
Secure Computing’s CEO on infosec industry to 2010

John McNulty is the CEO of Secure Computing, which recently acquired firewall vendor Cyberguard. As chairman and CEO of Secure Computing, John McNulty has over thirty years’ experience in the hi-tech industry. Before joining Secure Computing, he was senior vice president sales, services and business development at Genesys Telecommunications Laboratories. Prior to Genesys, he was with Intel Corporation, where in his last position he was director of marketing and business development for the enterprise server group, which he launched.

Brian McKenna recently spoke to Mr McNulty about the vendor’s strategy, the rationale for the Cyberguard merger, and the security industry’s next five years.

To begin with, could you sum up where Secure Computing is positioned, in 2006, following the acquisition of Cyberguard?

The acquisition combination we did with Cyberguard was a real important one for us because it marked what I would characterize as a crossing of the Rubicon as far as what our future strategy will be for the next five years. We had reached, in a strategic analysis made at the end of 2004, a fork in the road; we needed to decide if we would grow only organically, making small, opportunistic acquisitions, or try and become a much more significant security player – size-wise and position-wise in the industry.

The decision was taken to go for the latter, to truly try to create a world class, very dominant player. We think the security industry is, in many respects, like the automotive industry in the 1920s. Globally, there were hundreds of companies making cars, and there’s only a handful making cars today. Today, relatively speaking, the security industry is that way, and it’s not going to take 80 years to evolve.

It’s going to evolve, we think, in the next five years to a handful of relevant companies. We believe we have an opportunity to create one of those relevant companies because security is our only business; we’re passionate about it, we have a great fundamental technology base — particularly with the coming together of Cyberguard and Secure Computing, and we see a void in the marketplace for enterprise security, from the edge to the desktop.

We think we have a bit of an advantage against most of the people that will compete in the area of threat management because we can augment that with strong authentication and identity management.

The fundamental belief we have is that security should start with knowing who the user is, regardless of how they come into the network. If you know who the user is you then, like a hawk, can capture exactly what they are authorized to do, and then security becomes relatively straightforward because you simply have to enforce that policy. The policy enforcement plays to the concept of ‘secure enough’ risk management.

Is that an approach that you’d sharply distinguish from say, Cisco’s self defending network concept system?

I think the self defending network concept is a great concept, but you ask anyone from Cisco to explain it to you and they will immediately start a bit of a dance because they don’t know what it is today. The concept is that all endpoints have defence mechanisms that are tied to identity management — that, I think, is their big picture concept; but today they don’t have the defence mechanisms on a per port basis; they don’t have the identity management capabilities.

Identity management starts with strong authentication, and we’re expert at that, and the defence mechanisms start with defences that cannot be breached, and we’re expert at that. There’s a lot of things in between that but the layers that we offer today like intrusion detection, intrusion prevention, capabilities to provide an appliance with unified threat management capabilities – anti-virus, anti-spam, URL filtering, SSL scanning - that type of capability we can bring to the fore, and manage it centrally.

Tell me about unified threat management – what is it, really?

It’s an IDC term – they defined the market after we had an appliance that met their definition. Our appliance preceded their definition of the market by eight months. In some respects I think we pointed them to it. So they’ve defined it as a firewall - it doesn’t define the level of the firewall, so it could be packet filter, stateful inspection, application proxy, it has anti-virus capabilities and it has IPS capabilities.

We take that a lot further with the approach to providing a lineup of appliances. First we have the same software load on our appliances from $1500 to $70,000, all the same capabilities are present.

In the base price you have the Sidewinder firewall, that has never been compromised — so right away we differentiate ourselves. Number two, you can run that firewall as a packet filter, a stateful inspection capability or a full application or application proxy firewall – your choice; you can configure that on the fly, it’s augmented with intrusion detection and intrusion prevention capabilities, it provides filtering for e-mail, instant messaging and peer to peer type traffic. And then separately priced, you can add anti-virus, anti-spam, URL filtering and an SSL acceleration capability, and there are a number of other features but that fundamental lineup is by far the most robust capability in the market place you can get and you can get it from a price point of $1500 base price to a price point of $70,000 base price.

So if I were a prospective customer, what’s the first thing you would say?

I think, number one, each situation is a little bit different in the unified threat management space; it depends on whether the customer’s augmenting an existing network, tearing out devices at the edge, and replacing them, and what he’s interested in. Some of our appliances are deployed and run only as a firewall, all the capability is there for the others, they are just interested in a firewall at this, let’s say the front of their ERP database, so every situation is different.

The thing that we point to with Cyberguard and Secure is a track record of being the ‘gold standard’ of security. When we are talking about security, we’re very price competitive in the industry, and where we separate ourselves is: we’ve never been compromised. Our competitors in the security industry can’t say that kind of thing, and, after all, you’re buying something for the purpose of security, so it makes a tremendous difference.

From the customer’s stand point, what they are interested in, we have an approach with our selling that we want to become a partner and a trusted advisor, and sell the customer what they need to accomplish their task, and it’s to the issue of risk management – you don’t put the Hope Diamond behind a screen door, and you don’t put a pack of pencils in a vault – let’s work together and understand what is the appropriate level of security for the information.

In terms of doing that professional services bit, how is that achieved?

We have a network services organization that does deployment and rapid assessment, but what we have done is put together a network of value added resellers around the world – about 1400, that are truly underlying the word value add resellers.

