Emerging Trends in Information Technology
- Publication
- The Empire Club of Canada Addresses (Toronto, Canada), 17 Feb 2005, p. 269-283
- Speaker
- Thompson, John W., Speaker
- Media Type
- Text
- Item Type
- Speeches
- Description
- The speaker's thoughts about the trends emerging in information technology. Information security. Ensuring recoverability from any incidents for the infrastructure. Cost, complexity and compliance as consistent challenges. Regulatory initiatives in Canada, such as PIPEDA. Looking for an integrated solution. Some predictions for the marketplace. The changing motive for attackers. Cyber threats beyond worms and viruses. The need for businesses and government offices to be prepared for both natural and manmade disasters so that the infrastructure can carry on. Prevention vs recovery. Data as the product itself, with an illustrative example. Lessons learned from Slammer. Efforts by Symantec.
- Date of Original
- 17 Feb 2005
- Subject(s)
- Language of Item
- English
- Copyright Statement
- The speeches are free of charge but please note that the Empire Club of Canada retains copyright. Neither the speeches themselves nor any part of their content may be used for any purpose other than personal interest or research without the explicit permission of the Empire Club of Canada.
Views and Opinions Expressed Disclaimer: The views and opinions expressed by the speakers or panelists are those of the speakers or panelists and do not necessarily reflect or represent the official views and opinions, policy or position held by The Empire Club of Canada.
- Contact
- Empire Club of Canada
Email: info@empireclub.org
Website:
Agency street/mail address: Fairmont Royal York Hotel
100 Front Street West, Floor H
Toronto, ON, M5J 1E3
- Full Text
- John W. Thompson
Chairman and CEO, Symantec Corporation
EMERGING TRENDS IN INFORMATION TECHNOLOGY
Chairman: Bart J. Mindszenthy
President, The Empire Club of Canada
Head Table Guests
Gareth Seltzer, President, TWS Canada Group and Past President, The Empire Club of Canada; Johanna Groenberg, Grade 12 Student, Earl Haig Secondary School; Reverend Vic Reigel, Pastoral Staff, Christ Church, Brampton; Jeff Barrett, President, MacMedics; Bryan Roby, Principal, Madison House Associates; John Newton, PhD, PEng, Principal, John Newton Associates Inc.; Lou Natale, Director, The Empire Club of Canada; Christine Peters, Principal, Bump Creative Partners Inc.; Jim Willis, General Manager, Symantec (Canada) Corporation; and Dave MacDonald, President and Director, Softchoice Corp.
Introduction by Bart Mindszenthy
Ladies and gentlemen, I don't know about you, but I remember the serene days when IT spelled and meant "it."
But then along came the computer, and it kept on coming--from monstrous machines taking up huge spaces with miles of cables and hidden in sealed air-conditioned rooms to the desktop work station to the laptop of today.
And with the computer came information in quantities and qualities unlike ever before. And IT really did become "information technology."
And then we discovered the World Wide Web, and e-mail, and online banking and online just about everything.
So whether it's an Intranet or the Internet, our compressed, wired and now wireless world has moved to a new level, a new order.
But that level also brings new threats and dangers. And one glaring threat is security. In fact, Canada's Auditor General just this week reported that the federal government's own systems aren't as secure as they could or should be.
The fact is that security has become a major issue, as bits and bytes fling and flow and disassemble and reassemble by the multi-billions day in and day out. It's become an issue of credibility, reliability, and sometimes even of survival.
We're now living in an "information economy" where data has become not only a product, but perhaps the currency that drives us as individuals and organizations and nations.
Since its formation in 1989, Symantec Corporation has emerged as a global leader in the very field of information security. It provides a broad range of software, appliances and services to ensure secure IT infrastructures to more than 120 million users globally.
The company now has operations in more than 35 countries.
When our guest speaker joined Symantec just five years ago, the company had revenues of some US$630 million. For 2004, revenues were more than tripled at just under US$1.9 billion. So it's rather safe and secure to assume that he's doing something very right.
John Thompson graduated from Florida A&M University and earned his master's degree from MIT's Sloan School of Management.
He then went on to a very successful stint with IBM, latterly including the role of general manager of IBM Americas and a member of its worldwide management council.
As Chairman of the Board and Chief Executive Officer of Symantec, Mr. Thompson has led the way in shaping the company's leadership position in the area of information security software.
Obviously, the President of the United States thought Mr. Thompson had something of deep value to share when he appointed our guest speaker in 2002 to a select committee charged with making recommendations regarding the security of the crucial infrastructure of America.
