Security threats Toolkit

John Thompson: Customers need security know-how

Robert Lemos and Dawn Kawamoto CNET News

Published: 22 Jul 2004 15:20 BST

Where does Symantec see its future growth?
Last year, we probably generated close to $1bn in revenue from selling security-related software to small businesses and consumers. But the real growth opportunity for us is solving a related problem for midsize and large enterprises. And that involves management of the IT infrastructure, a process of which security is a component.

When did you come to that conclusion?
We came to that realisation post-MSBlast. Our DeepSight database and our security management capabilities allowed us to observe what was going on, yet we couldn't tell customers what operational actions they should take at that very instant to mitigate the risk of an outage or attack. As a result, we went about the task of acquiring a set of assets that would help with not just securing the infrastructure, but also managing the process of ensuring that the infrastructure is secure.

How far along are you in making that transition?
My sense is that we are making terrific progress. Our enterprise business grew 24 percent last year. And while it pales in comparison to the wild growth in the consumer space, show me another enterprise software company that in calendar year 2003 grew 24 percent. But we've got a lot more to do, in terms of continuing to expand our product portfolio. That's partly why we acquired Brightmail.

How much consulting business do you do in helping companies establish a security policy?
Financial services institutions are highly regulated. They are very, very concerned about issues around security, because the regulations drive them there. Hence, they have much more rigor around the policy development activities and the policy compliance activities that go on in their environment.

So you probably won't get much consulting business from that sector. From where, then?
If you move to health care, another very highly regulated vertical, it doesn't have the same degree of sophistication or, quite frankly, the same strength in IT spending or skills. Our consulting organisation is going to be much more effective in that environment, as opposed to financial services.

You will see us continue to make investments in expanding both our capability in the consulting and integration services phase, as well as our capacity. Those are two very different but very important complementary functions.

Capacity -- meaning your actual technology?
No. Capacity meaning how many people we have to do the work; capability being what skills they bring to our company for the kind of work to be done. Today, we can consult with customers on security policy development. We can do penetration tests. We can do a range of things that are fairly narrow. If we could expand our capabilities to include how to ensure greater depth in understanding of the issues around compliance with pharmaceutical industry standards for security and asset protection -- that kind of capability we don't have in our company today. If we did, that would incrementally add to the opportunities out there.

Do you have any sense how much your consulting business will [contribute to] your overall revenue pie?
It's a pimple on an elephant's butt for us, let us be clear. Let's put it in the proper context. Our forecast is to be a $2.3bn company this year. Consulting and services, in the broadest context, will make up 2 percent of revenue. So unless we do something to change the capability and capacity of our company substantially, it's still going to be a fairly small component.

Where would you want it to be?
If you look at the map -- where spending will occur in the security space -- for every $1 of revenue spent on hardware and software, customers will spend $2 to $3 on services to implement or support.

What is the single biggest problem that faces builders of security software today?
Not enough customers who have the knowledge to implement the software that we can build. If we go open the Silicon Valley papers or go to some job Web site, the most in-demand professional today in the IT industry is the security practitioner. Bar none. They are highly sought-after compared to a database administrator, compared to a project manager -- you pick it. There are some 50,000 to 70,000 open jobs in the States alone.