Mahesh Sharma | June 17, 2008
world according to | John Thompson
SECURITY technology is on the verge of a big shake up, with pundits predicting the number of threats and items of malware being coded will soon exceed the legitimate code being created.
Consumers live in the wild west of the internet, says Symantec chief John Thompson
Change is brewing at the enterprise level as well, with the spread of systems that enable personal mobile devices to infiltrate corporate networks.
Symantec chief executive John Thompson is promoting the notion of a risk-based approach to protection, rather than a rules-based approach.
Thompson joined Symantec more than a decade ago, when it had 2300 people, and has taken it to a $6 billion company employing more than 20,000.
He says this new wave of security will take the company to a new level of growth.
There has been a lot of talk about moving from a blocking bad applications to only allowing good applications to come through. Is Symantec going down this path?In the second half of 2007 we saw more new malicious code than legitimate code. If between 70 per cent and 90 per cent of the code being written is bad, I'll be chasing my tail forever trying to block every one of those things.
The other side is, I know all the things that are good.
There are fewer good things than bad things in the online world, so I will move to a whitelist model, that says these are good and all of these are bad, and I will only allow you to do these good things.
How will this play out at the consumer and enterprise levels?Companies or organisations that have had less disciplined or more democratic practices about what users can do may have to change policies a little, while dangerous code continues to propagate at the rate it is today.
Consumers live in the wild west of the internet.
We're testing in our labs an approach that allows us to collect intelligence on good and bad spots around the web so we can deliver a reputation-based service for consumers that allows them to have whitelisting capability, as opposed to continuing to deal with the paradigm of trying to identify all the bad stuff.
There is a way, with reputation-based services, to say we know of people who have used that with bad consequences, and therefore you use it at your own risk. As well, we know of alternatives that have no problems, and that's a safe place to go to compute or run an application.
How can you evaluate the reputation of all the software that's out there?We have more security end points covered than anyone else in the world, with more than 50 million active subscribers.
We have 50 to 100 million enterprise end points, and that represents an intelligence network that allows us to gather information about good and bad things in the online world.
It's the synthesis of that information that allows us to then say we're going to provide a service that allows us to whitelist and blacklist.
You recently spoke about the move to shift to a risk-based approach to protection at the enterprise level. What's driving that?This is evolutionary, not revolutionary. Over the past 10 years we had a rules-based approach. If you complied with the rule you were allowed to pass, and if you didn't comply you were blocked.
A risk-based approach is founded on a better understanding and awareness of what is going on, and consequently better judgements of the level of risk that is acceptable.
If I see a packet coming in I decide whether that packet may or not be malicious and where it may or may not go through the network.
I may let it go through because where it's going is not a part of my infrastructure that I'm interested in protecting, because it costs more to protect it than fix it later.
Those are the ways policy-based security will allow companies to be more granular in the way they think about protecting specific devices or content.
How ready are companies to take on this risk-based approach?Historically, there has been a security IT team and an operations team, but security exposures became operational problems. Therefore, the most advanced users of technology are starting to say there's a different way to package and parse the work.
Managing firewalls, managing intrusion centres, all those things done by the operational team, the or chief security officer and their team, will focus more on the rules and policies needed for allowing information and access in an organisation.
The most advanced companies such as Goldman Sachs, and JBMC, and some of the big financial services institutions in the US, have already made that separation and they're seeing enormous benefits from it.
How do you devise these policies so everything that is supposed to get through does?Almost all our products has some way that enables users to prescribe how it's going to be used.
The issue is to enable users to synthesise multiple security products down to a common policy framework.
We've done that with a product called CCS and we'll continue to integrate CCS and its common policy framework with many of our other policy based systems.
Vontu is a case in point. It has its own set of policy engines, but it would be nice to have vontu's policy engines and CCS do a better job of interoperability.
Over time we'll certainly deliver that.
In early 2006 Symantec restructured its consumer business to use technology across the different product groups, such as bringing backup to Norton 360. I understand you did a similar reorganisation on the enterprise side earlier this year.Yes. In the security business that's the way we've worked for many many years.
That was less so in our Veritas business, which tended to be much more siloed and didn't share technology so much across the organisation.
By breaking down some of those walls, we've got more cross-pollination.
The reorganisation appears to be paying dividends now, as our recent enterprise product announcements all contain integrated functions across different products.
The shift is reflected in bringing our Altiris end-point management team together with our Symantec end-point protection team. It's about bringing our backup executive team together with our net backup team. It's about having Vontu work more closely with end-point protection, our backup and our archiving business.
So, in the enterprise space we're one big team, as opposed to three or four individual teams.
That was one of the real benefits in the consumer business.
They viewed themselves as one big team trying to optimise everything inside that team.
The change of attitude is really starting to take off, and is really starting to have a positive effect on morale, and therefore should lead to a more positive effect in company performance.
There has been a changing of the guard across the world's software giants, such as SAP and Microsoft. Any similar plans for yourself?We've gone from being the Rodney Dangerfield of the software business to the fourth largest independent software business in the world.
We happen to have product, technology and services in some of the fastest growing areas of the industry.
It represents an opportunity for our company to demonstrate this collection of assets we have, and the people we have are second to none in the industry.
I have no timetable for when I'm going to finish up at Symantec. I love what I do, we've got a great company. It has been a great experience. I don't have anything to be ashamed of or look forward to, other than spending more time with my family.