Friend and Foe of Microsoft
Symantec's chief John W. Thompson talks about co-opetition with Microsoft, the security market landscape and the company's Software as a Service and open source strategies.
Symantec Corp. Chairman and CEO John W. Thompson isn't one to back away from
a fight. Good thing, because those combative skills figure to be valuable in
his ongoing battles with Microsoft in the security market -- a market in which
Microsoft appears hell-bent on taking significant market share. Several times
in recent years he has shown little reluctance in confronting the software giant
for the misuse of its monopoly position or reluctance to work closely enough
with "co-opetitors," including Symantec, on issues involving application
Answering a question about if it's a bad thing for the industry that so many
application vendors aren't willing to go up against Microsoft one-on-one in
key markets, Thompson gives a typically direct answer: "I don't know if
it is or it isn't. What I do know is, it's a good thing for our company. I want
every employee, customer and channel partner associated with our company to
know that we stand for something -- great innovation -- and we won't be constrained
by a monopolist."
Since Thompson, 57, took over the reins of Symantec in 1999, the company's
revenues have grown from $632 million to $5.2 billion in 2006. He has accomplished
this, in part, by reshaping the company's focus of producing just desktop software
utilities to one that produces a range of Internet security products.
Before coming to Symantec, Thompson worked at IBM Corp. for 28 years, holding
senior executive positions in sales, marketing and software development. He
also served during that time as a member of IBM's Worldwide Management Council.
In the fall of 2002 he was appointed by President George Bush to the National
Infrastructure Advisory Committee, responsible for making recommendations about
the critical infrastructure of the United States.
In a wide-ranging interview, Thompson sat down with Ed Scannell, Redmond's
editor, and Doug Barney, Redmond's editor in chief, to discuss a number
of issues and trends including, of course, Microsoft as a dominating presence,
Symantec's evolving open source and Software as a Service (SaaS) strategies,
and the growing influence of Google Inc.
Redmond: What have you learned, as chairman and CEO of Symantec,
about co-opetition with Microsoft over the past eight years?
Thompson: Microsoft over the last eight years, to be fair, has been
more partner than competitor. While there has been a lot of rhetoric over the
last two-and-a-half years about their aspirations in the security space, it
hasn't really materialized as significant competition -- yet. The operative
word there is "yet," because we know that Microsoft has a formidable
R&D engine. They have a desire to get into security, but their Release 1.0
product is rarely as good as it can be -- but they stay on the march. We anticipate
we'll have to deal with the forces of Microsoft on the competition side much
more stringently than we've seen over the course of the last eight years.
Has Microsoft taken a more enlightened attitude over this period of time
toward ISVs, or has there been little change?
As the software industry matures and as Microsoft's footprint gets bigger,
and as all of us have aspirations of delivering more complete solutions, you're
going to bump into Microsoft or IBM or another large-footprint software company
quite often. I think what we've learned is we must balance the two sides of
our brain: the one side that competes with them juxtaposed to the other side
that partners with them. We're not unmindful that of the $5.2 billion in revenue
our company generated last year about $3.5 to $4.0 billion of that came off
of the Microsoft platform. The only way we can do that effectively is to do
a good job of partnering with Microsoft's engineering teams so our solutions
work well in their environment.
You had some hard words earlier this year about them not sharing code for
Vista development purposes.
There were clearly issues between our companies around access to advances they
were making in Vista, debates we had about what should have been appropriate
kernel-level access so we could continue to innovate. And while we tried to
resolve those issues amicably between the two of us, the dispute rolled out
into the public domain. I've never been one to back away from a public fight
if that's the forum the adversary wants to put it in.
And was that issue resolved by the time they delivered GA code?
Yes it was. After a fairly public dispute about the Windows Security Center
and Patch Guard, we asked Microsoft to make sure that Patch Guard was an option.
Their position for a long time had been no, no, no, no, Patch Guard will be
mandatory. Well, they eventually capitulated and Patch Guard is now an option.
We had asked them to make sure there was some form of trusted access to the
kernel and they again said no, no, no, no. So we said, "Look, this is the
only way in which we can ensure that we can continue to innovate around Windows
and deliver advanced security technologies ahead of what the hackers might deliver."
