Inside Symantec’s tech transformation
Symantec chief information officer Sheila Jordan has spent four years leading IT during one of Silicon Valley’s most noteworthy corporate change efforts.
The story of Symantec’s recent transformation starts with a strategic aspiration: to position the company as a major disruptor in its chosen sector of cybersecurity. Over the span of five years, the company went through two major divestitures, selling Veritas to a private equity group in 2016, and Website Security to DigiCert in 2017. The company also made two large acquisitions, Blue Coat in 2016 and LifeLock in 2017, followed by three smaller ones. Symantec then initiated two intensive rounds of restructuring that included reducing head count, which laid the groundwork for a subsequent wave of growth.
In doing all this, the company reoriented its purpose. It went from selling enterprise software to providing the world’s leading cybersecurity platforms for both consumers and global enterprises, and shifted business models from product orientation to subscription-based. The company also went through a deeply felt cultural change, including a new emphasis on diversity at the top management level. Lastly, Symantec changed CEOs twice, finding solid ground with Blue Coat alumnus Greg Clark at the helm.
Symantec chief information officer Sheila Jordan played — and continues to play — a pivotal role overseeing the redesign and consolidation of the company’s technological infrastructure. Jordan joined Symantec in 2014, soon after the initiative began. Jordan previously served as a senior vice president at Cisco Systems and Disney, not just in IT but also in finance, supporting sales and marketing. Her technical expertise and enthusiastic, matter-of-fact approach to simplifying the company’s digital technology became a model for Symantec’s customers. She’s also one of Silicon Valley’s most prominent female executives, in part because of her ability to spot trends in the industry, and stay ahead of the curve.
Strategy+business caught up with Jordan in her Mountain View, Calif., office to discuss Symantec’s transformation and the changes taking place in Silicon Valley today.
S+B: How would you describe your role in Symantec’s transformation?
JORDAN: I was hired back in 2014 to bring information technology back in-house from a previous outsourced model and to build a world-class IT organization. I knew that would be a significant challenge, and I thought it would be a lot of fun. At that time, I had no idea that the entire company was about to change.
Then came the Veritas separation. A divestiture of this sort is significantly more complicated than an acquisition. We were becoming two separate companies with our own independent ecosystems of processes and systems: WANs, LANs, sites, data centers and labs, enterprise resource planning (ERP) systems, applications, laptops, and mobile devices. Everything had to be split apart, including all the data. We decided to do it in a comprehensive way, to take this opportunity to start cleaning up processes and simplifying everything.
In 2016, with the Blue Coat acquisition, we made a similar choice. We could have just jammed the two companies together, with many legacy and redundant applications running concurrently. Instead, we chose to simplify.
We strategically transformed every aspect of the company and took the opportunity to think tactically and long-term. This resulted in a number of accomplishments, including consolidating into one customer relationship management system. We are currently one release away from consolidating multiple ERPs into one ERP; reworking our business processes and eliminating product SKUs; and streamlining our distribution channels and systems to make doing business with Symantec easier.
S+B: What had to happen inside the company to make the transformation succeed?
JORDAN: People talk about “digital transformations” as if they were all about technology. In the grand scheme of things, the technology is the easy part. More importantly, you need to focus on enhancing your customers’ experience in buying your products and services. For instance, since your customers use mobile devices, your software interfaces must be as mobile-oriented as your customers are. At Symantec, we focused on four factors: speed, alignment, strategic decisions, and communication.
S+B: Let’s take these in order. What does focusing on speed and alignment mean in practice?
JORDAN: We’ve become much faster and more aligned at Symantec. Through this alignment, we were able to develop a plan that integrated six companies and divested two. Between April 2017 and November 2018, we went through eight major software releases, which included significant changes to ERP, CRM, and foundational data and reporting systems, with minimal business disruption. This is unheard of in the ERP world. Each major release included an average of 24 different functions, from marketing to engineering to finance. This equates to essentially a release every other month. We used an agile approach, with development, integration, and user acceptance all happening concurrently. Because of the business and IT alignment, the quality of each release was exceptional.