As well, Mr. Thompson serves on other security-related committees and is a board member of several corporations.
All in all, Mr. Thompson is a very focused, results-oriented, thoughtful and proven leader who brings a huge amount of skill, passion and drive to his job.
Ladies and gentlemen, please welcome to the podium of the Empire Club of Canada the Chairman of the Board and Chief Executive Officer of Symantec Corporation, Mr. John Thompson.
John Thompson
Thank you very much, Bart, for that very gracious introduction, and good afternoon everyone. It's clearly a pleasure to be with you here in Toronto and have an opportunity to speak to such a prestigious audience. It's my understanding that the club dates back more than 100 years, and it's also my understanding that the speeches that are given here are published and provided in a yearbook to secondary schools, to universities, to elementary schools throughout Canada.
Now when I heard about that I thought what an honour, quite an honour. And I started to think about my 10-year-old granddaughter and whether or not she would even pay attention to what I have to say today, much less something that might be in the archives 100 years from now. And so it truly is an honour and, I hope, an opportunity for me to suggest to my granddaughter that there are people who will pay attention to at least one thing that I say.
As Chairman and CEO of Symantec I'm often called upon to talk about what's going on in the Internet and what the trends are that are affecting the IT industry. And so what I'd like to do is share with you what I share with colleagues and friends as well as government officials and regulators around the world--my thoughts about the trends that we see emerging in information technology.
My being invited to speak here today demonstrates the growing interest in and the importance of IT, and the fact that it's no longer an isolated area of responsibility. As a matter of fact the area of IT that we are focused on, information security, has clearly now become a boardroom issue. Now because of that we, as an industry, need to move away from some of the jargon that we use and so we need to eliminate some of the many acronyms--IDS, and UDBM, and AV--so that you can get to the simple essence of what we do, which is protecting the vital infrastructure and information that you rely on to make business decisions, and maybe even personal decisions every day.
We need to make sure that that infrastructure, when put in place, can recover from an incident very quickly, and, more importantly, you have the confidence in which to make appropriate decisions about running your business. And so our job at Symantec is to make sure the applications that you use for business decision making stay up and running no matter what might happen.
As you might imagine the opportunity to speak to audiences carries me to parts of the world near and far. But there's one thing that is common about every place in the world, and that is our customers are dealing with three very, very vexing challenges and they're consistent around the world: cost, complexity and compliance.
Now cost is one that is certainly not a new nemesis to the IT domain; it's something that we've had to deal with for quite some time. As a matter of fact, hardware costs have come down quite substantially over the last few years, but the real challenge for many IT organizations has been the labour cost associated with running and managing their environments. And as more systems and applications are being deployed, as more security vulnerabilities are discovered every day, and as the number of users required to be served by this infrastructure grows, there's no question that cost control is challenging.
The next big challenge is complexity. Your IT departments have traditionally had to deal with the complexity of the computing environment and tried to make it transparent to many of you. They're also managing the ongoing challenge of integrating disparate operating environments from Windows, from Solaris or Unix in a range of operating systems. This is an enormous amount of complexity and it is getting greater, not less, in its difficulty.
Today the Windows environment is still the most exploitive from a security point of view but other platforms, including Linux, are now demonstrating similar weaknesses. And it's this level of platform growth that ensures that there will be attacks on those new environments as well. We at Symantec certainly applaud what Microsoft is doing from the point of view of its security initiatives. We also recognize that what they are doing is necessary, but not necessarily sufficient, for what every large enterprise user must have. Large enterprise users have a requirement for multi-platform or cross platform in the vernacular heterogeneity and therefore it may be impossible for someone who is so focused on one environment to support others. That's why Symantec and other purpose-built companies will in fact be a better alternative for security than someone who is so focused on one particular environment. And we're also mindful that we're not distracted by things like computer games, and things that don't relate to securing your infrastructure.
Compliance is also the new elephant in the room and it's one that we certainly have to be mindful of. You can't avoid bumping into some new regulatory requirement today. Regulatory requirements around retention of records, the discovery and retrieval of information are processes that can in fact determine whether or not your business is running appropriately, and clearly security breach disclosure is a paramount issue.
In Canada you're grappling with a number of regulatory initiatives like PIPEDA. And in the U.S. clearly we are struggling with Sarbanes-Oxley. If you are in one or another vertical industry around North America there are at least one or two regulatory initiatives per industry that you must conform to, and it's in that context that this new elephant in the living room is one that we have to deal with.
Compliance has become a top priority for CEOs around the world and it certainly is wielding considerable influence over IT budgets and IT decisions so it's no exaggeration to suggest to you that it will in fact be the challenge of the 21st century.
