|Home - CEO Spotlight - Apr 03 Issue
CEO Spotlight: Tom Noonan, Internet Security Systems
By Angel Mehta, Managing Director, Sterling-Hoffman Management Consultants
While most software companies continue to struggle, enterprise security is one of the few sectors left that continues to expand – and red hot Internet Security Systems (ISS) is leading the charge. Angel Mehta, Managing Director at Sterling-Hoffman, talks to CEO Tom Noonan about growth strategy, an entrepreneur’s Christmas, and the emergence (finally) of enterprise security as a mission critical priority.
Angel Mehta: I was at a conference earlier this year and the consensus amongst investors seemed to be that security is and will be the hottest software segment for a couple of years. ISS is clearly one of the trailblazers…so if you could identify three things that you need to make happen….three challenges to meet in the next six months… what would they be?
Tom Noonan: Key challenges right now within my control or outside my control? Because I would probably look at this in two dimensions. Of course, there are those things that are subject to market risk which quite frankly none of us control but we all worry about a lot anyway. And then you have those things associated with operational risks. I prefer to focus on the latter – the operational side.
Angel Mehta: Let’s start there. I think most people have heard enough about the war and accounting scandals at this point. [Laughing]
Tom Noonan: Agreed. So on the operational side…number one is what I would call our ‘solutions strategy’ which is the development and delivery of our next generation dynamic threat protection system. It has been under development here for a number of years. I think it represents a core supplanting technology in the industry…meaning that it will operate in a way that will minimize the dependence on legacy security technology in corporations, business and governments around the world. I would say that is one of our top priorities right now as those systems will begin coming to market this year.
Number two is ‘activity associated with marketing expansion’. The new platform is creating additional market opportunity for us. Traditionally, we’ve served the larger more ‘security-elite’ corporations who have extraordinary security requirements both in terms of efficiency and flexibility….but this new generation of dynamic threat protection systems will actually make world-class security available to the masses.
The packaging, the pricing, the promotion and the placement, which is the market expansion piece of this, are causing the company to undergo a metamorphosis in our distribution channels, programs and plans as well as our overall go-to-market strategy.
Think about it: today, we are serving 11,000 enterprise customers…but with this new generation of products, we believe the opportunity increases to hundreds of thousands of businesses – smaller ones from say a couple of thousand employees up to ten thousand employees – that quite frankly have been overlooked. They’ve been largely untouched by the security marketplace. That’s a huge gap.
Angel Mehta: So let me ask you…Gartner predicted earlier this year or late Q4 2002 that growth in security space is probably going to slow down. Has that been ISS’ experience so far this year?
Tom Noonan: That has not been our experience; however, I think growth in all technology markets has slowed from the blinding pace of ’95 to 2000.
Angel Mehta: Of course…
Tom Noonan: So I would acknowledge it from that perspective - but you know, security is a very, very broad term. It’s a maturing marketplace for the legacy products that have been with us since the days that preceded Internet technologies like standalone firewalls, standalone anti-virus systems, etc. But those are giving way to new dynamic and integrated protection systems like this dynamic threat protection technology and system that we are introducing.
So I think you are going to see a slowing in the traditional security products that were developed as single threat-oriented-type technology.
Angel Mehta: You mean like anti-virus?
Tom Noonan: Exactly. These were designed to stop a virus but not a Trojan or a worm or a remote control device or a pest or a back door.
The other would be a firewall…they’re probably the most prevalent security platform that exists on a distributed network; however, architecturally these systems were designed long before things like peer-to-peer communications…before even the Web was around and so most security breaches compromise the Web protocol and the e-mail protocol. Every firewall and every corporate network lets HTTP or Web traffic in and out and it lets e-mail in and out. So what the bad guys do is exploit the underlying technology as a weakness. So yes, I think you’ll see a slowing in the traditional technologies and a displacement market evolve for systems that deal with today’s threat as opposed to yesterday’s problem.
Angel Mehta: Let’s go back a few years. How did you get to know Klaus (founder of ISS)? Tell me about that original partnership…what is it that you saw early that made you ditch Dunn & Bradstreet for a start-up? This was before startups became the in-thing, right?
Tom Noonan: Well, the early meetings with Klaus and I did not take place in person. – it was in cyberspace. At the time, at D&B, one of the great fears was that the Internet was going to make D&B’s business model obsolete. D&B, of course, at the time was known as the world’s leading information company and the promise of the Internet in those early days was free and ubiquitous information. So if you were an information company that had cornered the market on selling and managing proprietary information that no one else had access to…well, that was a threatening promise.
Angel Mehta: Right.
Tom Noonan: So in researching that for D&B, one of things that became very very clear to me was that one of the fundamental challenges to using the Internet to automate business commerce was the very fact that it was designed originally and manifestly to be open and easy to access - and so you had this conundrum. Business could utilize the Internet but it would be insecure and, therefore, problematic.
