Previous Next

Articles

January 2009
Tom Parish

JohnThompson.jpg

 

During John Thompson's decade as CEO of Symantec, a $6 billion enterprise security company, he transformed the company from a consumer-based software publisher to a leader in Internet security, data protection and storage management. Thompson led an effort to diversity Symantec's product portfolio through more than 20 strategic acquisitions, especially the controversial $11 billion purchase of Veritas. Revenues during Thompson's tenure increased tenfold to more than $6 billion. In October 2008, Thompson announced his early 2009 retirement from Symantec. Enterpriseleadership.org recently sat down with Thompson to discuss the strategy for growing Symantec, the challenges of executing on that strategy, and the future growth prospects for the company.

 

Here's what he had to say:

 

EL. How has the downtown in the economy affected Symantec?

 

JT. No company can hide from customers that must deal with challenging economic times. We aren't different in that regard. With that said, we have technologies that companies need to have now. With data volumes growing at more than 50 percent a year for the average large company, they have to secure and to manage that information. If you look at the nature of our product portfolio, we have a certain level of insulation during difficult economic times.

 

Our primary products include security management, storage management, and backup and recovery. We target the largest companies in the world. More than 70 percent of our business comes from corporate and government customers. The rest of our business comes from consumers around the world.

 

EL. In 2005, Symantec began a diversification strategy with the acquisition of Veritas. Why did you decide to acquire a storage management company?

 

JT. We were interested in the backup and recovery components of the Veritas portfolio. A security company tries to keep bad things from affecting an organization's network or its systems environment. Because we had seen so many attacks in 2003 and 2004, we knew we wouldn't be able to stop all of these attacks. We, however, looked at how we could help customers recover to the appropriate level of operational control when an attack did occur. As a result, recovery tools and storage management tools became an important part of our realization that our job wasn't to just keep bad traffic out, but it was to keep an organization's systems up and running. The recovery capability became a critical component of that process.

 

EL. What is the company's mergers and acquisition strategy?

 

JT. Mergers and acquisition are an integral part of our business model. We have said to investors that we'd like to spend about half of the free cash flow from operations on mergers and acquisitions. That would translate into about $800 million per year. We want to focus it around two or three important elements. One focus is to look at enhancing the effectiveness of our core businesses, such as our core anti-virus business and our core backup business. These businesses tend to grow in the mid- to high-single-digit range. The second focus is on enhancing elements around the core that would provide higher growth.

 

While backup and recovery are an important part of what we do, email archiving, for example, is a similar function, but offers growth. While backup is an important element of what we do, disk space backup and data duplication are areas of very high growth. Can we acquire our way into related or adjacent areas that act as catalysts for growth?

 

Our third focus is to look for areas that three or five years from now have the potential to be high growth engines for us, but also would provide high volume. We recently acquired MessageLabs, a UK company that will complement our on-premise software appliance business, but it will give us a new marketing path or route.

 

EL. When you talk about high growth, what figures are you aiming for?

 

JT. We typically look for anything that is above 20-percent growth. We said to Wall Street that we expect to grow as a company at between eight and 12 percent per year. Ten percent is the midpoint of that. We consider anything twice that or greater to be high growth.

 

EL. Why hasn't Symantec adopted more of a build versus a buy strategy?

 

JT. We've built much of our technology. In fact, we spend about 15 percent of our revenue on research and development. While we acquire much of our stuff, the nature of the security business has been that the threats change constantly. From 1998 to 2002, venture capitalists in Silicon Valley and in Israel funded more security startups than any other type of company in the technology industry. Each of them had a unique twist on how to solve a particular problem. We aren't so smart that we have a foundry on every great idea. To that end, we want to continue to innovate on our own, but, at the same time, we also want to be open to external forces coming in. We use a model similar to open innovation. We innovate ourselves, but we're open to outside ideas, and we're also open to investing in companies where we might be able to help them move the security spectrum along.

 

EL. Can you describe the business process for updating the corporate strategy?

 

JT. It's an on-going process. I have a direct report who runs corporate strategy and business development. We go through a quarterly review of what our portfolio looks like, what things in the portfolio we should eliminate and what things we should acquire. We're looking for acquisitions that will enhance our core, that will represent high growth, or that will reposition us for large market opportunities with healthy growth for five to 10 years. At the annual board retreat, we share our detailed views on these subjects with the board members. Each quarter, we talk to them about the performance of the organizations we've acquiring during the past 12 months, and the prospects of organizations we might consider for the next couple of quarters. We have a healthy dialog about the long-term view of what we're trying to accomplish, the performance of what we've done, and the prospects of things that could be on the horizon during the next six months.