In this evermore complex, more costly, more regulated environment, it's no wonder that many of you want a more integrated solution to manage your infrastructure and you'd rather work with a strategic partner who can help you do just that.
Now don't get me wrong, I'm not suggesting that you're going to buy all of your IT solutions from one vendor; that's highly unlikely. But I'm also not naive enough to think that we can't provide more than we do today. So the drive to deal with the vexing challenges of cost, complexity and compliance are in my opinion going to be factors in consolidation in our industry over the course of the next few years. I would predict that our marketplace is going to see fewer vendors, better product integration, improved inoperability and fewer complicated license agreements for all of you to negotiate; in other words fewer hoops and hurdles for all of our customers around the world.
That suggests only a few of us will be able to deal with the growing challenges that you face, and it's my belief that those who are global in nature and well prepared will be able to handle that challenge.
Now one of the things about the security domain that we know is that the motive of the attackers is changing from notoriety amongst a small group of friends to geopolitical power today and in many instances financial gain. At Symantec we identify about 100 new viruses every week and we see about 48 new software vulnerabilities every week, and that vulnerability represents the gap between when someone discovers something and when it gets attacked. Once upon a time that gap represented six months. Today that gap is less than six days. Last March, the Witty worm attacked a vulnerability that had only been disclosed 24 hours before that. And we are clearly on the cusp of what we call day-zero attacks where the vulnerability and the exploit occur almost simultaneously.
As we are all well aware, cyber threats go well beyond malicious activity around worms and viruses. Today spam, spyware, phishing, identity theft and fraud represent the new face of cyber crime. Spam is turning out to be more than the great nuisance. I think Canada's own federal Industry Minister David Emerson described it best when he said, "A few years ago spam was a mild irritant; today it's become the cancer of the e-economy." Spam has become one of the most severe threats to individuals and businesses and today it represents more than 66 per cent of all e-mail traffic.
Phishing, which is spam's evil stepchild, is growing at an alarming rate. From September to October of last year the number of phishing sites, hence the opportunity to steal someone's identity or information that could be of value, doubled in one month. Disguising themselves as well-known, highly reputable institutions like CitiBank or eBay, phishers con unsuspecting consumers into volunteering personal information. In fact their hit rate is 5 per cent. Now that's five times greater than any physical catalogue campaign that a mass marketer would institute.
While the consumer is certainly a victim of this fraud perhaps the greater victims are the banks, the retailers or the government institutions whose brands have been unwittingly compromised and hijacked. Businesses must fight back against scams to protect consumers but also to protect themselves and their brands.
Finally businesses and government offices need to be prepared for both natural and manmade disasters so that infrastructure they are relying on can in fact carry the vital information for their industry. Even something as common as a server failure can have a serious impact on productivity and the profitability of a particular business.
Our own research suggests to us that it costs 10 times as much to recover from a single incident or a disruption than it does to prevent it. Our information is at risk, ladies and gentlemen, and the risk mounts with each and every passing day, as does the value of the information that's being targeted. Information is in fact the lifeblood of almost every organization today and it's worth more than the individual parts that store it, manage it or retrieve it or distribute it, combined. We rely on information to serve customers, doctors rely on information to render diagnosis for patients and utility companies rely on information to distribute energy. So, today, we truly do live in an information-based economy where data is not only the important currency as was suggested by Bart, it increasingly is the product itself. And that product is under increasing attack.
I'd like to share with you a simple story of how that is occurring around the world. Unleashed on January 25, 2003, just a little over two years ago, the Slammer Worm exploited a vulnerability in Windows-based operating environments that had been identified six months earlier. Slammer was aptly named. It slammed the Windows systems rendering them inoperable, doubling its infection rate every eight and a half seconds. It was the first of the so-called Warhol worms, a reference to Andy Warhol's famous quip about everyone having 15 minutes of fame. In Slammer's case it was 10 minutes. It infected 90 per cent of the unprotected servers in just 10 minutes worldwide. Airline flights were cancelled; ATM networks stopped working; whole businesses went down.
The mad dash began to quickly identify vulnerable IT systems and patch them and to make critical backup data sets available. Once Slammer hit, companies struggled to bring their businesses back on line. In some instances it literally took days. It was clear that companies didn't know enough about the IT infrastructure of their environments to take immediate action. They didn't have the necessary processes in place to recover from such a disaster. In the end, the damage exceeded $1 billion worldwide, according to Computer Economics. That's just the clean-up costs. That doesn't even begin to account for lost productivity or lost revenue, or more importantly lost customer trust or customer confidence. So an event like Slammer had a major ripple around the world. Indeed Slammer impacted the global economy in a way that no other single attack ever had and it didn't even carry what we in the trade call a malicious payload.
