Jeremy Burton joined Symantec last year via the blockbuster merger with Veritas. Now as senior vice-president of enterprise security and data management, Burton oversees about US$2 billion worth of business. In this interview he provides the inside story on how the merger is going.
Overall, where does the Symantec-Veritas integration stand?
It closed last July and since then we’ve consolidated what were six business units into three [in addition to Burton’s group, there are the consumer and storage businesses]. Going into this Symantec and Veritas were both doing well, so we didn’t want to break anything. The final piece of the puzzle here is at the end of the fiscal year we’ll want to determine how the sales force should look. Once that’s done, there is no Veritas and Symantec, there’s only Symantec. I’m a Veritas guy and two-thirds to three-quarters of what I own is legacy Symantec.
And what about on the product side?
Product integration is happening on a number of levels. On the e-mail products, some of it is done but the majority is still to come [Symantec has acquired a handful of messaging-related companies, including Brightmail and IMlogic. Part of it is that customers still make separate decisions on e-mail archiving and security, though over time I expect people will start seeing these two as leveraging off each other. We just don’t want to move too quickly and create some sort of flying boat: You can have a spam filter if you drag along our archiving engine… Unifying the metadata [from filtering messages and other traffic] and policy management, that’s a no-brainer and we will get on with that.
On the security side of things, our integration is not so much between Symantec and Veritas products, but let’s get the Sygate, Whole Security [past Symantec acquisitions] and Symantec client security unified agent footprint on the desktop and let’s build out the compliance picture. The area where there is a lot of integration going on is in our mid-market products. You’re going to see us roll out a unified offering that is the best of Backup Exec and LiveState. This is not an arm’s length hacked integration. This is a new product, which is going to be able to do continuous protection of systems and data from any point in time to any point in time.
A high-level policy manager will involve integration up from endpoint compliance, e-mail management, and targeting backup and recovery to see how infrastructure is stacking up against policy. We’re just about to ship that product.
Who are you targeting with your messaging management products?
It used to be that the messaging guy was buried under networking, but what we’ve started to see in a lot of organizations, in particular financial institutions, is that they are starting to get a grip on the issues around messaging. There is now a top guy, a VP of messaging, who is typically a peer of the VP of infrastructure, VP of security and VP of applications, and that guy will be responsible for messaging policy and management of messaging systems.
I would argue after the ERP systems, messaging is the most important application and some would argue if the e-mail system wasn’t running it would do more damage than if the ERP system wasn’t. Customers have gone after it because of the exposure that exists within the e-mail and instant messaging systems. They need to keep it up and running and establish policy to manage it. It’s starting to become a bigger buying center and in our reorganization this is why we took the opportunity to take all our messaging products and put them in one group and say OK, if we believe that e-mail is the next big mission critical app, which we do, and we believe the data volumes are growing 50 percent to 100 percent a year, then wouldn’t it be good to be able to go to this VP of messaging and say: ‘We’ll help you manage it all with the same amount of tender loving care with which you manage your ERP system today.’ It’s one of the few areas in IT right now where security pressures and decision-making come together with storage. The VP of messaging will make decisions around anti-spam and e-mail security and e-mail archiving and what it’s going to take to keep the system up and running.
Which vertical markets are most active here?
The financial institutions are further along than anyone; they’re starting to realize that it’s not just can we stop things getting in and storing the data, but we’ve got to watch what’s going on because that’s going to give us some insight into where potential risks exist in the organization.
Initially with the financial institutions, it was fraudulence, but now they’re realizing they spend a fortune on corporate litigation and e-mail discovery. They’re realizing that if they go looking for information when the subpoena shows up, that’s the worst time because they don’t know what they’re going to find. Maybe if they looked proactively they might understand where the risks are and maybe nip them in the bud or at least monitor them and disclose information without paying a third-party millions of dollars to do it.
So where is Symantec headed in this area?
We have a very big investment in that area, primarily starting with e-mail, but also instant messaging. Also you think about a lot of these collaborative applications like SharePoint and voice-over-IP. We had a meeting recently with our new CIO and he was talking about how huge our telecom bill is and said we are going to put voice-over-IP clients on every desktop and laptop. So now you have a digital stream and communications vehicle, and there’s no reason why those conversations can’t be journaled and kept. The problem is that you end up with storage of biblical proportions.
