Q&A: Websense's CEO Outlines Security Challenges In Troubling Times

At a time when malware is rising to unprecedented levels, many customers are faced with tough decisions about how to cut IT security budgets while finding new technologies to get the most for their security dollars. And with the majority of malware delivered via the Web, many anticipate that Web security solutions will have to accommodate the customer's declining security spending as well as the ever-changing threat landscape.

Everything Channel spoke with Gene Hodges, CEO of Web security company Websense, San Diego, Calif., in a phone interview to get his take on the impact of the challenged economy on the channel, end user customers, emerging security technologies and new threats going into 2009.

In light of the Wall Street collapse and credit crisis, what strategies has Websense implemented to survive and remain profitable going into 2009?

We have a fantastic business model and industry placement for a recessionary economy. All of our revenue is taken pro rata. From a P&L perspective, a good portion of our 2009 revenue is already done. In Q4, 85 percent of our 2008 revenue is on the books and certain. That allows us to follow what I characterize as using the downturn as a time to try to improve our position with the channel and taking share in the marketplace.

What effect does the credit crunch have on your end user customers? Do you see customers cutting their security budgets?

What we're going to see in security overall is the end user being more miserly. There's going to be fierce price and margin competition on legacy security implementations that protect infrastructure.

I think that business managers have gone beyond cutting IT or growing IT. As I talk to our CIO, my discussion with him is what areas can and should we disinvest in. We expect that to play out as disinvestment in the form of increased price competition in legacy products. We would expect to see less money in margins for antivirus. Some of that money is going to the bottom line.

Overall spending will not tank, but I think our reseller principals, they're going to see a lot of margin and price pressure on their largest product lines. It's just going to get a lot worse.

How do you see the declining economy affecting the channel?

This is a time of pretty serious concern for a lot of people who are resellers. It's going to be a pretty tough year for most of those companies in terms of margins. In IT security, margins are going to be crushed. The message is, there are still ways for them to improve their bottom line.

How is security in general weathering the economic downturn? And what areas of security are most likely to survive?

Web security in a Web 2.0 environment are going to be areas that weather the storm fairly well. The Web security arena is one where you try to go on the offense with business applications, building your user community. Those types of initiatives are more directly relatable to keeping the top line up.

Some of those savings will be made available for the newer threats, such as DLP, the Web 2.0 security and hosted security services. In the U.S., we're going to see a slowdown in spending overall. We're seeing more CSOs and CIOs of medium-sized companies ask, "Why are we spending this much the way we always have in these legacy areas?"

DLP actually plays in two directions. It plays in a positive market by preventing damage as an insurance policy and prevents the risk from acquisitions and layoffs with purposeful data loss. This is when employees are most angry. Most data loss comes from laziness. But when the economy gets bad, you have to worry about willful theft of information.

Those areas -- Web 2.0, DLP and the cloud security services -- will be fairly strong for distributed accounts. They simply don't have the manpower to put the boxes out there.

Do you currently see customers leaving hardware security solutions and gravitating toward managed security services as the economy worsens?

More distributed organizations will move more in that direction simply because they'll have more pressures on their budgets. With centralized organizations we wouldn't expect to see big shifts. That always involves costs, and companies that are fairly well-served will tend to go more value-focused than what I'd characterize as strategic expansion.

What kind of opportunities does that mean for partners?

Most of our partners are running a 70-30, 60-40 mix between product resale and service margin. That will continue to shift. We think we will tend to have a 60-40 services focus.

What do you think about the wave of consolidation in the industry, such as the McAfee-Secure Computing and Symantec-MessageLabs acquisitions?

I think that security has a very long track record of having giant fish eat middle-size fish, which eat small fish. As long as the bad guys keep innovating, that leaves the need for innovation and technology that feeds this food chain.

McAfee is going to have some indigestion. They're going to have a very hard job positioning and selling incompatible product lines until they can get those product lines integrated.

MessageLabs will be easier to integrate [for Symantec] because of its in-the-cloud services. I think they'll be able to do quite a lot with that.

Would Websense consider merging with a larger vendor?

The company is for sale, one share at a time. On the other hand, I think our board and our shareholders believe that the fairly rapid improvement we've shown in cash flow generation is going to continue to improve. Now we see some significant top-line synergies coming back into this market.

It would have to be for a lot of money.

In 2009, what will be some of the biggest threats users will face?

There's a long road that the industry has started down in targeted, data-oriented threats. The Storm Botnet has been quiet now for about two months. It's not that botnets are going away, it's that boutique botnets have taken its place. Those boutique botnets are tearing out more targeted data-trawling attacks and replaced them with more targeted data-phishing and pharming attacks. It probably just means there's more data mining.

If you're a student of organizational structure, the bad guys are creating a true 21st century Internet organization, with no taxes and are completely virtual. Employees in the front office rarely see each other and there are completely flexible work rules. In the back office, they are highly targeted, menacingly ruthless organized criminals willing to make money off of your grandmother. So if one is speculating, if you project the focus of organized data collection into our current environment, there will be lots of financial scams.

These organizations can set up Web sites that relocate that site every 36 hours. How do you jump all over that when a Web site is in Romania in the morning and China in the afternoon? To me, it's pretty hard.

What kind of technologies is Websense investing in to combat those threats?

The very best techniques in the market today see the bad stuff as it comes down the wire. You can't be sure of the Web sites as you were last year. This basically obsoletes reputation technologies and quantitative data. It's really a pretty scary thing. Google Docs have lots of compromised subsections. You can't say no to Google. You need to have the technology to say no to one tenth of one percent of Google that is compromised. It changes literally hour by hour. You can't do that by whitelisting or blacklisting.

The only way you can stay up with that stuff is looking for data-oriented malware coming off that site in real-time. Whitelisting is probably less reliable now. Over time, whitelisting becomes obsolete. Blacklisting and reputation become obsolete. I think that means there's an opportunity for the channel to sell real-time Web 2.0 technologies.

What kind of opportunities will there be for partners in regard to Web 2.0 technologies? Do you see solutions like DLP being commoditized?

The pipeline in those real-time technologies for new businesses is actually larger than the classical Web filtering pipeline.

Everything always commoditizes over time. We're seeing our price points go up significantly. This Web security stuff, as we've said publicly, was first estimated to be between 10 to 20 percent of our enterprise account base. Now it's between 30 and 50 percent. That's a lot of opportunity.

It's going to get ugly. I don't think (security) is going to deteriorate. But the businesses where the IT security spend drops from 5 percent to 2.5 percent will mean a much bigger shift in where it's spent than I think apparent at first blush.