto me," he says with another twinkle in his eye - although perhaps with a sharper edge to it than previously.

PETER WATKINS - THE BACKGROUND STORY

Before assuming taking over as chief executive at Webroot in January 2007, Watkins was the CEO of Elemental Security, a software company developing enterprise security and compliance management products. He was also the president and CEO of Resonate, before it was sold in 2003.

Peter has more than 20 years of both hardware and software experience in the development and delivery of new products and technologies. He currently serves on the board of advisers for the Yale School of Management and was on Webroot's board of directors before taking on the CEO role.

SPIES: THE GOOD, THE BAD AND THE UGLY

Spyware is set to become threat number one in the fight against online crime, according to some industry sources. Its raised profile is bad news for much of the currently booming web-based economy, with implications for merchants, media owners and advertisers.

The problem is that spyware uses very similar techniques to the ones the online economy applies to track patterns of consumer behaviour and target customers more accurately.

But as the threat of ever more sophisticated types of spyware-based attack takes hold, consumers are starting to become more nervous about the practice of adware, cookies and other online tracking tools, and even about using e-commerce sites at all, as they realise just how much information about them is collected.

The problem is that there is very little in the way of legislation governing what companies get up to on the web, because the technology moves so quickly that it's difficult for legislators to keep up. The fact that national barriers are irrelevant online further complicates matters for legislators.

The other issue is that much of the marketing intelligence gathering is contracted out - making it easy for companies to maintain a useful distance from any practices which may, now or in the future, stray into the realms of privacy abuse. To protect legitimate marketing techniques in the face of spyware, some are now calling for a code of conduct.