We’re working with a big regulated pharmaceutical company now with 150,000 employees, and we calculated that if each received 16 e-mails a day that within 4 years their archive store with all this journaled e-mail, they’d be indexing more objects than Google. That’s just e-mail, not voice, IM, files.
With our anti-spam software, we look at 25 percent of the world’s e-mail each day and we don’t look for anything else. You can imagine if we start looking for potentially fraudulent activity. People realize we need to be a little more intelligent about what we’re looking for as it comes through, but also let’s be intelligent about what we’re archiving. You’ll see us collecting the metadata of what’s being filtered so that it can be analyzed, plus you’ll see a level of integration by year-end for our assorted security policy products. By next year, we’ll have a unified policy manager for messaging. This messaging business is our fastest growing business and it’s in the hundreds of millions of dollars. If I’m looking for an area where our next $1 billion business is going to be, this is it.
Still, your endpoint security business (antivirus, etc.) is actually your biggest business. What’s new there?
If I talked to you at this point last year we’d be talking about antivirus and spyware, but the threat landscape has changed dramatically. Not that we aren’t concerned about hackers and spies, but thieves are the biggest threat. They are trying to steal information off the PC and laptop, anything from walking into your offices and sticking a USB drive into a computer and walking off with the crown jewels to phishing attacks and keystroke logging.
Over the past six months we’ve made a couple of acquisitions: Sygate, which has technology for device blocking on the endpoint to stop people from stealing information with pen drives and so on; and also Whole Security, which has a behavior-based technology that resides on endpoints that really eliminates the threat of phishing attacks and keystroke loggers. Both of those pieces will be fully integrated into our client security suite later this year. We want one footprint on the endpoint that stops hackers, spies and thieves.
The Sygate technology also is going to take us from endpoint protection to endpoint compliance, which is where you’ve got a security policy in your company that all endpoints, for example, need to be running antivirus, up-to-date definitions and support strong passwords. A lot of companies, whether by Sarbanes-Oxley or another regulation, have been forced to think about a security policy and that’s where endpoint compliance comes in, snagging computers as they come on the network, scanning them and taking remedial action if necessary.
Word is that it’s a buyer’s market in security. True?
It’s been primarily in the low end of the enterprise segment. It’s fair to say people are not paying a premium for stopping the hackers and spies. What we want to do when enterprise license agreements come up for renewal is not just say, ‘OK, we stopped hackers and spies last time we had this discussion and we still stop them.’ That’s because the customer will say, ‘Great, I’ll renew but I got a 50 percent discount last time and I want more this time around.’ What we’ve got to do is put more value on the table and say, ‘Yes, but now we can also stop thieves and help you with compliance, so instead of giving us $1 million, you should be giving us $2 million.’ Later this year when we’ve more fully integrated the pieces we acquired six months ago, that’s when I look for things to trend up on price.
We heard from customers at a recent conference that they’re starting to feel appliance overload. Now I know appliances aren’t a huge part of your business, but what are you seeing here?
The guys who have gone big for appliances are the network security guys who don’t have a lot of skills to manage servers and updates. We have a relatively modest appliance business and haven’t been in the business as long as others, though the business is still meaningful to us. The interesting thing that I see here is that the promise of appliances was that you could just plug them in and never have to manage them. Well, it’s not quite that easy, as they do require a bit of management.
What I think folks are realizing is that they probably want to have some unified point of control. The challenge is that you can’t hack open these boxes and put agents on them, so using agentless technology to get some understanding of what’s going on in those appliances is going to fly. We do have some agentless technology and I would argue we are more capable of providing this sort of management umbrella for a lot of these appliance than are the appliance makers themselves.
At some point, it could make sense for us to come in as a sort of OEM supplier with our components, then tap into the devices with centralized management tools. We’re some ways from that, but if the problem gets bigger, we have the potential to provide that. And we can tie in what’s going on in the network, at the gateway and on the endpoint.