John Thompson: Customers need security know-how
Published: 22 Jul 2004 15:20 BST
Chief executive John Thompson has succeeded in transforming Symantec from a seller of PC utilities for the consumer market into a major player in enterprise security software.
But for all his accomplishments, the preternaturally upbeat executive says he's not feeling too secure these days.
While many companies -- and some government agencies -- have done much to secure themselves against hacker attacks, many parts of the Internet remain vulnerable.
Government officials, chief executives and consumers need to do more when it comes to securing themselves, and security policy is still lagging behind the threats, says Thompson, who is also a member of the National Infrastructure Advisory Committee. He was appointed to the panel by President Bush in 2002.
In addition to pushing his company's focus further toward enterprise security software, Thompson is looking to expand Symantec's consulting and services business, which today is a small part of the company's overall revenue -- "a pimple on an elephant's butt," according to the chief executive.
The former IBM software executive sat down with ZDNet UK's sister site CNET News.com recently to talk about his corporate strategy and his views on cybersecurity.
There's been criticism of the United States for adopting guidelines for Internet security, as opposed to regulations. How do you rate US policy?
I think there were a number of important tenets that were brought out in the National Strategy to Secure Cyberspace. One of them was that the government itself would become a role model for the implementation of security. That's not happening. Another was that we would focus on some investment in advanced research and development, and hope to create awareness programmes.
It's just not happening fast enough, or not enough money is being funded at the top, from a government point of view, on advanced R&D. I think there is greater awareness within government, because it has certainly focused on FISMA (the Federal Information Security Management Act).
The government has focused on grading agencies on how well they have done (in reference) to a rather simple set of metrics. The grades are not very good, but it's not been translated yet into a lot of tangible action, unfortunately. On the public-policy front, I think there have been a number of initiatives that have met with mixed results.
On the policy side, do you think the industry has done enough?
I think if I was fair, I'd say the government has not done enough, and it would be equally fair to say the private sector has not done enough, either. More C-level officers and corporations need to come to realise how important it is to protect their critical digital assets -- and what to do about it. It needs to become at least a discussion, occasionally, at the senior management level, if not the board level, at companies.