http://www.eweek.com/article2/0,1759,1621945,00.asp
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/01/04/BUG78426I51.DTL
SYMANTEC CORP.
On the record: John Thompson (Symantec CEO)
Sunday, January 4, 2004
John Thompson, 54, is chairman and chief executive officer of Symantec
Corp. in Cupertino, which is involved in Internet security technology.
Symantec, which employs more than 5,000 people in 36 countries, develops
and sells a broad range of content and network security software to
individuals and businesses. A 27-year veteran of IBM Corp., Thompson
joined Symantec in 1999. He sat down last month with a group of
Chronicle reporters and editors to discuss his company and industry. The
following interview has been edited for space and clarity.
Q: Consumers know Symantec because they've seen that yellow Norton box
in the store. Perhaps you could provide a picture of where the company's
been and where it's heading.
A: Symantec probably has been best known for its Norton brand of
(anti-virus software) products. The company was founded in 1982, taken public
in 1989 and acquired the Peter Norton Group in 1990. Symantec
concentrated during the first 15 years or so of its existence primarily
on PC tools targeted at the consumer and the small business buyer.
It was my impression when I arrived that that had become less relevant
as a strategy, because it was more oriented around distribution than
technology itself.
We needed to center our portfolio around a collection of technologies,
and that collection of technologies became security. Today, we are a
security-focused company targeting individual consumers and large
corporate or governmental users.
Q: How vulnerable is the United States to a terrorist attack via the
Internet, particularly since Sept. 11, 2001? What precautionary steps
have been taken since Sept. 11, and what more needs to be done?
A: I don't think 9/11 created new vulnerabilities for America's cyber
infrastructure. What 9/11 did was raise awareness around the world that
our infrastructure is interlaced, that you can't separate the
cyber-infrastructure from the electricity grid.
Furthermore, in the cyber arena right after 9/11, specifically on Sept.
18, we had a watershed event around the world -- the attack of the Nimda
worm. That created a broader level of awareness that many individuals
and small businesses were awakened to.
Then came the (computer virus) attacks of August 2003. Never before had
we seen four broad-based attacks in a span of 10 days or less.
Those events raised awareness of the need for people to secure their
environments. It's also been a catalyst for growth for many of the
companies that play in this sector.
Q: Tell us about the joint venture you've got with Cisco and several
other companies to come up with a coordinated defense against these
problems.
A: You cannot solve the security problem that has emerged in the
connected world in isolation. Companies that deliver technologies that
create connectivity must work together.
After 18 months to two years of discussions, we've come to terms on an
approach that would allow an individual or corporate user who has a
certain set of technologies deployed on their PC device to be checked
for the status of that device when they access a network.
It would be like airport security. You get checked when you're trying to
gain access to the airport, to make sure you don't have -- or do have --
certain things. You do have a driver's license or a valid ID card. You
don't have explosives, guns or knives.
What you'd love to be able to do in the cyber world is make sure that a
device that's trying to gain access to the network doesn't possess a
virus or isn't carrying a malicious payload of some sort that could
create harm to other parts of the network.
Q: How do you respond to those who say Symantec hypes the threat of
viruses and worms as a way to increase sales?
A: There's an old expression that opinions are like noses. Some people
choose to blow theirs more often than not. I think that opinion stinks,
because there's nothing further from the truth.
Now I can't speak for others in the industry. But we have a very
rigorous process by which we evaluate an attack and put a rating on it.
Q: I've talked to a lot of security experts who say companies like
Symantec are just taking a Band-Aid approach. They say what really needs
to be done is that Microsoft and other companies need to start making
secure products. Do you look at it that way?
A: This is not about Microsoft. Every company in the industry can do
more to create a more-secure product. The interesting conflict we have
is that software development is a combination of both science and art.
When you practice the science to its fullest extent, it's likely you'll
create more-secure code. But the art is the exciting part and the part
that gives companies user excitement. When you blend the two, sometimes
you create a problem.
The issue for Microsoft is it has more code in the environment than
anyone else, hence it's a more target-rich environment. So Microsoft
happens to be the beneficiary of those kinds of activities.
Q: Have we just been lucky so far? For all the problems created by
hackers or by those spreading viruses on the Internet, we haven't been
hit by terrorists or by those seeking some greater evil.
A: The Internet has facilitated an opportunity for people with more than
just simple maliciousness to take advantage of unsuspecting companies or
individuals.
It's created an opportunity for people who have a financial motive, a
geopolitical motive or a criminal motive to exploit the vulnerabilities
that exist in software products, and more importantly, the
vulnerabilities or lack of awareness that exist in individual users and
small businesses. That is the most significant issue we face.
These people might have an intent to steal your identity, which has
become a huge problem on the Web. They might have an intent to steal
your credit cards.
Consumers don't understand the simple precautions they can take to
protect themselves when they're online. If we could raise the awareness
level around the world to this problem, we could drive down the impact
of a virus attack or worm attack exponentially.
Q: Do you have a couple of suggestions for our readers?
A: It took us awhile to get from the awareness of the benefit of seat
belts to the point where it's now instinctive to buckle up.
It's going to take that level of repetitive messaging to get to the
point in the cyber world where you wouldn't think of going online
without having an anti-virus product. You wouldn't think of going online
with a broadband connection without having a personal firewall.
Q: You were appointed by President Bush to the National Infrastructure
Advisory Council in 2002. Does Washington understand these issues?
A: The council is made up of about 25 executives from all critical
infrastructure components of the U.S. economy. Craig Barrett of Intel
and John Chambers of Cisco are members. There are representatives from
the airline, electric utility and banking industries.
The project I've been most involved with is how we manage the release of
information about vulnerabilities and systems. That's an important issue
for us to have some general agreement on, given how cyber-connected we
all are.
Q: And it's controversial how to release these things, too, right?
A: Well, in my mind, it shouldn't be. There's a code of conduct.
Q: Microsoft doesn't want it to be public.
A: That's not true. What Microsoft wants is for people to follow a
standard code of conduct. If we can agree on a code of conduct and
adhere to it, I don't think anybody would have an issue with it --
including Microsoft.
Q: You talked about codifying conduct. What about the open-source
community? What's your take on this incredibly robust community of
computing that might not be as easy to rein in?
A: I'm not sure I understand what you mean by "might not be as easy to
rein in." Do you think Microsoft is easy to rein in? (Laughter) Did I
miss something?
Q: I guess my question is: Can you secure an open-source environment?
A: There isn't anything inherently less or more secure about open
source. The issue will be: To what extent are people willing to avail
themselves of free software that has not gone through the same quality
standards, the same security process? It's an issue of buyer beware, I
would argue.
_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://www.immunitysec.com/mailman/listinfo/dailydave
Received on Jul 19 2004