This post is the first in a new series on my blog titled “The Virtual Boardroom”. Each post in this series will be an interview with a CEO or top executive in the virtualization field. This inaugural post is an interview with Symantec CEO Enrique Salem. Enrique set aside some time for me and we discussed some of the issues related to virtualization security, endpoint protection and VMworld 2011, among other topics. Here’s the interview in its entirety.
Greg Stuart (GS): You spoke at the RSA conference in 2010 about the growth of the security industry and the challenges that we are facing today. What are some of the toughest challenges that Symantec, as a leading security focused corporation, faces going forward into 2012 and beyond?
Enrique Salem (ES): What you’ve seen happen is that the threats have become more and more targeted. So I started working in the security industry in the 80s for a big financial services company and at that point the attackers used to go after where the money was. So, they went after banks. Does that make sense… like the old days, you know that bank robbers rap, and hold up a bank. What happened in the early 90s is that we started to see that as computer technologies began to be connected, we started to see hackers go after people to say, hey, we could deface a website, we’re smarter than the security professionals. As time unfolded in the 90s, we started to see the attacks become really targeted. So it was no longer I go after a website just to show that I can, I’m going to go after individuals. I’m going to try to see if I can start fishing for some of their credit card details or their identity so I can do other types of crimes. And so what has happened every year probably starting in the late 90s, early 2000s, is those attacks became more and more targeted. The conventional ways or traditional ways of protecting a user were no longer going to be effective, so in 2005 we started to see what we knew would be quite frankly, if not managed well, a crisis. And what you’ve seen over the last couple of years is that those attacks have become that targeted. I mean you can’t pick up the paper any morning and not read about some attack on some big company, right? We’ve seen them go after gaming sites, we’ve seen them go after banks, we’ve seen them go after security companies, and we’ve seen them go after defense contractors. Somebody went after the uranium enrichment facilities in Iran. And so the challenge is how do we make sure we stay ahead of those threats to protect our customers. Because our goal is to help you make sure you can grow your business online or if you are an individual be safe online, in a reliable, scalable way.
And so the challenge is how do we stay ahead of the bad guys? And I get asked all the time what keeps me up at night. And the thing that keeps me up at night is how do we protect our customers? How do we make sure they can recover the data when they need to? How do we make sure there isn’t a malicious insider that’s going to go after them?
GS: It seems like it’s just a constantly evolving landscape and I’m sure with it evolving like that so much, as a company you also have to be evolving right along with it, otherwise you would get caught behind the curve.
ES: Exactly. And that’s why we’ve driven some great innovation. I’ll tell you at Symantec research labs we’ve developed new technologies that allow us to tell you if an application is malicious or not, we call it a reputation system that is innovation built at Symantec. A lot of people talk about reputation, but sometimes we’ll talk about IP reputation. We are doing application reputation because Symantec has the largest global intelligence network that really allows us to be able to tell you if that app is a good app or not. It’s a system that when we first launched it into consumer products it was catching on many individual computers, on one out of every 2 computers we found a previously undetected threat.
GS: Wow, that’s a scary thing. I’m glad that you brought up innovation. Innovation is on the tip of every corporation’s tongue it seems. Marketing puts the word innovation in bright lights and it is by far one of the most overused words in the technology arena. Innovation is defined as, “a new method, idea, product, etc” which seems like such a bland definition when compared against how it’s used in presentations and on websites all over the Internet. How does the CEO of Symantec define innovation, and what is Symantec busy innovating?
ES: What I think about innovation…you’re absolutely right. Innovation is an overused word. To be honest with you I like how Thomas Edison used to describe innovation. He’d say innovation is one percent inspiration and 99% perspiration. I think, and by the way, you may or may not know, my background is in technology. I was actually Symantec’s first CTO back in the 90s, and so I think you are absolutely right, it gets thrown around like it’s going to create something magical just by some people saying hey here’s some new great cool thing. That’s not how it works. Innovation is about figuring out, and this is how I think about it…what’s a big problem that hasn’t been previously solved and go figure out a way to solve it. I don’t think you need to have some magical description. And that’s why I agree with Edison. It’s one percent really figuring out what is that thing? What is that big thing that we’re going to go out and solve and solve for a customer and 99% of that is just hard work. Sorry if that’s not glamorous, but that’s how I think about it. Solve a big problem. Solve a big problem that hasn’t previously been solved. The security industry needs to be focused on how do you take an attack, put a fingerprint on it and then send it out to your customers. And so reputation was about turning that model on its head and saying we are not going to wait for your attack we’re going to figure out a new way, that’s innovation, a new way that is better than what was done before. What we’ve done with our NetBackup appliance is we’ve got the one box. We’ve got the media service, we’ve got the de-duplication technology, we’ve got the backup software, we put all of those together in a way that, in my opinion, solves a customer problem and makes the use of backup much simpler. So to me we are innovating every day we’re coming up with new ways to solve customer problems in ways that haven’t been done before.
GS: Good answer. Moving onto another topic that is really hot, cloud computing. It seems to be the bulk of what we talk about today in technology across the board, even in personal computing. I like the idea of the cloud computing model and I embrace it. I use Dropbox to store all of my data in the cloud and I access it on different endpoints. How do you convince someone who is less trusting in the cloud? I’m convinced, and I know that it’s secure, but how do you convince someone who’s less trusting? Maybe a corporation who has decided that they don’t think they can trust the private cloud or the public cloud method? How does Symantec ease the customer’s fear of placing their data in the cloud?
