Word to the wise: Buckle up
Q&A When it comes to Internet security, Jerry Ungerman knows perhaps better than most that it's a rough world out there.
The president of Check Point Software Technologies spends his days counseling information-technology executives on the benefits of firewalls and virtual private networks. Actually, he does a lot more than offer disinterested advice. Even amid the dot-com implosion and the general malaise affecting IT spending, Check Point has had a better story than most to tell to Wall Street.
The company beat earnings estimates for its June quarter, with revenue up 57 percent from the same period the year before. Meanwhile, management told analysts that it expects profits to be up 50 percent this year. That good news is primarily due to the veritable explosion in cybercrimes and hacking, a trend that has given a needed boost to the Internet security sector.
Once a mainframe maven, Ungerman has helped Check Point establish itself over the last three years as the de facto standard for firewalls, considered the second-most-popular Internet security technology after antivirus software, according to a 2001 survey by the Computer Security Institute.
To be sure, the company finds itself in a business where all the trend lines are pointing north. Market researcher IDC recently predicted that the Internet security market would grow an average of 23 percent annually for the next five years, hitting $14 billion in 2005. Business consultancy Gartner expects companies to spend 10 times more of their IT budgets on security by 2011.
Ungerman spoke in a recent interview about developments in the Internet security business and his plans for Check Point.
Q: How did you get into security?
A: I joined Check Point almost three years ago. I
had been in the computer business for many years--primarily
on the mainframe and storage side, high-end services
and solutions--and we just happen to run into each
other.
Coming from the mainframe area, where there is
also an interest in security, what do you see as the
big difference between that era and today?
Then it was very much internal to the IT department...(authorizing)
who could or could not get to the mainframe. And now
it's about the network and the Internet, so it is
much more of an external vs. an internal view. You
are still trying to protect the same assets but at
a different point. It used to be about putting a perimeter
up. But now it's about allowing access but doing it
securely. Because of the Internet and networks, that
has made it a much different and much more important
focus.
Check Point has been a darling of the security
market for quite a while. What do you think you do
that others don't do?
There is a broad umbrella that is called Internet
security. It encompasses a lot of different technologies:
content filtering, URL filtering, intrusion detection,
PKI authentication and authorization. We're in what
is considered the core of the most fundamental piece
of the security business, which is firewalls and virtual
private networks. First and foremost, it is the only
one of all the different security technologies, in
a macro sense, that provides true security. It decides
who gets in and out of a network. So it provides all
the access control necessary to provide the security
for an enterprise.
The tech slump has hit many security companies
as well, but Check Point is expecting 50 percent profit
growth this year. Why is that?
I think that gets back to the same point. It's because
we are bringing out firewalls and VPNs. Firewalls
are must-have, not as discretionary as the other kinds
of technologies. Also, our VPN technology saves companies
a lot of money. So I think those two products combined
together is what helping us, relative to the others.
We don't have the same growth rate that we had a year ago, and we find the market very challenging, very difficult. And we don't think anything is totally immune to the macroeconomic environment we are in. But we do seem to be on a relative basis doing better than most everyone else.
Do you think companies now saying, "We don't
need new computers, we don't need to expand our information-technology
budget," are instead coming around to saying, "Let's
get our security straightened out"?
Yes, they are. This is all about using the Internet--gaining
the efficiencies and effectiveness of communicating
to your employees, your partners, customers and suppliers,
while using the Internet as your communication backbone.
To do that, you need to focus on securing those connections.
So this is about saving money, increasing your overall
corporate productivity, but you can't do it unless
you secure those connections to the Internet, which
is why there still is a focus on security. It is important
to note that although security is among the top few
issues that CIOs or corporate executives are focused
on, even with that, we probably only make up 2 to
3 percent of an IT budget.
Do you think it also points to some housecleaning?
A lot of companies saying, "If we are not going to
grow, at least do it right"?
I don't know about doing it right, but the more they
open it up, the more they need to secure it. Eight
years ago, after we started in the business, securing
your network meant shutting it down, not letting anyone
into it. Well, today it means opening it up if you
are going to be effective in the e-business world,
but opening it up securely, which is why people are
adding so much more security technology than anybody
thought would happen in as little as four years ago.
