CRN Interview: Trend Micro CEO Eva Chen

With five patents to her name, Trend Micro CEO Eva Chen conceptualized several of the security company’s key innovations, including the Network VirusWall, an appliance for protecting multiple network segments and servers. She recently visited with Editor Heather Clancy and Associate Editor Thomas Zizzo to discuss the company’s aggressive move into the small- and midsize-business market as well as provide insight on the state of security in other countries.

CRN: You have a very aggressive partner recruitment going on right now. Can you talk about what types of partners and why now?

CHEN: We're going after the SMB customer segment. These are the customers that don't have IT security, they don't have IT specialists and therefore we designed a special product and service package called Worry Free for the small- and medium-size business customer. This type of customer, we believe, can only be reached by the smaller reseller. ...This type of smaller reseller, they probably are not so IT-savvy. So the product you design for them to sell needs to be very simple.

CRN: How do you find these companies? Are they partners of existing competitors? Are they small-business VARs that don't have a security focus now? Who are they?

CHEN: Several things. Yes, like you mentioned, they were originally competitors' resellers or partners' resellers, but they weren't selling [antivirus] or security software. For instance, our partnership with Cisco [Systems] adds to another layer for the networking resellers. They were selling routers and switches before, but because we work with Cisco to have this security inside the Cisco gear, now we were able to reach these resellers. Some of the resellers started to buy and sell security products.

CRN: You keep referencing international markets. You have such a global outlook. Could you give a sense of where the United States stands with respect to security vs. other countries? Where are we ahead, and where are we not ahead? How does the U.S. scene differ from other markets?

CHEN: I think the U.S. market is the most ahead on the security front. However, in Europe, we see more strict restrictions, and therefore the enterprises in Europe usually incorporate more security products. I would say they adopt the new technology much faster than in America. They are very aggressive with the new security regulations. For instance, in Germany especially, and in Japan, the privacy law is a very important part of security. ... In the U.S., the antispam market started to mature last year. But in Asia, in Japan, it just started. And in Europe even, it just started because spam wasn't such a big problem for them. Now it's starting to get there.

CRN: India and China are of interest to our readership because of the offshore outsourcing movement. How do China and India stand as far as the state of security technology?

CHEN: I would say that they're still very early. In terms of their infrastructure, they are very early. For instance, the spam sent in open relay. The variety of [the spammers] are still in China. The spammers are using Chinese machines to relay their spam. So overall, the infrastructure is not very mature yet in China. In India, I think there's a big difference between those offshore, big outsourcing companies like Wipro or Infosys or these companies that have thousands and thousands of employees with major outsourcing centers. For those companies, their security has to be very advanced because they do work for IBM and Cisco, and they need to comply to their standards. Therefore, for those big companies in India, the security infrastructure is pretty sophisticated.

CRN: How important is it that a VAR or a systems integrator in the United States understand the policies in other countries, such as Europe? I think we have a very domestic point of view on security trends. How important is it that they start learning about other countries, and is there anything that you're doing to help educate the partners about cross-border opportunities?

CHEN: Because threats have no boundaries, our partners have to understand how other countries are doing their security. ... The companies and their customers have subsidiaries overseas. They have vendors and suppliers overseas that want to make sure their security and their headquarters policy can be deployed or standardized overseas. So if you're a VAR supplying this security product and services to the headquarters in the U.S., and if you are able to understand for different countries, security practices or infrastructure provides them adequate services. I think it's a great value for IT people.

Trend Micro is quite global, and we started this type of program. For instance, Toyota has a lot of plants in Singapore, Malaysia and Thailand, and [the company was] trying to standardize all of its security practices. So they have a spinoff company, which is actually an IT reseller. We were working with them to enable them to deploy Trend Micro's products to all of these different subsidiaries and remotely monitor all of these security practices in Singapore, which is where this VAR was located. But these smaller companies are located all over the world. That probably is a trend. Networks have no boundaries, and therefore security has no boundries. You have to reach out to all the different places. CRN: One observation that some have made about the SMB push in security is that it's in part because the enterprise market is becoming saturated and somewhat commoditized. Are you following some of the same strategy there?

CHEN: Even though 95 percent of customers already have antivirus or antiworm software deployed, they say their top concern is viruses and worms. So that is a big gap. What the vendor is offering and what the customer wants is not matched yet. Whoever has the answer and can fill this gap and come up with a product that makes sense to the customer will get the market share. When we research, we ask them why they see this gap. What it is that doesn't fulfill their needs?

There are three big questions [for customers]: Where did the viruses come in, and how did it get into my network? If I don't know how it got into my network, there's no way I can do risk prevention or mitigation, right? But right now, the antivirus software or the security product only tells me that the computer is compromised. How, I don't know. That's why we've come up with this overall monitoring, so we can provide a map of how this threat got into your network and the root cause analysis of this. So this is the first question.

The second question they always ask us--and that is very hard to answer--is why don't you tell me earlier? ... Why don't you do the prevention better? So that's why we started access control policy enforcement. Because if you cannot enforce a policy, there's no way you can stop the threat in advance. ... Just like when you do business with someone, you need to check the credit reports of the other business. [So] when you connect with someone's network, when someone's computer tries to get onto your network, you need to know this device's credibility. ...

The last question a customer always asks is, how well am I being protected? I want to know my scorecard, especially compared with my peers. We also enable our partner to provide this type of service, a risk assessment part they can use to rate a company's security practices.

Those three big questions need to be answered for customers. And how to answer it: There are technology solutions and products, and most of all how do we work with our partners to answer those questions. I don’t think one single vendor by itself offers products to answer those questions. Probably the VAR knows the customer’s network topology better than Trend Micro. But Trend Micro has the threat knowledge. So when you have the two added together, you can answer the threat.

CRN: Can you summarize your priorities?

CHEN: Trend Micro has already transformed from an AV company to a threat management protection company because the environment changed and we were required to cover more threats. But we still are very specialized on best-of-breed threat protection. The second thing is that this is software as a service. The software is just an agent to deliver the services, so it’s a software-as-a-service model. And the third one is that the network is our platform. We cannot see Windows as the platform, or Linux as the platform. It’s the whole network as the platform. Because the threats, the viruses, they use the whole network as their platform to spread. So, for the protection to be effective, you need to view the network as the platform. Because of that, the new technology that we are introducing is first the IT reputation service. Establish the network that you can trust. Know who is getting onto the network, and what devices are getting onto the network. Are they credible?