I actually met Klaus by reviewing some of his on-line posts on security bulletin boards about vulnerabilities in internet-worked UNIX systems. I know that he was coming from a Georgia Tech domain which is my alma mater…and I was living in New York during the week but then returning to Atlanta on the weekends. So we arranged a meeting. There was nothing specific in mind other than to talk about this ‘Internet’ thing.
Angel Mehta: And yet he got you to max out your credit card to fund the thing?!
Tom Noonan: Right (Laughs). This isn’t entirely well known, but there was a matrimony of sorts between two very different backgrounds. Klaus, without question, was the security expert and remains the security expert in the partnership. My background out of Georgia Tech was automatic, real-time control systems. I spent the first eight years of my professional life designing and implementing computer control systems for everything from weapons delivery systems to nuclear power plants and everything in between. The thought occurred to us in those early meetings that we could build an automatic control system for threats - something that would detect, analyze and prevent a threat dynamically and intelligently. That was a quantum thought forward for security which, at the time, was static and policy-based. It was not intelligent or dynamic meaning you had a firewall, you set the policy, let Web traffic through, let mail traffic through, let FTP through and the presumption was that all traffic coming through those ports will be good and the ports that we block will keep the bad people out.
But our premise was, it won’t take long for people to start exploiting systems and the more open the network gets vis-à-vis letting people through, you will not have an intelligent way to discern between good and bad - much less have the ability to actually prevent that activity from happening in the execution cycle of the threat.
Angel Mehta: What exactly does that mean? [Laughing]
Tom Noonan: Put it this way…anyone can go back and review a firewall log and say, “Yeah here it is. Last month this connection was made and it was that connection that was the bad connection.” What we wanted to do was build a system that would operate in the millisecond it takes to actually COMPROMISE the system – and then detect it, analyze it and prevent it within that timeframe. So that’s the vision for what we continue to pursue today. In fact, the first phase of these dynamic threat protection systems that we’re delivering this year are really to me the first manifestation of that vision… 8 years later.
Angel Mehta: I always love comparing past plans or expectations to present reality. Did you expect ISS would be a $243m company in less than 10 years?
Tom Noonan: I did not. In fact, I don’t know what we thought at the time…(Laughing). I mean, I know what we thought in terms of the technology and the opportunity but as to what we viewed as reasonable growth, I have no idea. I mean, I still have the original business plan that showed us in 2004 being a $100 million dollar company. So we beat that target…that much I know.
Angel Mehta: I remember reading a marketing tenet in a bubble-era magazine that went something like, “You can either convince a customer that he’s got a disease and sell him a cure or sell him a cure for a disease that he already knows he has”. Early stage ventures in the bubble seemed to be all about the former…and historically, it seemed liked security was only a priority to any given buyer after a breach. Has the market finally crossed over yet to the tipping point where they actually view security as a ‘need to have’ before the breach actually occurs?
Tom Noonan: I honestly believe we’re at that crossover point right now. And you know what else? I honestly believe that September 11th was the seed of that crossover point.
Angel Mehta: Makes sense…
Tom Noonan: Sept. 11 brought western awareness regarding the issues of security to a frightening crescendo. You know westerners thought they were safe. Europeans thought that security ended at the borders of the EU …and what we realized was security and insecurity had become globalized almost overnight. Most ‘buying’ behavior is emotional anyway. There’s an interesting off-shoot to this, Angel, that when I retire someday I am going to go back and analyze it and figure out why…
(Angel laughs) You know, I’ve gone to engineering school and I’ve gone to business school so I’m probably overeducated from a school perspective - but one of the things that I have promoted quite passionately is that companies attempting to do ROI studies on standalone protection systems are wasting their time. Security should be viewed from a total cost of ownership perspective. The guys looking at ROI are not convinced that they need security and they’re saying, “Should I invest in security? What type of return is it going to deliver to my shareholder?” And the only thing you can do is deal with statistical evidence in the world to determine how much return you’re really going to get because you never know where or how or when you’re going to have a security problem.
Angel Mehta: Just like we didn’t know where or how or when 9/11 was going to happen…
Tom Noonan: Exactly. Nobody is questioning all the money we’re spending now (on defense) and the same is true of security. If you fundamentally believe you need it then you set out philosophically with the mindset ‘I want the best for the least cost of ownership’.
But if you don’t fundamentally believe you need it…I have presided over many ROI sessions where these ridiculous assumptions were made. I would propose to you that most ROI calculations that were presented to CEO’s and CFO’s from about 1998 to 2000 were fraught with bad assumptions…meaning, e-commerce sites are put in to automate 50 percent or 100 percent% of a company’s business but things like security, performance management and other things were left out! Sure, it makes the ROI look even better but at the end of the day I think those costs should have been included in the projects.