'This is a market with tremendous opportunity'

Michelle Amery

The California-headquartered Symantec Corporation has been furiously gobbling up IT security and consulting companies. The close to $2 billion IT security giant is also changing tack "� it's advocating a new approach to securing data.

On a visit to India last month, her second in about five months, Michelle Amery, Symantec's vice president, Asia Pacific, and Joy Ghosh, enterprise sales director for Asia, talked to Palakunnathu G. Mathai on, among other things, the Indian IT security market. Excerpts:

Is there an awareness of IT security here and is there a desire to something about it?

I think it is no different from anywhere else in the world. It is not necessarily a desire "� there is a desperate need, and there is a requirement, especially if you look at financial services, for people to comply with regulations and they have no choice. So they are working out how to do this most effectively and in the most cost effective way.

What kind of year or year revenue growth is Symantec seeing in India? This would be an indication of the awareness of the need for security

Ghosh: Let me answer that. Close to triple digit.

That must be on a low base.

Not any more. We've been around here since 1999. Now the base is not very small.

Amery: The other thing's that's interesting is the size of the deals we're doing here. This is a market with tremendous opportunity. When you look at how quickly India is bringing on its bandwidth, it's a tremendous opportunity for us. The opportunity in large deals and projects is enormous.

Are the large deals coming from IT companies, BPOs or companies outside this sphere?

Ghosh: It is coming from all over "� financial services, telcos, BPOs and PSUs in these verticals.

In what way is the IT security market changing?

Well, it is changing, and it is not that it's not about technology but it's more about business process and manageability.

You can't have security for security's sake or technology for technology's when it has a very definite business impact on organisations. It is top of mind from a board level perspective in many companies.

I thought it always was top of the mind at senior levels.

Not really. If you went to a CEO and asked him what his security posture was a few years ago, it wasn't top of his mind.

But now as people are being asked to sign off on the integrity of their information, and certainly at the finance level when they are being asked to sign off that they have minimum levels of vsecurity, it's a completely different deal, because that will impact their credit rating and other things.

What does this mean for companies like Symantec? Much bigger business, obviously.

It provides an enormous opportunity to really solve a customer's problems. As this gets more and more complex, fewer and fewer organisations are really capable of resolving them.

I thought there are a lot of IT security companies

There are a lot of IT security companies. But as I said, as it gets more and more complicated, there are fewer and fewer that can solve business needs. They can solve point product technology security needs. We were earlier talking to somebody and he asked whether it is something like the ERP phenomenon. And it absolutely is.

It is about giving a solution that will give an early warning of something that is coming, provide technology that could automatically block that, about providing ways of responsibly and reliably rolling out patches without panicking about it because we have to stop the latest of attack; and giving processes and policies and reporting that will allow me to prove that I am doing the right thing that will help me in compliance issues as well.

You are saying that companies are beginning to offer complete IT security solutions

We are offering a complete solution.

Who else is?

I am not sure that anybody currently plays in the market like the way we do, not all of them. There are people who play in pieces of it. The industry is going to change and is going to consolidate into players that can present a complete picture to customers.

A Gartner paper talks about integrating IT management practices with security practices. This seems to be the big change that is taking place. Can you explain this?

There's been a growing recognition that organisations have been very focused on securing information. Whether they are doing it well enough remains to be seen.

In any IT organisation, you have got your security officer or whoever is responsible for that piece and you have got the rest of the IT organisation that is all about providing the infrastructure so that people can store and use information.

There hasn't been a strong connection between the two of them. You hear about organisations that are expanding and rolling out new machines or whatever.

Security has been allowed to happen after the roll out, in many cases. And what we are saying is, you can't look at these two things separately.

You have look at them together. If you are looking at security as one piece, the objective of the security officer is to tie things down so much that nothing is ever going to get out.

You can't run a business that way. The objective of the IT guys is to just keep things running because that's what customers want from them.

That doesn't keep the information safe. With the kind of attacks we are seeing it's is not just about not being able to get to information because the system's down. It is also about fraudulent use or the impact that hackers can have on the integrity of that information.

