Online Extra: Q&A with Symantec's John Thompson

The computer security giant's CEO talks about the ever-more threatening environment -- and his growth plans

John Thompson runs scared every day. That's because the longtime IBM (IBM) executive, who took over as chief executive of Symantec (SYMC) five years ago, is intimately familiar with the escalating number of virus attacks on corporate networks, and the defenses necessary to protect them. Indeed, viruses, the pox on computer security, are the motivating force that has made Symantec the world's leading computer-security company and Thompson one of the field's most respected leaders. He spoke recently with BusinessWeek Correspondent Brian Grow. Edited excerpts from their conversation follow:

Q: What's driving the rapid increases in corporate info-tech spending on security -- estimated to go from 5% of total IT budgets now to 8% by 2007? What has changed?


What's driving the desire by chief information officers around the world to invest in security is the change in the threat environment. Our Internet Security Threat report clearly identified three important trends: the rate of propagation in virus and worm activity is accelerating, the new number of [computer] vulnerabilities is also accelerating, and there's a desire on the part of the malicious attackers to perpetuate this stuff more frequently than ever before. That's driving not just large companies, but midsize firms and individuals to want to protect themselves from this newfound activity.

What has changed is the relative proportion of [IT] budgets that companies are contemplating to allocate to security. Not too many years ago, it wasn't unheard of for a company to allocate less than 2% of their IT spending to security. Today, that's starting to creep up to the 4% to 5% range. And some of the enterprises that are more digitally oriented -- financial services, insurance companies, and health care -- are starting to push up into the 10% to 12% range. That's an important trend for not just our business, but the [computer-security] industry in general.

Q: At a time when it's highly advantageous for security companies to have a broad portfolio of security products and services, Symantec is doing this through acquisition rather than developing them in-house. Why?


First off, a number of years ago, we recognized that this was an emerging trend. We launched the first set of integrated security appliances that hit the market in the spring of 2002. Those were organically developed products, not products that came through acquisition. They're called Symantec Gateway Security (SGS) appliance products.

While we have, in fact, looked at acquisitions as a way to expand our presence in the market, the real leverage for us is to take our core antivirus capability and leverage that across other technologies to deliver a more complete solution.

Q: How would you describe Symantec's mergers and acquisitions strategy?


It's centered around three principal issues: time to market, market expansion, and early-stage technology, where you get not just technology, but a very highly skilled team. To the extent that we need to quickly enter a market, we'll establish a relationship with a market leader or someone with a strong presence.

To the extent that we're looking to expand the market for our company, we look for acquisitions, because they bring in skills and products. Where we might not have a technology edge, for example in high-scale, event-correlation technology, we might buy a small company where they have it already up and running -- and maybe patented, which makes it even more valuable.

Q: Last month you acquired e-mail-security firm Brightmail. How does that company meet your M&A criteria?


Brightmail is clearly the market leader in anti-spam. While we're the market leader for [blocking] spam at the desktop, Brightmail is the leader for [blocking] spam at the gateway. They bring a well-established position and a very sharp team to Symantec.

Q: What's next on your buying list?


If I told you that, I'd have to kill you. It would be fair to say that we've outlined a strategy that's about securing and managing the IT infrastructure. While we've got terrific capability in the security domain, there are a number of important areas in enterprise administration and management that we would like to move into.

Furthermore, while we have a strong foothold in the services business around managed-security services, we would like to have a stronger consulting and administration capability.

Q: More companies are willing to outsource their network security, and companies like Verisign (VRSN) are moving into managed security. Do you plan to make services a larger component of Symantec's portfolio? How?


It's clear that more customers are finding themselves in a position of not having the skills to deliver effective security. So they will turn to a trusted partner like Symantec to provide those skills and operational rigor through our managed-security services or consulting teams. We think that's a huge opportunity for growth for us, and we'll be investing more in that area for sure.

Q: What's the next evolutionary product crucial to effective network security? Early-warning systems? Integrated security software, hardware, and services?


We think the real opportunity comes from applying the insights we have from our Deepsight [early-warning] database to the operational tools that we have for space management, configuration management, and server provisioning. To the extent that you can help ward off an attack by taking corrective action, that's a substantial move forward in the security and network-management arena. That's why we acquired PowerQuest and ON Technologies six to eight months ago.

Q: Your stock price goes up and your profits get bigger every time there's a new big virus attack. Do you foresee a point where viruses are made ineffective in attacking corporate networks?


The more we and customers do to think about the process of securing their environment, it will make the kinds of attacks that we're seeing today less effective. But what we've seen is that about every 15 to 18 months, there's a new form of attack that makes some of the old technologies or processes less effective.

So we don't foresee in the near future that the attack spectrum is going to change. We think that, if anything, the attackers are going to become more aggressive. Therefore, more vigilance will have to be applied.

Q: Is network security increasingly an intelligence game?


Absolutely. Symantec's Deepsight collects information from 20,000 network sensors in 180 countries around the world. We have a set of skilled professionals to analyze attack information to be able to warn our customers in advance of the possibility of an attack or the presence of an attack.

We think early warnings will go a long way to mitigating some of the risk. We have to be very vigilant about the vulnerabilities that are being discovered by hackers and crackers.
