In-Depth

Friend and Foe of Microsoft

Symantec's chief John W. Thompson talks about co-opetition with Microsoft, the security market landscape and the company's Software as a Service and open source strategies.

Symantec Corp. Chairman and CEO John W. Thompson isn't one to back away from a fight. Good thing, because those combative skills figure to be valuable in his ongoing battles with Microsoft in the security market -- a market in which Microsoft appears hell-bent on taking significant market share. Several times in recent years he has shown little reluctance in confronting the software giant for the misuse of its monopoly position or reluctance to work closely enough with "co-opetitors," including Symantec, on issues involving application development.

Answering a question about if it's a bad thing for the industry that so many application vendors aren't willing to go up against Microsoft one-on-one in key markets, Thompson gives a typically direct answer: "I don't know if it is or it isn't. What I do know is, it's a good thing for our company. I want every employee, customer and channel partner associated with our company to know that we stand for something -- great innovation -- and we won't be constrained by a monopolist."

Since Thompson, 57, took over the reins of Symantec in 1999, the company's revenues have grown from $632 million to $5.2 billion in 2006. He has accomplished this, in part, by reshaping the company's focus of producing just desktop software utilities to one that produces a range of Internet security products.

Before coming to Symantec, Thompson worked at IBM Corp. for 28 years, holding senior executive positions in sales, marketing and software development. He also served during that time as a member of IBM's Worldwide Management Council. In the fall of 2002 he was appointed by President George Bush to the National Infrastructure Advisory Committee, responsible for making recommendations about the critical infrastructure of the United States.

In a wide-ranging interview, Thompson sat down with Ed Scannell, Redmond's editor, and Doug Barney, Redmond's editor in chief, to discuss a number of issues and trends including, of course, Microsoft as a dominating presence, Symantec's evolving open source and Software as a Service (SaaS) strategies, and the growing influence of Google Inc.

Redmond: What have you learned, as chairman and CEO of Symantec, about co-opetition with Microsoft over the past eight years?

Thompson: Microsoft over the last eight years, to be fair, has been more partner than competitor. While there has been a lot of rhetoric over the last two-and-a-half years about their aspirations in the security space, it hasn't really materialized as significant competition -- yet. The operative word there is "yet," because we know that Microsoft has a formidable R&D engine. They have a desire to get into security, but their Release 1.0 product is rarely as good as it can be -- but they stay on the march. We anticipate we'll have to deal with the forces of Microsoft on the competition side much more stringently than we've seen over the course of the last eight years.

Has Microsoft taken a more enlightened attitude over this period of time toward ISVs, or has there been little change?

As the software industry matures and as Microsoft's footprint gets bigger, and as all of us have aspirations of delivering more complete solutions, you're going to bump into Microsoft or IBM or another large-footprint software company quite often. I think what we've learned is we must balance the two sides of our brain: the one side that competes with them juxtaposed to the other side that partners with them. We're not unmindful that of the $5.2 billion in revenue our company generated last year about $3.5 to $4.0 billion of that came off of the Microsoft platform. The only way we can do that effectively is to do a good job of partnering with Microsoft's engineering teams so our solutions work well in their environment.

You had some hard words earlier this year about them not sharing code for Vista development purposes.

There were clearly issues between our companies around access to advances they were making in Vista, debates we had about what should have been appropriate kernel-level access so we could continue to innovate. And while we tried to resolve those issues amicably between the two of us, the dispute rolled out into the public domain. I've never been one to back away from a public fight if that's the forum the adversary wants to put it in.

And was that issue resolved by the time they delivered GA code?

Yes it was. After a fairly public dispute about the Windows Security Center and Patch Guard, we asked Microsoft to make sure that Patch Guard was an option. Their position for a long time had been no, no, no, no, Patch Guard will be mandatory. Well, they eventually capitulated and Patch Guard is now an option.

We had asked them to make sure there was some form of trusted access to the kernel and they again said no, no, no, no. So we said, "Look, this is the only way in which we can ensure that we can continue to innovate around Windows and deliver advanced security technologies ahead of what the hackers might deliver." So now they have a specification that allows trusted access to the kernel, which we're comfortable with.