We used similar methods to build our global subscription platform, which is the platform used to sell our cloud SaaS [software-as-a-service] products. To enhance speed and simplicity, we modeled our user interface on the Amazon experience: In just a few clicks your order is completed.
Customers and partners want a seamless experience. They don’t want to see internal organizational handoffs. Helping the business articulate the customer journey has [given us] a compelling way to think horizontally, and from a customer lens, versus a functional view.
We brought IT, the business units, and the other functions in sync. For instance, when we realized we couldn’t get everything done in the April ERP system release, we decided to push some features to May. This meant the businesses would have to absorb a manual process for a short period of time. They agreed to this in advance because we all shared our expectations up front and we spent a fair amount of time on communication.
I am also super proud of the way our engineering, marketing, and IT teams work together. For the global subscription platform, engineering owns the common cloud, where the security SaaS products get provisioned. Marketing owns the navigation, user experience, and content on the website for our direct small- and medium-business customers. IT owns the ordering and cash systems — and of course, connects the entire platform together. But we all own and are accountable for the entire experience.
In that context, I love that IT people are naturally systemic process thinkers; we see horizontally. We know how customers experience the company. We can add value in broader groups by pointing out duplications, gaps, and dependencies.
Big Decisions and Communication
S+B: You said another factor was “strategic decisions.” What does that mean?
JORDAN: I was referring to the way we organized the design and implementation of the transformation activity. There are two councils. Every other Friday, a program council that oversees the details of the change process meets for two hours to go through business and IT issues. Then, major strategic decisions are discussed once a month by a more senior group: the program board. This board includes the CEO and business unit general managers. During these sessions, we have changed our pricing structure for small businesses, rethought our channel strategy, and simplified our product offerings.
S+B: How do you make the councils work?
JORDAN: We set expectations through the way we work. Flawless execution is not optional for us. It’s mandatory. We’re all in this together, and we’re all accountable.
For example, we learned to celebrate what we call “reds.” These are the issues that people can’t solve on their own and have to bring up at the program councils. In the past, people weren’t comfortable saying, “I’m red this week.” They didn’t want their colleagues to know. We were not leveraging the power of the room and our colleagues.
We created an environment where it feels safe to walk into a council meeting and say, “I’m red.” It just means that you are off track and might need the room’s help, whether it’s a trade-off with a colleague or sometimes the help of the top management team, to get back on track. Setting that tone relieves pressure and stress, raises accountability, accelerates course corrections, and sets expectations along the way.
This is where mutual trust and respect among teams are important. I can say at a program meeting, “I can’t get that done for this release; it’s impossible.” Or, “My team says we looked at it 12 different ways, and it won’t work this time.” But then I can offer to put it in the next release and ask them, “What are the implications for you because of this decision?” and know they’ll answer candidly. That kind of trade-off and negotiation is amazing. I’ve worked on transformation and integration for two years, and I honestly don’t think there’s been one dramatic moment. There have been many healthy debates, but it hasn’t become negative, with pointing fingers or a blame game. This culture has allowed us to be so successful. We are using our critical resources and mental energy to solve real customers issues and real business problems.
S+B: What about the fourth factor you mentioned: communication?
JORDAN: I can’t articulate enough how important frequent and relevant communication is. Change inevitably leads to fear and uncertainty. The employees need many snippets of communication, even if the leaders don’t have all the answers. We need to reassure people, “it’s OK” or “we’ll get this.” After joining Symantec and building a world-class IT team with hundreds of members around the globe, I began publishing an internal weekly blog — just a couple of paragraphs of critical events or projects, recognition, calls to action, and news. I think I’ve missed four weeks in four years. Whenever I missed it, I immediately heard from my employees, “Where is the blog?” People want to hear what’s happening. In an indirect way I am creating a community within the IT organization. Infrastructure wants to know what is happening in the application space and vice versa. Employees love to know their job is important, and it’s up to leaders to explain how it all fits together.
Bringing Cultures Together
S+B: What was the cultural change at Symantec like from your perspective?
JORDAN: It [has been] huge. Four years ago, I probably would have said, “Culture is important. But it’s not critical.” Today, I think work on culture is indispensable. Our company mission is to protect the world. Anyone in the company can lean in against that statement; it’s empowering, but you also have to set goals and be clear on how you are going to fulfill that mission.