ES: What they care about is the two biggest areas, security and availability. They want to make sure that their data is secure and they want to make sure that if they rely on it, it’s available. If you were using an online word processor you want to make sure you can use it whenever you need to. If you were using an online mailbox, you want to make sure you can get to it. So, security and availability are the two key things. The beauty of Symantec is, that is what we do. We are the largest security vendor in the world, we are the largest backup and recovery and quite frankly availability management company in the world. And so we are in a unique position. Because we’re not going to say, here’s what we do. We think about who do we trust, we think about what data we can trust to be out there because quite frankly I don’t know that I would start taking all of Symantec’s source codes and storing it in somebody else’s data center. That’s our property, I don’t see the benefit of doing that and so we’re not going to do it. But we do take customer data. We take our customer names and put it in a CRM system that’s hosted. We take employee data and move it into the cloud for a new hosted HR management system. What we do is we say what is the data that we believe can be secured and managed outside of our four walls and then we go through a lot of work to show people that if you are trusting us in a case where it’s our cloud based service, here is how we protect it, here’s the audits we do, here are the techniques we use, if it’s our data going to someone else’s cloud, we want to make sure that they’ve done the right steps but many times those companies come to us such as Amazon, eBay, Salesforce, many of the biggest companies in the world use our technology to protect their environments from attacks. So, our job is protecting your information, and we’re pretty good at it and I think people come to us when they have that kind of problem.
GS: Sure, absolutely. Information is growing at an extremely rapid rate, and the way we access that data is also growing. There are so many endpoints available to the end user today, cell phones are accessing the Internet, laptops, tablets even TVs. How do we ensure the protection of our data across all endpoints?
ES: The way we think about it is, we take an information centric view of the world, and we think the devices are irrelevant. With all due respect to Steve Jobs and Apple and everybody else who’s building cool devices, the device they use today may not be the device they use tomorrow. What really matters is who the individual is and what the information is they need to access. It’s really about accessing information anywhere, anytime. When we think about new devices, because smartphones are outselling PCs now, we think about 1, you have to be able to manage them because IT is starting to let people bring their own devices to work, and when you do that, IT wants to manage it. 2, you have to be able to authenticate the user. When you talk about using Dropbox or box.net, it’s important if you’re going to access info from your mobile device that’s confidential that we know is grey so authentication becomes very important. 3rd, you have to be able to protect the information. On the device, if I’m a corporation, I want to be able to say, I don’t want your iPhone, Android or iPad to have a confidential PowerPoint presentation. What they have to have is some form of information protection on the device. So that’s how we think about it Greg, so we think about it as you got to manage the device, authenticate the user and protect the information. I’ll give you a great example, what does the consumer want? They want to bring their device into the corporation, they want flexibility and privacy. What does the corporation want? They want to manage risk, and they want control. So the solutions that Symantec is going to deliver are going to solve that fundamental division where the consumer and the enterprise IT department have potentially conflicting goals. We at Symantec believe we are going to have some pretty darn effective solutions to deal with the management, the authentication and the information protection, quite frankly, on any device.
GS: I like that idea, there’s so much changing with endpoints these days. VMware has come out with stuff like the Mobile Virtualization Platform which is a great thing, which is trying to leverage the issues between IT and their employees being happy with their device. Switching gears a little bit, I thought we could talk about VMworld some, I’m lucky to be going this year and I’m sure Symantec will have a large presence there just as you did last year. It seems like many if not all the vendors that will be part of VMworld have or will announce a new offering for the virtual datacenter or one that will partner with vSphere 5. What are some of Symantec’s virtualization security offerings, specifically is there anything on the horizon to complement the release of vSphere 5?
ES: At the end of the day we’re working with VMware on a number of solutions both on the security and availability side. The new version of our Symantec Endpoint Protection 12 which is just becoming available is basically the best way to protect a virtual environment, and the reason is what customers have told us, they want to make their virtual environment as secure as their physical environment but they don’t want to have a security tax where every guest has to be scanned repeatedly. What we’ve done is moved to a model that we call single instance security. For us, we’ve made the capabilities available, we’ve integrated with VMware and you’ll be seeing us show off quite frankly what I’ll call state of the art in the security virtualized environment.
GS: The last thing I had to ask was what is Symantec bringing to VMworld, anything specifically on the horizon for VMworld?
ES: Obviously at VMworld we talk about all the latest technologies, you’ve heard us talk about VRay and some of the other technologies we’re bringing to market so definitely expect us to discuss all the things that we’re doing across the entire portfolio because virtualization for us needs to be all of our products whether they’re products for backing up and recovering, security products, file systems, as you probably know we developed a solution called Application HA with VMware and you’ll see us showcase some of those technologies and probably tell you more about some new things that we’ve done at the event but nothing we can talk about right now.
GS: I’m glad you brought up VRay, I was looking at that a little bit the other night. Tell me more about VRay.
ES: The whole vision of VRay is we want our customers to have as much visibility into a virtualized environment as they do in a physical environment, that’s what’s important. We don’t want them to have different mechanisms for managing from one environment to the other. It’s not something that’s just in one product, it’s something that we use across the portfolio; you’ll be hearing us talk about some of those capabilities at VMworld and beyond. It’s all about visibility, you know how you have an X-ray that allows you to see inside a human body? The thing about VRay is it is something that allows you to see inside your virtual environment.
GS: Alright, looking forward to it. I appreciate your time and I think this will be good information to get out there. It’s always nice to catch up with a busy guy like you and help spread the word about Symantec.
ES: Thanks Greg, good talking to you.