 

EL. Are you looking at technologies that relate to security?

 

JT. Yes! We acquired Altiris, a company that does device management. The technology relates to security. For example, before you distribute software to desktops in a corporation, you need to make sure that the software has all of the appropriate patches, that the hardware reflects all of the appropriate changes, and that a process exists for cataloguing everything so you can keep track of it. When a network attack occurred in 2003, we discovered that the vector of the attack had been present in the Windows operating environment for more than six months. If we had systems management tools to update the configuration and to update the software, we could've eliminated that attack vector. Having management tools tied to our security tools represents the opposite side of the same coin. Security resides on one side, while device management, on the other side.

 

EL. Do you have a particular methodology you use for measuring the success of technology investments?

 

JT. We look at several key metrics. Is the technology relevant to what we do today? Does it fit into our core business? Can our sales team move it? Do we have synergy with either the go-to-market side or the engineering side? We look at the transaction based on revenue synergies and a growth play or cost synergies, such as consolidation. If it's a revenue play, we want to make sure that the investment enables Symantec to grow at its projected rate or better. Altiris is a good example of a high-growth company. Its growth is in the high teens. We've acquired other companies that are growing at 30 percent per year. We have been able to sustain those growth rates and to accelerate them.

 

EL. Have any of the companies you've acquired turned out to be bad choices?

 

JT. Yes! Mergers and acquisitions are a little like internal development. We've built several products that didn't work quite as we had anticipated, and we had to fix them. Likewise, we've bought one or two things that didn't work for us. This is truly an exploration. If you assume that 100 percent of your mergers and acquisitions transactions will work as planned, then, as a leader, you put yourself in a very naive position. The challenge comes when you recognize that something isn't working as you planned, and you have to decide what actions to take to correct the course that it's on. We have experience going down this road.

 

EL. Five years from now, will Symantec be largely a services-based company?

 

JT. I envision software as a service, or cloud-based services being a larger percentage of our revenue mix, but I don't expect it would be the predominant base of our revenues. We haven't disclosed what our internal cloud-based services represent. For example, last year, MessageLabs had $125 million in revenue. That's a small amount.

 

Having been in the industry for many years, I'm a bit critical of my colleagues who would argue that cloud computing is the next great thing that's going to change the world. Nothing changes as fast as the soothsayers would suggest. While I think cloud-based services or software as a service will take on a greater proportion of how customers avail themselves of software, it won't eliminate the need for software companies in general.

 

EL. How are you helping organizations carry out their IT Infrastructure Library (ITIL) framework?

 

JT. All of our enterprise products comply with ITIL. In fact, our Altiris product will help you determine how well your enterprise complies with the ITIL framework. ITIL has capabilities around service delivery and service management. Likewise, our Altiris suite has an IT service management component.

 

EL. How is the piece of the managed service business doing for Symantec?

 

JT. It's has had good growth in the mid-teens to low 20s. It's an area that will get more focus over the next year or two as corporations decide it's too taxing for them to handle managing their firewalls, managing their intrusion sensors, and managing their email security infrastructure for spam and anti-fraud. It makes sense to outsource these things to a delivery expert such as us. Tough economic times like this force customers to evaluate whether or not they should managing these things themselves or they should rely on trusted experts.

 

EL. Does your Symantec's stock price still fluctuate whenever the media reports a major security breach?

 

JT. Not at all! A few years ago, chatter on the nightly news about the latest virus attack would have a corresponding impact on our consumer-installed business revenue. We've seen less visibility about broad-based attacks of late, and thus our consumer business hasn't had that external catalyst. An incident like TJ Maxx or some of the other data breaches that have occurred provide to remind our sales team, and in turn, our customers, with the importance of our data loss prevention technologies. The growth in data breaches prompted us to acquire a leading solution in that space by a factor or two or three. It also has great momentum.