We are committed to the channel, we are 100% indirect model, with the exception of 57 accounts that we sell to directly worldwide. That’s actually a legacy from Secure when I walked in the door when it was 100% direct, and the right way to build a security business is to have the channel model, but you have the relationships the big account for many years once they continue to be direct, and so we’re weaning them down. We’re down from when we announced 100% through the channel, with the exception of named accounts, we were about 100 named accounts, we’re down to 57 and so those accounts, 40 or so have moved to channel.

What are the upsides and downsides of that business model for you?

Leverage is the upside for sure. The downside is, and I don’t think it’s a negative per se, but there has to be a lot more effort on our side to have the visibility into the marketplace when the sales organization does not work directly for you. So, our channel account managers have to be a lot more active and our view of the pipeline to be as level as we want it to be, takes a lot of extra incremental work.

How do you optimize their effectiveness?

Working very closely with them, we’ve won the five star VAR business five star award three years in a row for our channel programmes in North America.

If you go through the milestones for Secure Computing, your firewall capability is right up there as a major achievement time after time; why did you acquire Cyberguard?

One thing is that, for both Cyberguard as a standalone company, and Secure as a standalone company, both of us had enough technology to be a relevant player in 2010, and the quality of that technology was excellent — certainly sophisticated and evolved enough for us to be individually significant players; but we didn’t have the size. Size matters. We think that to be considered a relevant company in 2010, five years into the future, as you look out, you need to be in the billion dollar plus range as a minimum.

Organically, neither one of us could grow there, no matter how fast we grew. Within reason we thought we could become a three hundred and fifty million dollar company, but that simply in our view, in the strategic analysis would not make us a relevant player.

So we acquired them because they were a great fit with us, when you look at the technology, very similar technology in the firewall space, in the URL filtering and SCM space it was very complementary with the appliance side of Cyberguard’s business – Web Washer – adding a new component to our cart and then the SG series, is a low end that we simply didn’t have either, so that was very attractive to us.

Also, although we were very similar in many respects, we had very little overlap. 60% of the business of Cyberguard was offshore – non-US, that is to say. Secure’s business was 70% US, so the make-up of our combined company is 55% US/45% offshore, and that’s a healthy mix for a company of our size. We want to drive that to probably 60% non-US over the next few years because we think that the market’s at least 60% offshore, probably 65, and we want our share of that market!

So the combination gave us more presence internationally; their presence in the Middle East, South-East Asia was far better than ours. Their presence in Europe was very significant, equal to ours, but didn’t overlap, so the combination created a much stronger player globally. Today we have well over 17,000 customers and product representation and installations in 106 countries, so we’re progressing to what we want to be in 2010.

We saw an opportunity to build a company that we think will be a relevant company in 2010. In today’s environment there are hundreds and hundreds of start ups around the world and 40 to 50 public companies of significance in the security industry. As that evolves over the next few years we’ll get down, we think, perhaps to maybe 12 relevant companies.

By the security industry are you factoring in the big infrastructure players Sun, IBM, Microsoft, Cisco?

I would not include Sun, IBM and Microsoft in the security play, but I would include Cisco and Juniper, the network players that have significant security businesses. Obviously companies like Sun and IBM and HP are going to, I think, over the next few years, have more and more security offerings, but I don’t think you’d consider them a primary factor in the security industry in 2010 based on what we see today though they could acquire themselves into that position.

In terms of where you think your main future revenue growth is going to come from, is strong authentication the main thing?

The way we’ve modelled our business is that each of the three principal product areas – unified threat, secured content, and authentication will grow in 2006 at an equal level. We think we can do better in each area.

We think that each area has the opportunity to have breakout performance, but the one that I would put on the top of the stack, with the highest potential for breakout performance based on needs of the market place — potential opportunity because I don’t think it’s real yet — is strong authentication. This is driven by consumer facing financial services opportunities, banking and brokerage, and that’s a global perspective because you’ve got a tremendous amount of activity in each of the major markets around the world. The [recent] Banamex [Mexican bank] transaction that we announced in Q4 is the biggest transaction in the company’s history: $8.6 million dollars, over a million tokens, and is the very tip of the iceberg.

In each of the major markets in the world – Europe, Asia, Pacific, Japan, North America, South America - we see a tremendous amount of activity, but the activity is all centred around kicking tyres, if you will. I believe the way the market in this consumer facing space will evolve is that in each market you’ll have somebody go out and successfully deploy major numbers of two factor authentication mechanisms, and that will cause a mad scramble to keep up.

An interesting data point is that Banamex was driven by the marketing department of Banamex, not by the security department, not by the IT organisation; it was driven by marketing.

I think that that to me is the single most significant statement I can make about Banamex as far as its illustration of an industry trend. It’s marketing driven, and it’s a combination of all the threats to the business model.

That’s interesting because of course a lot of the fear around internet banking is not especially rational.

The threat is there, I honestly think the threat is there.

The threat is there but it’s not like compliance which has been a big drive in the security industry for a few years now so you can’t dodge it, whereas cyber criminal threat is just slightly more questionable, it’s more debatable.

The bad guys go to the soft target and until the internet is made secure for banking transactions it’s going to be a soft target. There’s been a huge change in the crime that’s being committed. I went to a seminar that was put on by one of our customers in the banking community – within 30 minutes of an identity theft, and the identity theft comes from the former Soviet Union, the former Eastern Bloc, a bank card was made up and money was withdrawn from ATMs in the Midwest of the US. It’s a very fast response to extract millions from the banks in twenty four hours.



 

 