So the message that we are giving people has been around four areas. One is your resilient infrastructure "� how do you keep your infrastructure up and your information available to those people that you want to be able to access it?

So we've mapped what a resilient infrastructure would look like from a security and availability perspective.

The second one is about regulatory compliance. It's a fact of life and it's only going to get tougher. So how do we map out solutions that help answer that security problem for customers?

Yes, this is a big issue in India now with offshoring

A huge issue. Not only offshoring, though BPO is obviously is very important. The other one is the banks, regardless of whether they are international or local Indian banks. They also have these kinds of issues, especially with Basle 2.

The third area is around the mobile workforce. It's so easy to bring in a small LAN and hook it up. What about the PDAs and the Blackberrys they're introducing? How much control do you have over what they are introducing into the network?

So how do you tackle that?

It is a mixture of products, of services, it's a mixture of alerting. We call it services, but it's early warning.

The third space we talk to customers is about anti-fraud and this huge rise in the levels of phishing (phishing attacks use e-mails and fraudulent websites designed to fool recipients into divulging personal financial data) and the stealing of confidential information for fraudulent use.

Is there a lot of that in India?

That's going to grow. Clearly, bandwidth is gradually being put in and increasing. So more and more people will get on the internet. As that happens, this issue becomes much more serious.

But talking to some of the telecommunications companies and some of the projects we have been working on in the last six to 12 months, the knowledge of the need for anti-spam solutions is very, very high.

That is a good sign, because some markets that we work in are nowhere near as aware of this.

Are you referring only to telecom companies or lots of other people?

Lots of other people.

Where do you see the market in India heading?

Up (laughs). I don't know the answer to this, but I have some thoughts. Where other markets have gone through that phase of `we'll take best of breed products' "� they've kind of ended up in this situation where they can't manage and say now we'll go into integration.

In India a lot of infrastructure is just coming in. So how quickly will Indian companies recognise the learnings of other companies and jump right into a truly integrated solution?

Just like you've jumped to wireless technologies, there are huge opportunities for Indian companies to save themselves from the whole lot of pain that other companies had to go through in implementing their security solutions.

Is consolidation going on in the industry? Symantec has been buying one company after the other

Looks like we are doing our share (laughs).

Ghosh: Since then we have two consulting companies, one in the US and one in Europe

Why consulting companies?

Ghosh: Because we see a lot of services driving implementation and achitecting. We are presenting a simple high level picture but on the ground these are fairly complex technologies to implement, especially when you implement them to solve business problems.

These are not vanilla products that you can stick and press a magic button.

How many companies did Symantec take over last year?

Ghosh : More than 20. But probably eight major acquisitions were significant additions, versus the small technology company additions.

I would like to ask a question I asked your CEO. A lot of the big IT companies are getting into IT security. Do you see that as a threat?

Amery: Can I show you something? This is a map of what we have in the world.

You can talk of security technologies but most security technologies are going to be reactive, not proactive. Just the number of insights that we get "� I can't even imagine how long it would take a company to go into development.

We have a little over 600 million desktop service points of presence around the world, we have 318 million live update hits a day, people who are relying on our information and also feeding back things that are happening on their machines.

In addition, one of the acquisitions that we did two years ago was Security Focus. We got two things out of that.

One of those was Bugtrack, the premier service for tracking vulnerabilities inside many applications "� there are 4,000 or 4,500 applications from more than 1,200 vendors.

So that is the first level of defence. We get very early understanding of what vulnerable abilities are out there. The other thing we got was a product called Deepsight.

Deepsight is a threat management early warning system. With Deepsight we have 20,000 censors in 180 countries around the world, placed with customers and educational institutions and various networks.

The censors feed us information about internet traffic and what's going on. So it really is a global early warning system for what's going on. To add to that, we have six security operation centres around the world that are managing about 4,300 devices for 500 major companies.

Do you have these in India?

Deepsight is there in India. We have censors in India.

Are attacks being launched from India?

Ghosh: There is a number to that. What is difficult to say is how many of those came from India and how many of those use India for routing.