Because now they have to protect more and more nodes,
connect more offices, allow more remote access connections,
and protect the network down at lower levels as they
have opened it up.
Do you think the security situation is getting
worse?
It's getting a lot worse. Reported hacking attempts
in the year 2000 went up 77 percent over 1999.
That's a pretty sizable increase and, again, most
of the experts will tell you that the vast majority
of hacking is not yet reported. There are too many
negative implications associated with that. The companies
don't acknowledge that they had their network hacked.
So, yeah, it's on the increase.
As corporations continue to use the Internet--and I think the growth will continue to explode, especially as we move into wireless--and you start tying in partners, customers and suppliers, it's even a bigger issue to focus on. Fortunately, the technology is in place to allow them to actually secure the data much more effectively than they could in a traditional private network.
You mentioned that a lot of hacking is not reported
because of the stigma. Yet, on the other hand, companies
can't really secure themselves. Do you think that
we will get to a middle ground where people might
say, "Yes, we were hacked, but we were able to mitigate
the damage," and thus remove that stigma?
I don't know if it's a stigma as much as they don't
want the rest of their constituents to know that their
data is vulnerable (because) they might not want to
do business with them. There are always going to be
attempts, and if you have the right security architecture,
you'll see that, you'll know that, but you will have
prevented it.
Are we a long way away from being able to deal
well with network attacks?
The technology is in place; it's just a matter of
people spending the money, putting people in place,
and taking it seriously. But there are millions of
businesses out there that could be vulnerable. There
are going to be millions of businesses that are going
to need the Internet, and they will need to be secure.
What do you think needs to be done policy-wise
to help large corporations and those forming the backbone
of the economy?
I don't think they need the help of the government.
I am very impressed with enterprises. They understand
it. They get it. In fact, I think they get it better
than the government. Usually, when the government
gets involved, it's how to catch people, not how to
prevent it. You can't do this through legislation.
IT just needs to be more aware and understanding of
the importance of security.
A lot of people focus on privacy and privacy policies, but they don't ask, How are you going to secure that data that you said you won't give to anybody? It is up to the individual businesses and consumers. There is a whole awareness philosophy that the government could get into, could help foster.
What are the big challenges for security and
for Check Point?
The biggest challenge is the pervasiveness of the
Internet and the use of it as we are moving into broadband
with cable modems and DSL. What everybody loves about
(broadband) is it's always on and (has) high performance,
but if it's always on in a shared environment, it's
always vulnerable. So that is exposing some new concerns
for both corporations and consumers that they may
not have had before. Wireless is another very big
opportunity that if you are going to connect a wireless
device into a network, it is going to again have to
be a secure connection.
I think we're going to be moving into (a period) where the Internet is going to play a bigger and bigger role as a communications backbone for consumers as well as businesses. If you get a smart home of the future that has multiple IP devices in it, you are going to want to protect that home; that's going to require a firewall at the residential gateway to protect everything in there, especially when you are gone. And corporations are the same way. If they are going to take advantage of these broadband, high-speed connections for their employees, whether they are in a hotel, in an airport, or at home...that's going to be the new perimeter--every individual desktop.
Is there still a lot of room to grow in the firewall
space?
Oh, yeah. We have about 80,000 customers today, and
there's an opportunity to secure 10, 20, 30 million
customers. We can see firewalls and VPNs as a market
opportunity in a good economy of 50 to 60 percent
growth opportunities for many, many years to come.
We are at the very early stage of deploying the type
of technology that we have.
In the end, do you think a firewall is going
to be something that anyone on the Internet is going
to need?
Yes. With every kind of device. So, it's not just
everybody, but every kind of device that is going
to connect to the Internet--so every PC, every PalmPilot,
every cell phone. We are very confident in where we
are today in development, when third generation is
here, which is the bandwidth necessary to make it
a viable data device, that we do have the security
technology that will fit both at the gateway as well
as on the device itself.