S+B: What other cultural issues did you have?
JORDAN: With acquisitions, you have different cultures to integrate, like having a blended family. Symantec, Norton, Blue Coat, and LifeLock all had different cultures. It’s important to take the time to establish the “new culture” that takes the best of the best from each acquisition. This takes time, so it’s important to focus on the work that can be done immediately. If you’re organized correctly, and you create a blend of the employees from different companies, you end up with a diverse team and a culture with diverse perspectives and experiences. Maybe it’s the nature of IT, with a significant demand and volume of work, or how the teams were organized, but in our case, almost overnight, it became irrelevant where someone came from.
What mattered was that we showed up as a cohesive IT organization, solving Symantec’s complex problems and working toward improving efficiency for our customers, partners, and employees. The work will form the culture, especially if you all feel like you’re in the same boat, and it will drive the level of respect, trust, and credibility higher.
S+B: If you had to advise a company going through similar changes, is there anything else noteworthy you’d tell them about the transformation process that you haven’t mentioned?
JORDAN: Celebrate successes, frequently. We managed the restructuring and acquisition while simultaneously running the business, with quarter-ends, financial closes, and all of the normal demands on IT to run and operate a multibillion-dollar company. The journey is long, and people think they’ll celebrate when it’s done. But you’re never really done. It’s going to be continuous change forever. Take time along the way to make people feel recognized and valued. Offer low-cost celebrations or organize a community event. That will give them the motivation and inspiration to continue.
Female Leadership in Technology
S+B: You’re one of the most prominent women in Silicon Valley, at a time when many tech companies are trying to increase their proportion of female executives. How does this issue come up at Symantec?
JORDAN: Our diversity initiative is a big priority for our CEO, Greg Clark. It’s crucial to see male CEOs take this seriously. They’re the ones who have to lead when we start to change deeply held thinking and biases. [Clark is active in CEO Action for Diversity and Inclusion, a coalition of business leaders launched in 2017 to address these issues more effectively. Tim Ryan, PwC’s U.S. chair, is the chair of the group’s steering committee.] Our CHRO, Amy Cappellanti-Wolf, is also super-passionate about this.
S+B: What is driving this change? Why now?
JORDAN: One factor, of course, is the broadening awareness of diversity issues in the tech industry. The younger generation is also forcing change. Millennials think about diversity differently; they grew up going to school with people from different geographies and ethnicities, as well as shifting gender norms and expectations. As we bring that mind-set into our companies, it leads to a reverse mentoring for the rest of us. The millennials are teaching us what it looks like to not have ingrained biases against other groups, and I love that.
Right now, women make up 26 percent of the global workforce at Symantec, which is above average for the industry. According to Steve Morgan of Cybersecurity Ventures, women represent 20 percent of the global cybersecurity workforce and [that proportion] continues to grow.
Further, our most recent set of summer interns were 60 percent women. That’s much better, but still not good enough.
S+B: Is the gender issue different in technology than in other industries?
JORDAN: It is, just because the percentage of men is so much higher. When I visit our banking or retail clients, for instance, there are more women everywhere, at all levels of the organization. Of course, in just about any company, the higher you go in the hierarchy, the lower the percentage of women tends to be.
S+B: Do you think that’s changing now?
JORDAN: I’ve studied this for years. Although some women stop advancing in their careers when they hit personal life events, whether it’s having children or caring for aging parents, many continue to face challenges around lack of mentorship, limited access to opportunity, or feelings of isolation. We need to create ways for people to work that match life’s challenges and simultaneously open up an opportunity. Again, millennials set an example. They are growing up in a world where everything is a service. They can get whatever they want: software, food, gas, a ride, clothes. They click and it’s there. Fast-forward 10 years, and we’ll maybe have an open marketplace of work assignments based purely on merit. I’ll take on a project that looks exciting for one company; and then do another project for a different company. In that context, maybe women will have greater access to opportunity, will experience less bias, and won’t opt out at the rate they are today.
S+B: Does having a greater female presence make a difference in the way a company handles a transformation?