So what are the lessons that we learned from Slammer? What did Slammer teach us about protecting the information assets that are so critical to our economy? Well we learned that our view of security was far too narrow. We learned that we had to focus not just on protecting the device or the network but more on the information itself. Once the dust settled on Slammer, customers made it clear that we had to serve them differently. We had to protect their information differently. We had to make sure that it was not only secure but that it was available as well. Information that is secure but not available may very well be useless. It's like putting your valuables in a safe and then forgetting the combination all together.
Our goal is to strike the right balance between making information secure and making information generally available. Symantec has been helping customers solve this problem for quite a few years from our simple beginnings in content security to the introduction of our first integrated security appliances about three years ago. Our integrated security solutions have helped many of you, I believe, take cost and complexity out of managing your security environment. Now we need to look beyond cost and complexity to deal with the issues of compliance as well. And today we argue that it's more about an integrated infrastructure approach not just an integrated security approach. It's about seamlessly bridging the divide. That's an important phrase, "bridging the divide," between device management, systems management and network management across a disparate operating environment, because security as traditionally defined is no longer good enough. We're in a different game with different rules and far, far more stringent requirements.
Slammer showed us that even when we as security professionals did everything right, alerted our customers to the impending threat, updated signatures and definitions, and recommended a response, it just wasn't adequate. Traditional security wasn't then enough and today even integrated appliances fall short of some of the requirements that our customers have. They couldn't ensure that their business would stay up and running no matter what. Therefore new proactive technologies incorporated into the concept of an integrated security appliance will in fact help prevent some attacks but then the question becomes one of recovery.
Our researchers have been hard at work to stay ahead of the attackers and making the process of security far less costly and far less complex. But we must shift our game to offence, where we are driving the overall process of protecting critical information, not just responding to known threats or visible attacks. In other words we must take an approach to this far more proactive and far more holistic in dealing with the issues before information is compromised, stolen, affected or misused.
After Slammer we realized that to be a strategic partner to our customers we really had to take a more bold step. We had to connect external threat information that we have in our laboratories with internal knowledge that customers have about their operating environments. While an external early warning system is clearly a valuable asset and a valuable head start, if you can view into the horizon, it doesn't necessarily save all of your assets. It would be like a hurricane brewing on the horizon where you know from the radar that it's on its way and you know that it's going to hit within a few hours. That's good to know; you still need to get plywood and duct tape and take all of the necessary precautions to board up your windows. Now imagine, however, if the radar tracking a hurricane's progress could talk to your home, could in fact trigger the automatic activation of your hurricane shutters and the automatic activation of sump pumps.
To truly protect assets, we need to be able to act on external threat information and have that talk to the IT infrastructure and have it drive process and change. Let's imagine a scenario. What if an external threat could alert and trigger an internal audit? You could instantly identify the systems that might be vulnerable to an attack. Take it a step further. What if the external alert could tell systems to patch processes or applications in those vulnerable systems and automatically update those that are unprotected? What if external intelligence could prompt more frequent backups of critical data from an end-user device all the way up to the largest data centre in our mainframe environment? What if the early warning system could trigger the automatic fail over to a secure network environment and prompt the restoration to a trusted state once the threat level had passed? And what if all those actions could produce an audit trail to ensure your policies and processes were conforming to internal or external compliance requirements?
Now we could argue, and I think you would agree, that would be pretty useful. However, that might be challenging to implement. And so the question for Symantec after our analysis of the Slammer attack is: how do we start to work towards delivering that level of critical infrastructure protection? After Slammer, we realized that we needed to strengthen our portfolio in areas of asset management and storage management so that we could deliver that kind of solution to you around the world. By combining the unparalleled capability that we have in security intelligence with the capability to understand what systems environments customers were wanting, we could take an important step forward in critical infrastructure protection.
So we made two simple acquisitions of little companies called PowerQuest and ON Technology. These were not security companies and many said, "I don't understand that." They specialized in data recovery, in client and server provisioning, in inventory and asset tracking, in software distribution and patch management; all critical items for managing the IT environment, but they're not security technologies. At that point we could offer both security and availability solutions with one small caveat; we could only do it in a Windows environment. And there are, to the best of my knowledge, certainly few large enterprises that are Windows only. So to serve the needs of customers we certainly needed to have a far more comprehensive portfolio.
