Security: the bigger picture

John W. Thompson is chairman and chief executive officer at Symantec Corporation. He joined the security firm in April 1999 from IBM, where he was general manager of IBM Americas and a member of the company's worldwide management council.

In September 2002, President Bush appointed Thompson to the National Infrastructure Advisory Committee to make recommendations regarding the security of the critical infrastructure of the US.

Why is Symantec's strategy to become a full service security company while others in the market are just focusing on single areas for future development, such as antivirus?

Look at some of the market leaders from a few years ago which were focused on a single technology. Today they find their businesses stalled.

Companies that specialise in firewalls today face low growth and few new customers. If you close your eyes to the emerging threat landscape your ability to service customers is limited.

The nature of today's threats means that antivirus technology alone is not enough; you need a combination of tightly integrated technologies operating at each tier of the network.

Won't that make security technology so complex to manage that only the largest companies will be able to afford it, leaving everyone else to outsource?

Technology providers have to do a better job of integrating technologies and making them simpler to deploy happily. By making technology easier to use, deploy and manage, mid-sized companies will be able to manage the environments they create.

But outsourcing a proportion of the security environment will become more commonplace. On the consumer side of the marketplace, more and more security capabilities will be absorbed into their service provider network. Tiscali is doing this for eight countries in Europe.

Are you concerned about Microsoft's predicted entry into the antivirus market?

I don't view Microsoft as a threat at all. Would you buy a Microsoft antivirus product? Discerning buyers are people who will look to companies that practise the craft of security day in and day out.

Arguably the consumer and small business sectors of the market are only penetrated about 50 per cent by simple antivirus technology. And I argue that not all of them will blithely run off and buy a Microsoft product just because Bill Gates and Steve Ballmer think they should.

What about open source? Will Symantec operate in that sphere?

We already offer a fee-based Linux service. As Linux moves onto the desktop we will have a solution for it there. As customers adopt Linux in greater quantities we'll have to move our technology platform to that environment.

But just because it's Linux doesn't mean we won't try to recover some of the costs and make money on the investment made. IBM makes money out of Linux.

You're involved in the National Infrastructure Advisory Committee advising on national security. What's your estimation of the current state of play?

Well I think we've made enormous progress since the attacks of 11 September, but that being said there's an enormous amount of infrastructure.

Eighty-five per cent of critical US infrastructure components are owned and operated by the private sector, so the Committee is trying to create an effective public/private partnership where we can bring forth issues of critical infrastructure and look at what needs to be done sector by sector.

Do you think there's a security education gap that needs to be addressed in dealing with business and the public sector?

I'm not sure that one segment is more or less aware. There are business segments that tend to be highly regulated that are more attuned to the security challenge.

For example, financial services companies are highly regulated and very aware of security issues. Healthcare is also very concerned about the privacy of records and hence more attuned to security issues.

Contrast this with steel manufacturing, which is not highly regulated, very cost sensitive, less information intensive and therefore probably not as attuned to security.

So is more overall regulation the answer?

I'm not anti-regulation; I'm pro speed and flexibility for business. Some regulations tend to slow companies down and, when you're competing in global markets, the last thing you need are burdensome regulations.

Countries need to be careful that they don't make the cost of doing business in their countries unduly expensive and make companies based in those countries less competitive.

Do you think that security companies will have to share more information to beat emerging threats?

Part of the motivation for setting up the Cyber Security Industry Alliance earlier this year was that we as an industry need to do a better job of understanding the regulatory environment, understanding the technical standards we will have to build into products to facilitate interoperability and to have better co-ordinated efforts about education and training programmes.

It's an acknowledgement of the point of maturity we've reached. It remains to be seen whether we'll do something from this point on, but it is a good first step.

How far do you see it as Symantec's role to educate the wider public about IT security?

We all bear some of that responsibility and we and others do it through marketing campaigns aimed at creating awareness of the issues.

One of the delicate issues is that education programmes may be viewed by some as more self-serving than helpful and we have to been mindful of that phenomenon.

By contrast, in our country when the government decided that driver safety was an important enough issue to deal with, it decided to fund a national awareness programme called Buckle Up.

Why don't we have a similar campaign for cyber security? We need a similar effort by governments around the world for people to protect their little piece of cyber-space. They just need to be knowledgeable about the precautions they must take.

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!