So now they have a specification that allows trusted access to the kernel, which
we're comfortable with.
Symantec is one of the few large, independent software companies that hasn't
pursued an aggressive open source strategy as a way to compete more effectively
against Microsoft. Why not?
There are two ways to play in the open source world. One is to take much of
the IP and make choices about whether we contribute it to the open source community
or not. Another way is to use open source modules or capabilities and embed
them within your products. We choose to do the latter as opposed to the former.
There may be opportunities for us around some of our core technologies like
volume management and file systems, maybe even clustering; for us to consider
contributing those to the open source community. But we haven't crossed that
chasm just yet. What we've chosen to do is to contribute those technologies
to a joint venture company -- the one we created with the largest provider of
telecommunications technologies in China.
Can you assess the quality of education in larger IT shops for security
technologies and issues?
The answer to that question varies by vertical markets. If you look at the
financial services sector, they do a significant amount of spending on security
technologies as well as the education, training and business processes around
the technology. But if you go to the other end of the scale to durable-goods
manufacturing companies, you'll find they spend a disproportionately smaller
amount of either the IT budget or percent of revenue. And this is where we have
to see a greater level of investment around the world.
President Bush appointed you in 2002 to the National Infrastructure Advisory
Committee, responsible for making recommendations on the critical infrastructure
in the United States. Can you tell me what sort of influence you had as part
of that committee?
I'm not sure much, given that I'm a Democrat. [Laughs] In actuality it has
been a great opportunity to give something back. Unfortunately, because of my
health as a young child, I never got to participate in the military -- I had
asthma -- and so this was one way to have some giveback to our country.
Our focus is the clear intersection between the physical infrastructure of
the country and its cyber infrastructure. So think about it: The electric grid
isn't just a series of generation facilities in wires, it has computers that
control the generation of the electricity and the transfer of the electricity
through various gates across the United States. If there was ever a cyber attack,
it would render the grid inoperable, so you'd like to understand what the consequences
of that might be. But more importantly, how you can mitigate the risk.
In a speech earlier this year you talked about the battleground for security
moving beyond securing devices and infrastructure, to protecting data being
shared in online transactions. You said you believe the network perimeter can't
be locked down.
Well, the reality now is that there are so many PCs out there and so many forms
and vectors of attack, people want to know the transaction they're engaged in
is a secure one. So our view is that you have to move security well beyond the
device and closer to the actual transactions occurring online. That's a different
paradigm and one that comes with the maturity of the security segment of the
industry. That doesn't suggest you don't need firewalls and intrusion sensors
and anti-virus agents, but it does suggest those things are a compliment to
a new class of security technologies that will have to evolve over time.
A recent news story surfaced about the FBI planting spyware into a MySpace
page to catch someone making bomb threats to a high school. Does Symantec's
virus-protection tool have some sort of Patriot Act backdoor in it for federal
Would you under any circumstances work with a federal agency to help them
to nail someone like this?
Look, we're a global company and we have customers from all governments all
over the world. And so we're not going to do something that puts our investors'
interests at risk.
Years after Symantec got into the anti-virus business, Microsoft is now
in your backyard with anti-virus software with Forefront. Is it fair for them
to be in the anti-virus marketplace?
I won't argue whether it's fair or not. I think all commercial enterprises
have a desire to grow and prosper and Microsoft has as much a right to aspire
to that as we do. The debate about fairness becomes clearer to me when you ask:
"At what point does Microsoft use the abusive control they have over the
OS environment to their advantage or the disadvantage of users around the world?"
I have no issue competing with Microsoft as long as it's a level playing field.
If Microsoft wants to innovate as we have in the security space, we welcome
that. But don't do something that tilts the playing field to their advantage
because they control the underlying operating system.
How can the industry better ensure that doesn't happen? There have been
plenty of cases like the undocumented APIs back in the 1980s that demonstrated
they almost have a built-in unfair advantage.
The oversight of the European Union gives us some degree of confidence that
there will be a leveler playing field than it may have been in the past. While
one could argue that the United States has taken a more passive view of Microsoft,
the EU has certainly been willing to hold them to task to live up to what they
agreed to in their resolution of the case there in Europe. More importantly,
we've got to continue to innovate in order to deliver the level of innovation
Do you think you'll get help in this regard through trends like SaaS and
the OS in the cloud concept?