And it was out of that simple concept of how do we serve the needs of customers better that our merger with VERITAS was born. Pure and simple: it marries the market leader in security technologies with the market leader in storage and availability management. And it gives us depth of capability across every single platform being deployed by a large enterprise customer around the world. The new Symantec following the merger with VERITAS will serve the full spectrum of customers--from consumers to the largest government and commercial users around the world. We will operate at all tiers of the IT infrastructure and on virtually every single platform.
So let's take a look at an area where we think wonderful synergies between these two might come into play. Compliance is about understanding risk and developing strategies to mitigate risk. The compliance process requires protection and remediation technologies coupled with policy management solutions.
Symantec has many tools and services that can help information technology teams navigate their way through the growing thicket to ensure regulatory compliance, but an integrated solution also requires capability to ensure that the data is maintained and it is available at the data centre level all the way down to the individual PC level.
It also requires cataloguing and indexing of capabilities for discovery and retrieval. In some industries today the storage and retrieval of e-mail messages is almost as important as the banking or financial information about the company. Sure, you could cobble all of these together with various vendors, but getting them from one might certainly make the process simpler and less complex.
Looking at the information security needs through the eyes of a business executive today it's clear that there are heavy demands weighing on your agenda, all requiring immediate action. You need to reduce the risk of managing your information. You're worried about security and privacy and the availability of the data itself. You want to shield the information you safeguard from threats and you need to prove to regulators that you can produce accurate, auditable records upon demand. And as security and availability converge, it's my strong sense that your security teams will focus more on managing and mitigating risks as opposed to blocking attacks.
Already we are seeing the emergence of risk management groups with a far more over-arching responsibility for information management across the entire enterprise. It's in this space that we believe that there will be a redefinition of roles, a redefinition of the role of what security is performed and how security is managed across the large enterprise. No longer will we be the custodians of information security; we are the stewards, I believe, of the integrated infrastructure challenged with making them both more secure and more available.
The annals of commerce are filled with examples of companies who have transformed their model and in doing so transformed their industry. Perhaps a classic example that I'm familiar with is from the package delivery business. In 1998 UPS embarked on a transformation that was, as its CEO, Mike Eskew, described, as radical as any it had done in its 97-year history. They no longer wanted to describe themselves as just being in the package-delivery business. No longer were they responsible for the pick-up and delivery of small packages. They viewed that they were in the global logistics and supply-chain management business. Its new charter was to enable global commerce, the flow of goods, information and funds all on an international scale.
Today, UPS acts as the fulfillment centre for Nike.com; it's the repair centre for Toshiba laptops; it even recycles many of the old discarded PCs that many of you may have got rid of.
I would argue that we're at a very similar juncture in the information security industry's life cycle. We are at the cusp of an enormous opportunity on the frontier for information technology. Our paradigm has shifted. Until today we chartered this frontier of the IT environment as security specialists. We patrolled its borders, we spotted threats and we alerted those at risk. It's time for us to do more. It's time for us to do more than raise red flags and block threats.
Integrated infrastructure management means addressing all forms of risk before they strike as well as after. It's about disaster recovery. It's about systems availability. It's about proactive protection of the entire infrastructure, especially the information. In the old paradigm we were only as good as the last update. In the new paradigm, sensors will prevent attacks. And when they can't, alerts will trigger a patch distribution and provisioning and backups so information stays secure and available, and information technologists stay focused on innovating instead of fighting fires.
In a world where our most vital and valuable asset, information, roams the Internet, where network walls no longer exist, where the threats to information are rampant and accelerating, the regulatory demands for security and privacy are incessant. We need to move beyond a security-only focus and stake out our place, I argue, in the information management category. But these are only the first steps in an ongoing journey. There's still more that we can do in expanding our role to managing systems availability. Network access and performance of applications must be a part of that critical mission, helping our customers manage and protect the content that rides over the Internet.
Leaders never follow and innovators see opportunities often where others don't. Fortune always favours the bold. Those who take proactive and comprehensive approaches to ensuring the integrity of the information and the resilience of the infrastructure in the future will, in fact, be the winners in the IT game. To get real value out of the information assets we truly must protect them. We must balance the needs of availability with the imperative for security, and we need to expand beyond the traditional borders if we want to effectively address both of those needs. At Symantec we intend to lead, we intend to innovate, and we intend to be the first movers so that we can, in fact, continue to be your trusted advisor.
I thank you so much for the opportunity to be a part of the Empire Club's event today and I thank you even more for your support and trust and confidence in our company. Thank you very much.
The appreciation of the meeting was expressed by Lou Natale, Director, The Empire Club of Canada.