Security Management Software: Symantec Wins Securely

Symantec's winning overall average score of 76 in the 2002 VARBusiness Annual Report Card (ARC) category of security management software was a convincing seven points ahead of second-place Check Point Software. Symantec scored outright victories in 13 of the 15 performance criteria, including a tie for first place in one and a four-point victory in the all-important loyalty subcategory, with a score of 79. But the outstanding scores for almost every criterion aren't good enough for John Schwarz, Symantec's president and COO, who isn't satisfied with his No. 2 score (two points behind Check Point) in the managing channel conflict criterion.

Report Card Score

"Symantec is far and away the most channel- aware and channel-friendly company I know," Schwarz says. "We have an absolute policy of fulfilling our business through our channel partners and do 95 percent of our business that way, remunerating our sales- people [so] they get credit for the sale no matter how the sale was made."

Symantec is also working to improve its e-business portal, a criterion in which it tied for second with Network Associates with a score of 61. IBM's Tivoli brand had the best e-business portal in 2002, VARs say. "We have work to do," says Schwarz of Symantec's

e-business strategy. "Our whole Web strategy is under review. We have globally deployed Seybold's CRM tool, and we'll use the e-channel component of that tool to create a very automated Web-based interface between our salespeople and the VAR in that territory."

True security management software is still in its infancy, with Symantec and other companies in the midst of major product launches, creating significant opportunities for VARs."In the past, customers would have acquired an antivirus tool and a firewall tool, and called it a day. But Code Red and Nimda a year ago pointed out graphically that those two tools were insufficient. So a new series of tools, including intrusion-detection and integration of tools onto the platform, was introduced," Schwarz says. "When you get to this level of complexity, the do-it-at-home solution is no longer a viable option, particularly not for smaller businesses. So they have begun to look for assistance from experts, creating a whole new market opportunity for [VARs]."

To help VARs cash in on this opportunity, security companies are developing comprehensive solutions that manage security products from multiple vendors. This month, for example, Symantec plans to launch Symantec Security Management. Schwarz says it will "deliver a single point of management from which the whole infrastructure can be managed."

Although Symantec won the hearts and minds of VARs in the 2002 ARC survey, it will face tough competition going forward, says Laura Koetzle, a security analyst in researcher Forrester's infrastructure group. "It's tough to say where the [security management software] market is going," Koetzle says. "It's very much up for grabs."

While vendors, such as Symantec, that specialize in point products including antivirus software are coming out with comprehensive security managers, traditional systems-management vendors are also developing security products, and "a bunch of start-ups are also aiming to fill the security-management hole," Koetzle says.

The Sept. 11 attacks caused a tremendous increase in awareness of the need for security that is just now translating into spending, Schwarz says. "It has taken customers about a year to go through the planning cycle, and the federal government is just now beginning to release new spending to address security holes," he says.

But businesses still have a way to go before security becomes a normal business expense, Koetzle says. "Businesses realize security is important, but it's still not treated as an ordinary business risk like fire or flood, which can be mitigated with property/casualty insurance," she says. "Information security is really just another business risk that has to be rationally assessed."

VARs are an essential component of a comprehensive response to security threats. "You need a response capability for when your information-security defenses fail, because they will," Koetzle says. "Management software can help handle security incidents, for example, with incident-tracking systems. However, information-security-incident response is first and foremost a people-process thing, creating potential opportunities for VARs."