Symantec Corp. is trying to change its role in the pantheon of security software providers with a risk-management study showing that misunderstanding is the cause of misaligned security spending, and that its advice is the way to correct the balance.
Aside from the new approach, a refinement of the Symantec Security 2.0 strategy it unveiled in October, the company plans to announce Monday a revamp of its channel program to focus on its new orientation.
It will also try to expand its services business to as much as $1 billion of the $10 billion annual revenue Symantec CEO John Thompson has predicted the company will generate by 2010. The services will be based on its agent-based security products integrated with both server-based products and services supplied directly from Symantec or its partners.
A consumer implementation of the idea called Norton360 -- which is designed to add online transaction security and automated backup to a customer's Symantec desktop software -- went into Beta test in November.
The practicality of the approach, Symantec's ability to make even a practical plan work, and the question of whether Symantec is the right company to become the center player in an identity protection network are all open to question, according to Mike Rothman, president and principal analyst of SecurityIncite, and a SearchSecurityChannel.com columnist.
"Whether they price and package as a 'service,' it's still an anti-virus agent they are trying to keep on the desktop. I'm skeptical. Symantec's ability to execute has been terrible over the past few years. Consumer has been better, but it's still an open question," Rothman said. "And the $1 billion number is a red herring. What had traditionally been software revenue may be reclassified as 'services,' but it's more about whether the pie is growing."
The study is a survey of 528 IT professionals in 37 industries whose responses -- according to Jeremy Ward, service development director for Symantec Global Services -- show that top-level managers and security specialists have wildly differing views on what their risks are, and how well their organizations quash those risks.
The study found that respondents at the highest managerial level and those at the lowest were the most concerned about IT risk, but that respondents at every level tended to overestimate their own ability to mitigate risk and underestimate the ability of others.
IT managers, for example, were far more likely to believe the organization's security technology countered three-quarters of the potential risks than were top-level executives. However, higher-level executives tended to believe changes in process were far more effective in mitigating risk than any other group.
Comparing perceptions of risk and actual security incidents, Ward said, shows that the organizations that were victimized least often were not those who were stars in either security technology or in process controls. Those with moderate levels of response in each of 12 risk areas had the lowest level of actual loss, he said.
The report recommends a five-step policy development process that includes evaluations of both technical and process-oriented risk areas, the creation of a holistic solution that covers both areas of risk, and deployment of a plan that integrates both technology and process-oriented approaches.
Not coincidentally, the next day Symantec CEO John Thompson said in his keynote at the RSA security conference in San Francisco that the computer industry should abandon its one-vendor-supplies-all approach to security in favor of an approach that balances business and technical risks in a coordinated way.
Customers need to store and archive security events and relate them to one another, he said. They have to know if they're in compliance with internal IT policies or federal regulations, train their own people in new processes and hire new people who can create and enforce those policies.
"It will take security companies and customers partnering together to secure customer data," Thompson said. "We're talking about a user-centric approach compared to a technical or device-centric approach. You have to protect the end user and their information, not just the device."
Also not coincidentally, Symantec has announced a rash of acquisitions, new products and product enhancements over the last couple of weeks, including identity management and data security reporting products that provide the kind of end-to-end data and identity security approach Thompson recommended.
The next step is an update to Symantec's channel program, which is expected to include new services and incentives for channel partners offering integrated, multivendor security services, along with enhancements to streamline the integration of its channel with that of Veritas, which it acquired in 2005.
The announcement is due Monday, Feb. 12.