 

Interview conducted by Elizabeth Ferrarini at elizabethferrarini@yahoo.com

| More
1,068 Views 0 Comments Permalink Tags: article, governance, security
Tom Parish

GerryMcCartney.jpg

 

If you think being a CIO at a major university has fewer headaches than being a corporate CIO, think again. The two environments are both different and come with their own set of challenges, according to Gerry McCartney, CIO and vice president of information technology at Purdue University. Based in West Lafayette, Indiana, Purdue has more than 40,000 undergraduate and graduate students, more than 6,000 faculty members, and expends about $400 million a year in support of research system-wide, using funds received from the state and the federal governments, industry, foundations, and individual donors.

 

McCartney knows what he's talking about. His experience cuts across both the professional side of managing IT and the academic side of IT leadership. Before McCartney's CIO appointment at Purdue, he was assistant dean for technology at Purdue's Krannert School of Management, where he taught in the executive MBA program and in the engineering program. He also was the associate dean and CIO at the University of Pennsylvania's Wharton School. He holds a doctorate in sociology and in anthropology from Purdue and diplomas in advanced computer programming and systems analysis from the Graduate School of Engineering at Trinty College, in Dublin, Ireland.

 

Enterperiseleadership.org recently sat down with McCartney to discuss how he makes strategic capital investment decisions, and what key differences exist between the CIO leadership role in academe versus working in a major corporation. Here's what he had to say:

 

EL. Can you describe the structure of IT at Purdue?

 

GMc.We have about 1,000 IT professionals. Half of these people work for me. The rest, are in the various schools, departments, and administrative officers. These people meet the local needs of end users. I run the central IT services or the enterprise organization. The challenge is how to define a central service versus an edge service. My group manages the data center, ERP, all of the classrooms and labs, video production facilities, telephone services, all of the networks, and IT security for the campus. We even oversee a large research enterprise.

 

My $70 million budget has different colors of money. Half of that amount comes from the university for us to run the operation. The rest of the budget goes for recharge activities. For example, you can recover your cost of phones and networks. Because end users pay for these services, we don't have to invest any company dollars in them.

 

EL. Is there a formal process for the way you make investments in IT?

 

GMc. It's by the area. We need to distinguish between areas that are strategically important to the institution. Put this way, we need to excel at some things, while we can get away with just being good at other things. When we buy servers, for example, we try to get them at the best price we can. Because servers are a commodity, there's no competitive price advantage when it comes to buying them.

 

During the past two years, we've made several capital IT investments -- one was for $3 million and other, $1 million. Both investments concerned a research computer. In this case, research is our most strategic activity. We leveraged funding elsewhere on campus. We didn't have a board or a review committee. We put out a shingle that says we're interested in doing this and who is interested in being with us. We both built and bought a fairly large machine. About 75 percent of the funds for the machine came directors from researchers' pockets.

 

EL. Is that the way you normally make capital IT investment decisions?

 

GMc. That's the way we do it for research. On the other hand, if it's an ERP system, we handle it different because all of the funding comes from the center. It looks like a corporate purchase and goes through the board of trustees. It has many levels of approval and people poking at it.

 

EL. What would be your involvement with an ERP system purchase?

 

GMc. The need for a new ERP came from the business owners, which include the vice president of finance, the university treasurer and the director of human resources. They review our systems and decide if they're good enough or if we need to make a strategic change here. They would involve us as technical advisers and implementers. However, we outsourced the implementation of our current SAP system to Bearing Point, a consulting company.

 

EL. What role do you play in the governance process for making capital IT investment decisions?

 

GMc. I'm on the executive steering committee as a technical adviser. All of the governance committees have representatives from my staff. To this end, I have representation on all the committees that would be involved in this type of a decision.

 

I should point out that ERP isn't an IT project, but it's a business project. Now that we've completed the implementation of the ERP system, finance and human resources have given us the responsibility for managing and operating this system. The original owners of this ERP have now become users of our system. The relationship changes somewhat. Now, we're talking about amendments to systems where things go through our normal set of processes.

 

EL. Are there other influencers outside the university that having input into capital IT investment decisions?

 

GMc. Not in any significant way! The business owners might talk to their colleagues from other institutions. The board of trustees takes an active role in these types of decisions, by reviewing quarterly reporting.

 

EL. Do you monitor and track these investment decisions?

