During John Thompson's decade as CEO of Symantec, a $6 billion enterprise security company, he transformed the company from a consumer-based software publisher to a leader in Internet security, data protection, and storage management. Thompson led an effort to diversity Symantec's product portfolio through more than 20 strategic acquisitions, especially the controversial $11 billion purchase of Veritas. Revenues during Thompson's tenure increased tenfold to more than $6 billion. In October 2008, Thompson announced his early 2009 retirement from Symantec. Enterpriseleadership.org recently sat down with Thompson to discuss the strategy for growing Symantec, the challenges of executing on that strategy, and the future growth prospects for the company.

Here's what he had to say:

EL. How has the downtown in the economy affected Symantec?

JT. No company can hide from customers that must deal with challenging economic times. We aren't different in that regard. With that said, we have technologies that companies need to have now. With data volumes growing at more than 50 percent a year for the average large company, they have to secure and to manage that information. If you look at the nature of our product portfolio, we have a certain level of insulation during difficult economic times.

Our primary products include security management, storage management, and backup and recovery. We target the largest companies in the world. More than 70 percent of our business comes from corporate and government customers. The rest of our business comes from consumers around the world.

EL. In 2005, Symantec began a diversification strategy with the acquisition of Veritas. Why did you decide to acquire a storage management company?

JT. We were interested in the backup and recovery components of the Veritas portfolio. A security company tries to keep bad things from affecting an organization's network or its systems environment. Because we had seen so many attacks in 2003 and 2004, we knew we wouldn't be able to stop all of these attacks. We, however, looked at how we could help customers recover to the appropriate level of operational control when an attack does occur. As a result, recovery tools and storage management tools became an important part of our realization that our job wasn't to just keep bad traffic out, but it was to keep an organization's systems up and running. The recovery capability became a critical component of that process.

EL. What is the company's mergers and acquisition strategy?

JT. Mergers and acquisition are an integral part of our business model. We have said to investors that we'd like to spend about half of the free cash flow from operations on mergers and acquisitions. That would translate into about $800 million per year. We want to focus it around two or three important elements. One focus is to look at enhancing the effectiveness of our core businesses, such as our core anti-virus business, and our core backup business. These businesses tend to grow in the mid to high single digit range. The second focus is on enhancing elements around the core that would provide higher growth.

While backup and recovery is an important part of what we do, email archiving, for example, is a similar function, but offers growth. While backup is an important element of what we do, disk space backup and data duplication are areas of very high growth. Can we acquire our way into related or adjacent areas that act as catalysts for growth?

Our third focus is to look for areas that three or five years from now have the potential to be high growth engines for us, but also would provide high volume. We recently acquired MessageLabs, a UK company that will complement our on-premise software appliance business, but it will give us a new marketing path or route.

EL. When you talk about high growth, what figures are you aiming for?

JT. We typically look for anything that is above 20 percent growth. We said to Wall Street that we expect to grow as a company at between eight percent to 12 percent per year. Ten percent is the mid point of that. We consider anything twice that or greater to be high growth.

EL. Why hasn't Symantec adopted more of a build versus a buy strategy?

JT. We've built much of our technology. In fact, we spend about 15 percent of our revenue on research and development. While we acquire much of our stuff, the nature of the security business has been that the threats change constantly. From 1998 to 2002, venture capitalists in Silicon Valley and in Israel funded more security startups than any other type of company in the technology industry. Each of them had a unique twist on how to solve a particular problem. We aren't so smart that we have a foundry on every great idea. To that end, we want to continue to innovate on our own, but, at the same time, we also want to be open to external forces coming in. We use a model similar to open innovation. We innovate ourselves, but we're open to outside ideas, and we're also open to investing in companies where we might be able to help them move the security spectrum along.

EL. Can you describe the business process for updating the corporate strategy?

JT. It's an on-going process. I have a direct report who runs corporate strategy and business development. We go through a quarterly review of what our portfolio looks like, what things in the portfolio we should eliminate, and what things we should acquire. We're looking for acquisitions that will enhance our core, that will represent high growth, or that will reposition us for large market opportunities with healthy growth for five to 10 years. At the annual board retreat, we share our detailed views on these subjects with the board members. Each quarter, we talk to them about the performance of the organizations we've acquiring during the past 12 months, and the prospects of organizations we might consider for the next couple of quarters. We have a healthy dialog about the long-term view of what we're trying to accomplish, the performance of what we've done, and the prospects of things that could be on the horizon during the next six months.