Symantec is one of the few large, independent software companies that hasn't pursued an aggressive open source strategy as a way to compete more effectively against Microsoft. Why not?

There are two ways to play in the open source world. One is to take much of the IP and make choices about whether we contribute it to the open source community or not. Another way is to use open source modules or capabilities and embed them within your products. We choose to do the latter as opposed to the former. There may be opportunities for us around some of our core technologies like volume management and file systems, maybe even clustering; for us to consider contributing those to the open source community. But we haven't crossed that chasm just yet. What we've chosen to do is to contribute those technologies to a joint venture company -- the one we created with the largest provider of telecommunications technologies in China.

Can you assess the quality of education in larger IT shops for security technologies and issues?

The answer to that question varies by vertical markets. If you look at the financial services sector, they do a significant amount of spending on security technologies as well as the education, training and business processes around the technology. But if you go to the other end of the scale to durable-goods manufacturing companies, you'll find they spend a disproportionately smaller amount of either the IT budget or percent of revenue. And this is where we have to see a greater level of investment around the world.

President Bush appointed you in 2002 to the National Infrastructure Advisory Committee, responsible for making recommendations on the critical infrastructure in the United States. Can you tell me what sort of influence you had as part of that committee?

I'm not sure much, given that I'm a Democrat. [Laughs] In actuality it has been a great opportunity to give something back. Unfortunately, because of my health as a young child, I never got to participate in the military -- I had asthma -- and so this was one way to have some giveback to our country.

Our focus is the clear intersection between the physical infrastructure of the country and its cyber infrastructure. So think about it: The electric grid isn't just a series of generation facilities in wires, it has computers that control the generation of the electricity and the transfer of the electricity through various gates across the United States. If there was ever a cyber attack, it would render the grid inoperable, so you'd like to understand what the consequences of that might be. But more importantly, how you can mitigate the risk.

In a speech earlier this year you talked about the battleground for security moving beyond securing devices and infrastructure, to protecting data being shared in online transactions. You said you believe the network perimeter can't be locked down.

Well, the reality now is that there are so many PCs out there and so many forms and vectors of attack, people want to know the transaction they're engaged in is a secure one. So our view is that you have to move security well beyond the device and closer to the actual transactions occurring online. That's a different paradigm and one that comes with the maturity of the security segment of the industry. That doesn't suggest you don't need firewalls and intrusion sensors and anti-virus agents, but it does suggest those things are a compliment to a new class of security technologies that will have to evolve over time.

A recent news story surfaced about the FBI planting spyware into a MySpace page to catch someone making bomb threats to a high school. Does Symantec's virus-protection tool have some sort of Patriot Act backdoor in it for federal investigators?

Absolutely not.

Would you under any circumstances work with a federal agency to help them to nail someone like this?

Look, we're a global company and we have customers from all governments all over the world. And so we're not going to do something that puts our investors' interests at risk.

Years after Symantec got into the anti-virus business, Microsoft is now in your backyard with anti-virus software with Forefront. Is it fair for them to be in the anti-virus marketplace?

I won't argue whether it's fair or not. I think all commercial enterprises have a desire to grow and prosper and Microsoft has as much a right to aspire to that as we do. The debate about fairness becomes clearer to me when you ask: "At what point does Microsoft use the abusive control they have over the OS environment to their advantage or the disadvantage of users around the world?" I have no issue competing with Microsoft as long as it's a level playing field. If Microsoft wants to innovate as we have in the security space, we welcome that. But don't do something that tilts the playing field to their advantage because they control the underlying operating system.

How can the industry better ensure that doesn't happen? There have been plenty of cases like the undocumented APIs back in the 1980s that demonstrated they almost have a built-in unfair advantage.

The oversight of the European Union gives us some degree of confidence that there will be a leveler playing field than it may have been in the past. While one could argue that the United States has taken a more passive view of Microsoft, the EU has certainly been willing to hold them to task to live up to what they agreed to in their resolution of the case there in Europe. More importantly, we've got to continue to innovate in order to deliver the level of innovation users want.