There is a "back to the future" paradigm shift going on right now
where big servers in the sky are going to support small, limited-function clients
out at the end of the wire. And as that continues to evolve and accelerate,
it certainly weakens the control Microsoft has over the industry. I think that's
good for the whole industry. It puts Microsoft in a position of having to get
back to innovating and stop trying to monopolize.
Are you putting more of your R&D monies into SaaS strategies?
We've already launched our platform called the Symantec Protection Network,
and the first service we'll deliver on top of that platform is an online backup
service targeted at small and midsize companies. We expect to launch that service
within the next 60 to 90 days.
You've had a pretty active acquisition strategy this decade; can you give
us an idea of what you've accomplished and a look forward?
We had an interesting "aha" moment after the Slammer attack in 2003.
We recognized the problem was that many of the systems that got breached during
that attack were systems that had been vulnerable for six months or more, yet
users hadn't taken the necessary steps to patch or remediate the problems. It
became clear to us we needed not just security technologies in our portfolio,
but management tools to help with the process of security in our portfolio as
well. So we went out and bought Power Quest and On Technologies. We bought Veritas,
which moved us closer to protecting digital content or data, and then we bought
Altiris in April of this year. This is all around the notion that ultimately
security, storage and systems management-related technologies will all converge
-- that it will be about a more resilient infrastructure.
And then you'll deliver these as a service, maybe on an on-demand or as-needed
That was a short answer, John.
Think about it. We're the world's largest provider of backup software and there
are many small to midsize companies today that have an enormous amount of digital
content they haven't adequately protected. And protection in this form isn't
protecting it from malicious content, but protecting it from loss should there
be some catastrophic outage that would occur in their business environment.
So we could offer a series of services that would allow them a level of protection.
So on top of the managed security services offerings we have, why not deliver
a managed-backup service as well? Once you've got that in place, why not deliver
a managed-mail service? Why not deliver a managed-security client? Why not deliver
a managed PC? There are a full range of things that can be done on top of this
base network infrastructure that we'll put in place.
Can you assess the job Microsoft has done with security inside Windows Vista?
Well, school is still out until they deliver the first service pack. I think
in the main they've done a much better job with Vista than XP, and they did
a better job with XP than they did in Windows 2000. So they've incrementally
improved the OS at every level. Remember, Windows wasn't designed to do what
it's doing. Windows was designed to support one user on one PC. So there's a
great technology feat that has been undertaken by Microsoft bringing forward
a huge amount of legacy software while they expanded Windows from a single-user
environment to a multi-user environment. But we shouldn't assume that they're
the answer to security.
There are an awful lot of things purpose-built companies like Symantec do in
the industry that make Windows a better experience for users. It may behoove
Microsoft to think about which battle it really wants to wage. Would they rather
fight Google or Symantec? Would they rather worry about the emerging world of
SaaS or anti-virus at the desktop? I'm not convinced this is the one they should
put a lot of energy into. Google is more impactful for Microsoft strategically
than worrying about an anti-virus agent on every desktop.
How, for instance?
Look, with Google's business model and the attraction they have to software
engineers and the relationships they're building with consumers around the world,
Microsoft had better pay attention. With the success of Salesforce.com's model,
they better pay attention. That makes sense to me, strategically.
Generally how impressed are you with Google?
They've done a terrific job. I was over at Google recently and I was amazed.
They had a group of summer interns -- three or four of these kids were Ph.D.s
in mathematics and physics and they were interning at Google. That feels to
me what Microsoft was like 20 years ago.
Google was called before some Washington sub-committees to explain a few
of its acquisitions. Is Google becoming the Microsoft of the Web 2.0 age?
Any time you have the rapid success they've had, or that Microsoft had, it
causes people to pause to understand what it means. Given the seat Google sits
in right now where they have a great deal of control over the flow of information
and digital content, I think people perhaps unnecessarily but knowingly worry
about the degree of influence that they ultimately might exert. I don't think
that's their intent, but that's not for me to decide -- that's for Eric [Schmidt]
who leads Google or for people in Washington. I think Washington would be better
to sit back and observe for a while as opposed to exerting any regulatory oversight.