Indeed, the software-publisher business, an intermediary model that had flourished in the early days of PC software, had largely disappeared with the consolidation of the industry and the spread of the World Wide Web, which let any enterprising programmer distribute his or her software directly to consumers. Companies such as Broderbund Inc., which resold independent developers’ programs, were gone. The might of the industry now lay with larger software developers that could leverage an essential technological base, as the Microsoft Corporation did with the Windows operating system, and the Oracle Corporation did with its relational databases.
A Serial Acquirer
Symantec had no time to build a technological base, so it had to buy one. The acquisitions had to follow the evolution of security needs. In the early days of the personal computer, hacker attacks were primarily associated with viruses, little programs that, like their biological counterparts, used their hosts to replicate — sometimes benignly, sometimes not. Security software used to be synonymous with antivirus software, and blocking these intruders was a simple matter of scanning for known code patterns. But because hackers have become more sophisticated, and attacks have mutated to include industrial espionage and potential terrorist actions, enterprises now face a broad range of so-called blended threats.
Combating these more varied threats requires a more varied, and more proactive, approach to security software. Vulnerability assessment programs help enterprises determine their risk exposure; intrusion detection identifies unauthorized uses of the network before they cause damage; virtual private networks and authentication services allow remote privileged users to get past the firewalls designed to keep intruders out. Security management keeps track of all these systems, chronicles security “events,” and distinguishes genuine threats from false alarms.
The only piece of this extensive puzzle that Symantec already owned was antivirus, so the company had to become a serial acquirer. Its historic strategy had been to buy disparate products to pump through its distribution channel; now each acquisition was intended to add a piece to the business portfolio and broaden its base in enterprise security technology. Each deal strengthened Symantec’s position in the security market; each added to the company’s technology base, and, perhaps even more important, to its talent pool.
“At that point in time, it was almost impossible for Symantec to hire anybody,” Mr. Thompson says. “We were not hip; we were a publisher, not a developer; we were not a dot-com; and we had a history of layoffs. My strategy was to acquire little companies, and pay about $1 million a head. I felt that would get us the talent we needed, and hopefully some technology, too.”
In February 2000, it acquired L3 Network Security, which offered products and consulting services designed to help enterprises assess their vulnerability to hacker attacks and rapidly detect systems intrusions when they did occur. Some of the world’s largest companies were already using L3’s Retriever and Expert products to design, implement, and manage network security.
Symantec followed that deal with an $18 million investment in Brightmail Inc., which makes products that enable service providers to manage and protect their e-mail systems. Symantec had previously partnered with Brightmail, whose technology filters messages to block spam and e-mail–borne viruses and could be extended to provide other forms of content control.
To enter the enterprise market, not only did Symantec need new engineering talent, it needed sales talent. The logistics of selling $100,000 products to corporations are vastly different from those of selling $100 products to consumers. And one of the critical differences between consumer software and the enterprise business is the sales channel. Symantec sold products such as Norton Utilities and ACT through big distributors, who in turn sold them to retailers who stacked the yellow boxes on shelves for consumers. Some of the products were also sold preinstalled on personal computers from such companies as the Dell Computer Corporation and Compaq. A limited number were sold by subscription, with upgrades delivered online.