Do you think you'll get help in this regard through trends like SaaS and the OS in the cloud concept?

There is a "back to the future" paradigm shift going on right now where big servers in the sky are going to support small, limited-function clients out at the end of the wire. And as that continues to evolve and accelerate, it certainly weakens the control Microsoft has over the industry. I think that's good for the whole industry. It puts Microsoft in a position of having to get back to innovating and stop trying to monopolize.

Are you putting more of your R&D monies into SaaS strategies?

We've already launched our platform called the Symantec Protection Network, and the first service we'll deliver on top of that platform is an online backup service targeted at small and midsize companies. We expect to launch that service within the next 60 to 90 days.

You've had a pretty active acquisition strategy this decade; can you give us an idea of what you've accomplished and a look forward?

We had an interesting "aha" moment after the Slammer attack in 2003. We recognized the problem was that many of the systems that got breached during that attack were systems that had been vulnerable for six months or more, yet users hadn't taken the necessary steps to patch or remediate the problems. It became clear to us we needed not just security technologies in our portfolio, but management tools to help with the process of security in our portfolio as well. So we went out and bought Power Quest and On Technologies. We bought Veritas, which moved us closer to protecting digital content or data, and then we bought Altiris in April of this year. This is all around the notion that ultimately security, storage and systems management-related technologies will all converge -- that it will be about a more resilient infrastructure.

And then you'll deliver these as a service, maybe on an on-demand or as-needed basis?

Correct.

That was a short answer, John.

Think about it. We're the world's largest provider of backup software and there are many small to midsize companies today that have an enormous amount of digital content they haven't adequately protected. And protection in this form isn't protecting it from malicious content, but protecting it from loss should there be some catastrophic outage that would occur in their business environment. So we could offer a series of services that would allow them a level of protection. So on top of the managed security services offerings we have, why not deliver a managed-backup service as well? Once you've got that in place, why not deliver a managed-mail service? Why not deliver a managed-security client? Why not deliver a managed PC? There are a full range of things that can be done on top of this base network infrastructure that we'll put in place.

Can you assess the job Microsoft has done with security inside Windows Vista?

Well, school is still out until they deliver the first service pack. I think in the main they've done a much better job with Vista than XP, and they did a better job with XP than they did in Windows 2000. So they've incrementally improved the OS at every level. Remember, Windows wasn't designed to do what it's doing. Windows was designed to support one user on one PC. So there's a great technology feat that has been undertaken by Microsoft bringing forward a huge amount of legacy software while they expanded Windows from a single-user environment to a multi-user environment. But we shouldn't assume that they're the answer to security.

There are an awful lot of things purpose-built companies like Symantec do in the industry that make Windows a better experience for users. It may behoove Microsoft to think about which battle it really wants to wage. Would they rather fight Google or Symantec? Would they rather worry about the emerging world of SaaS or anti-virus at the desktop? I'm not convinced this is the one they should put a lot of energy into. Google is more impactful for Microsoft strategically than worrying about an anti-virus agent on every desktop.

How, for instance?

Look, with Google's business model and the attraction they have to software engineers and the relationships they're building with consumers around the world, Microsoft had better pay attention. With the success of Salesforce.com's model, they better pay attention. That makes sense to me, strategically.

Generally how impressed are you with Google?

They've done a terrific job. I was over at Google recently and I was amazed. They had a group of summer interns -- three or four of these kids were Ph.D.s in mathematics and physics and they were interning at Google. That feels to me what Microsoft was like 20 years ago.

Google was called before some Washington sub-committees to explain a few of its acquisitions. Is Google becoming the Microsoft of the Web 2.0 age?

Any time you have the rapid success they've had, or that Microsoft had, it causes people to pause to understand what it means. Given the seat Google sits in right now where they have a great deal of control over the flow of information and digital content, I think people perhaps unnecessarily but knowingly worry about the degree of influence that they ultimately might exert. I don't think that's their intent, but that's not for me to decide -- that's for Eric [Schmidt] who leads Google or for people in Washington. I think Washington would be better to sit back and observe for a while as opposed to exerting any regulatory oversight.

Featured

comments powered by Disqus

Subscribe on YouTube