 

GMc. With the ERP system, the business owners monitored the investments because it was their dollars. For research, we're the fiscal coordinator for that. We monitor and do all of the negotiations. The monitoring for the research computer was a short process. We went from the first meeting on February 29 to having the supercomputer spinning disks and running jobs on May 5. That was the entire process. It's a very handmade activity.

 

EL. Have you encountered a bad investment decision in your career in IT?

 

GMc. It's easy to make a bad investment decision. The systems are so tightly coupled into our other systems. There's no discipline. During the 1990s, no one worried about what anything cost. It reminded me of an Oklahoma land chase with everyone trying to get things up and running in the shortest amount of time. During the past five years, we've started to ask what should we think about the value of it, and what's it worth to us. If you want to ask the latter question, then you need to know what is IT costing you.

 

EL. What do you hear from your corporate colleagues about assessing the value of IT?

 

GMc. That's something that many of my corporate CIO colleagues have shared with me. Based on discussions my colleagues have had with their CFOs, I've gotten a clearer picture of how IT runs completely differently than the rest of the company. CIOs know in gross what things cost them. For example, 20 percent of a global brewery's corporate budget went for IT. The brewery's CIO started to ask why the CIO couldn't give him precise costs for specific IT tasks. The CEO said that if he asked plant managers at any of the company's breweries how much would it cost me to change the color on this label from blue to teal, they could tell the CEO down to the penny. On the other hand, if the CEO asked the CIO how much it would cost to redesign a header on an email package, the CIO would have no idea of the cost. They can't give you discrete costs. They have no experience doing that.

 

EL. Where do you see difference between the corporate IT group and the business units?

 

GMc. During the 1980s and 1990s, the role of IT became more significant in most organizations. To this end, CIOs became the keepers of the keys to the IT domain. Things have changed. Business people today know more about IT than IT people know about the business. Business people have become more comfortable with their technology and better-informed consumers of it, as well. If you were a good COBOL programmer in 1986, then you'll be unemployed today. That skill has no value for us at all. If you where a good CPA in 1986, you're probably still a good CPA today. Many IT skills have a short shelf life. IT people can't live in glass houses thinking they're doing important stuff, they have to move with the times.

 

EL. What makes working in IT in a university differ from a corporation, and what do you look for in IT talent?

 

GMc. Universities have a unique culture, similar to the two-class system found in law practices and in hospitals. I look for people who've worked in those bifurcated societies where there is a rainmaker and it's not you. Rainmakers in hospitals are the doctors, and in law firms, the lawyers. At a university, it's the professors. The support staff, which IT is part of, enables these rainmakers to do their job.

 

Corporations, by their nature, tend to treat everybody the same. So, if you've only worked in a corporation, you won't get the bifurcated model, where many people see themselves empowered to make decisions. When I interview people, I always ask them about their experience with decision making or their experience handling conflict. At a university, a letter from president won't solve the problem as in a corporation. There everyone sits down and listens. So, good IT candidates for a university need to know how to listen, to collaborate, to negotiate, and to set their personal feelings aside.

 

EL. What's are the top three problems IT people have trouble with?

 

GMc. I have laid off some people because I needed the money for something else. Agility is the key characteristic of a successful IT operation. Agility means change and change means people coming and people going. IT people find it hard to deal with change. It's kind of ironic because IT is all about change. A cadre of hardcore IT people has deep technical skills. The sweet spot is to find those IT people who have genuine technical skills and genuine business skills. Those people are a challenge to find right now.

 

Some companies don't regard their CIOs as business leaders. How many CIOs do you know that have moved into other non-IT positions? What credibility does a CIO have to run marketing or finance? If a CIO is doing his or her job right, they should be the only senior executive, other than the CEO, who has a global view of the organization. They could be dealing with all of these people daily, but this doesn't mean they are. Many CIOs like to think of themselves as technology directors. If that's the case, they should be CTOs, not CIOs.

--

Additional Reading - Sponsor Link:
Managing the Business of IT: Maximizing the Power of Service Resource Planning, the Next Step in Business Service Management

 

Interview conducted by Elizabeth Ferrarini at elizabethferrarini@yahoo.com

| More
993 Views 0 Comments 0 References Permalink Tags: agility, article, governance, it_investments

Actions

Popular Blog Posts

© Copyright 2005-2009 BMC Software, Inc. Use of this site signifies your acceptance of BMC's Terms of Use and Privacy Policy.   Feedback