EL. Are you looking at technologies that relate to security?

JT. Yes! We acquired Altiris, a company that does device management. The technology relates to security. For example, before you distribute software to desktops in a corporation, you need to make sure that the software has all of the appropriate patches, that the hardware reflects all of the appropriate changes, and that a process exists for cataloguing everything so you can keep track of it. When a network attack occurred in 2003, we discovered that the vector of the attack had been present in the Windows operating environment for more than six months. If we had systems management tools to update the configuration and to update the software, we could've eliminated that attack vector. Having management tools tied to our security tools represents the opposite side of the same coin. Security resides on one side, while device management, on the other side.

EL. Do you have a particular methodology you use for measuring the success of technology investments?

JT. We look at several key metrics. Is the technology relevant to what we do today? Does it fit into our core business? Can our sales team move it? Do we have synergy with either the go-to-market side or the engineering side? We look at the transaction based on revenue synergies and a growth play or cost synergies, such as consolidation. If it's a revenue play, we want to make sure that the investment enables Symantec to grow at its projected rate or better. Altiris is a good example of a high-growth company. Its growth is in the high teens. We've acquired other companies that are growing at 30 percent per year. We have been able to sustain those growth rates and to accelerate them.

EL. Have any of the companies you've acquired turned out to be bad choices?

JT. Yes! Mergers and acquisitions are a little like internal development. We've built several products that didn't work quite as we had anticipated, and we had to fix them. Likewise, we've bought one or two things that didn't work for us. This's truly an exploration. If you assume that 100 percent of your mergers and acquisitions transactions will work as planned, then, as a leader, you put yourself in a very naive position. The challenge comes when you recognize that something isn't working as you planned, and you have to decide what actions to take to correct the course that it's on. We have experience going down this road.

EL. Five years from now, will Symantec be largely a services based company?

JT. I envision software as a service or cloud-based services being a larger percentage of our revenue mix, but I don't expect it would be the predominant base of our revenues. We haven't disclosed what our internal cloud-based services represent. For example, last year, MessageLabs had $125 million in revenue. That's a small amount.

Having been in the industry for many years, I'm a bit critical of my colleagues who would argue that cloud computing is the next great thing that's going to change the world. Nothing changes as fast as the soothsayers would suggest. While I think cloud-based services or software as a service will, take on a greater proportion of how customers avail themselves of software, it won't eliminate the need for software companies in general.

EL. How are you helping organizations carry out their IT Infrastructure Library (ITIL) framework?

JT. All of our enterprise products comply with ITIL. In fact, our Altiris product will help you determine how well your enterprise complies with the ITIL framework. ITIL has capabilities around service delivery and service management. Likewise, our Altiris suite has an IT service management component.

EL. How is the piece of the managed service business doing for Symantec?

JT. It's has had good growth in the mid teens to low 20s. It's an area that will get more focus over the next year or two as corporations decide its too taxing for them to handle managing their firewalls, managing their intrusion sensors, and managing their email security infrastructure for spam and anti-fraud. It makes sense to outsource these things to a delivery expert such as us. Tough economic times like this force customers to evaluate whether or not they should managing these things themselves or they should rely on trusted experts.

EL. Does your Symantec's stock price still fluctuate whenever the media reports a major security breach?

JT. Not at all! A few years ago, chatter on the nightly news about the latest virus attack would have a corresponding impact on our consumer-installed business revenue. We've seen less visibility about broad-based attacks of late, and thus our consumer business hasn't had that external catalyst. An incident like TJ Maxx or some of the other data breaches that have occurred provide us to remind our sales team, and in turn, our customers, with our the importance of our data loss prevention technologies. The growth in data breaches prompted us to acquire a leading solution in that space by a factor or two or three. It also has great momentum

Interview conducted by Elizabeth Ferrarini at elizabethferrarini@yahoo.com