JORDAN: You often read that it does, because it is said that women are typically more empathetic than men. But that may be a stereotype. To drive transformation, you need diverse thinking, regardless of age, gender, ethnic background, sexual orientation, or any other specific characteristics.
What matters most is the job we have to do. I am the CIO for Symantec. I don’t hide my identity as a woman; I wear dresses, jewelry, and makeup, and I certainly can personally relate to the constant challenges of a working mom with young children. However, the fact that I’m a female doesn’t motivate any of my decisions as CIO.
The Future of Cybersecurity
S+B: How would you describe the outcome of Symantec’s transformation?
JORDAN: Symantec now has two strategic business units. Our enterprise business strategy is based on Symantec’s Integrated cyber-defense platform. On the consumer side, with the acquisition of LifeLock, we’ve established ways for people to independently protect their identities and their privacy. We just introduced Norton Privacy Manager, an app that helps consumers understand and take control of their privacy and protect themselves online. We live in a new digital world where people are constantly sharing their personal information, and that information might be mined for profit. Through this app, we offer our customers ways to protect their data and their privacy, for themselves and their families.
The exciting part of our strategy is that it addresses the historical fragmentation of the security industry. Many CSOs have said that they’re loaded up on security tools in their environment. In fact, our recent Internet Threat Security Report (ITSR) indicated that on average — in a large enterprise company — there are between 65 and 85 security tools. Eighty-five tools! Now that’s quite fragmented. I believe Symantec is perfectly positioned to remove that complexity and improve efficiency by delivering our Integrated cyber-defense platform. Budget-wise, this service typically lowers costs for our customers — it’s easier technically and it saves them money.
We also know that consumer and enterprise security are interrelated. If individual employees become more aware of security issues and walk in the door more secured, with less risk of compromise, that makes the job of any CIO easier.
S+B: How do you track the external trends in terms of threats?
JORDAN: Symantec operates the world’s largest civilian threat intelligence network, and one of the most comprehensive collections of cybersecurity threat solutions. We also have thousands of engineers in the organization, including those working directly on the products, who are engaged in threat intelligence. Symantec is responsible for seeing and detecting things before anyone else does, and we’re using that intelligence to warn others.
Cybercriminals are getting smarter. If conventional cybersecurity is like locking the front door of your home, they’re finding ways to come in the side door, a window, or a crack in the molding. And they’re often lingering undetected and hanging out, just watching. You don’t even know they’re inside until they act.
Cyber products now have to have a significant amount of artificial intelligence and machine learning built in. They must go to new lengths to protect the most sensitive data of an enterprise, such as payment card industry [PCI] data, credit card information, and now — with GDPR [General Data Protection Regulation] in effect — privacy data. In earlier times, a security operations center analyst used to analyze the data logs after a breach, searching for clues. Today, we need to get at that needle in the haystack much more quickly.
S+B: How should top management be thinking about these issues?
JORDAN: Security represents a big risk to any enterprise. We’ve seen all too many cases where, if it’s not managed well, it can have damaging implications. “Are we secure?” is a simple question. The answer is extremely complicated. For example, how do you make sure every employee is security aware? What are you doing to prevent someone from accidentally leaving a laptop in the wrong place?
“When you fix your cybersecurity, you’re essentially cleaning house; you now know your infrastructure, applications, and data much better.”
In general, boards should spend more time talking about security. In some ways, it is as critical as the financials of a company. The security posture should not be delegated to a subcommittee. Every member of the board really needs to understand the security posture of their company. At the C-suite level, cybersecurity is often assigned to the CIO or chief security officer, but the responsibility of security needs to be broader. Security is a business strategy. Just as with other business strategies, you must consider executive alignment, process, policy, communication, and, of course, technology.
It’s not just about protection. There is a cost and efficiency play involved. Your legacy servers and systems may get used only once a quarter, but they sit there every day with no monitoring, providing another way for bad guys to enter. When you fix your cybersecurity, you’re essentially cleaning house; you now know your infrastructure, applications, and data much better. You can design your systems from the ground up to be more security aware, resilient, and easier to use.
- Amity Millhiser is vice chair of PwC and chief clients officer of PwC US. She is based in Silicon Valley.
- Art Kleiner is editor-in-chief of strategy+business.