'Devil's in the details' for security

newsmaker Trend Micro CEO Eva Chen says some female stereotypes are an edge for her in the security field, such as being "detail-minded", and shares biggest security threat she faced in her more than 20 years in the business.
Written by Jamie Yap, Contributor

newsmaker TAIPEI--Gender is not something Trend Micro CEO Eva Chen thinks about in her leadership role, but if the female stereotype of being detail-oriented and meticulous has any truth in it, it is certainly an advantage in running global security vendor in an industry where "the devil's in the details".

Chen co-founded Trend Micro in the United States back in 1988, together with her brother-in-law Steve Chang and her sister Jenny. She was first executive vice president until 1996 and then CTO until 2004. In 2005, she took on the reins of CEO when Chang stepped down from the post to become chairman.

Though she has been in her current post for about seven years now, Chen--who was on Forbes Asia's 50 Power Businesswomen 2012 list--admits she has a "business face but [was] a techie in mind". According to her, the monthly meetings with engineers and architects in the company are what she enjoys the most about her job.

That these two roles--business person and techie--have to work in tandem is all the more notable in today's so-called "hacktivism" age where large corporations, including security vendors, face much media scrutiny if they get hit by security breaches or hacks. While Chen acknowledged that no security company ever wants to be a victim of hackers, she said such attacks can be turned into a "great experience" for vendors to understand what their customers really go through, come up with improved products and services, all of which ultimately benefits both customers and the security industry overall.

In March 2008, Trend Micro itself found that its Japanese and United Kingdom Web sites were compromised by a malicious iFrame injection.

During her interview with ZDNet Asia on the sidelines of the company's CloudNext conference in Taipei, Taiwan, Chen shared what she considered to be the biggest security threat in her more than 20 years in the industry, and how she gets inspired to come up with security innovations. Her efforts in the field have had their fair share of recognition, the latest being the Cloud Security Alliance (CSA) Industry Leadership Award this year.

You were first CTO, then CEO of Trend Micro. You also have two master's degrees--one in business administration and another in management information systems--from the University of Texas. Do you consider yourself more techie or businesswoman at heart?
I have a business face with a techie mind and I think everybody who knows me will agree with me (laughs). Until now, I still run our architect meetings every month and talk with our architects and designers. Not only do I feel that it's my most enjoyable time, but I also find that is the best contribution I can make. Because at the end of the day, what we provide to our customers is a product, so designing a product well is the best contribution I can do for this business. So I'm still a techie in mind, but I can take on shareholder meetings (laughs).

As someone who runs a major security company, how do you react when you see headlines that competitors such as RSA and Symantec have had their data hacked into?
There're several factors. One, I always remind our engineers in the company that their job is not just about developing better products, but also writing solid code. That is important. We implement a lot of processes before we release any product, such as internal hacking onto our own code.

Another part is that actually being hacked is also a great experience for us to understand what our customers themselves really experience. In the past, we used to just say "Okay, you got hacked? We'll kill the connection and clean the computer. And we're done". But now, because of the experience we had, we can also offer customers legal advice such as who should you contact when you get hacked or help with cybersecurity insurance policy writing. A lot of times, customers don't know what to do when they get hacked. They don't know that they need to inform who and what kind of processes they need to go through. Based on our own experience, we started to think, when customers suffer an attack, there're other things that need to be taken care of.

And I guess, mentally speaking, the attacks on security vendors such as ourselves actually make us all feel a greater fighting spirit against hackers. We feel like, "We want to make sure we beat you".

So it's beneficial for security vendors to get hacked?
Of course we all hope that it never happens to any of us. Even to my competitors, I hope it doesn't happen. We're all fighting the hackers. I think when attacks happens, it benefits the whole industry. Because we will have to step up our security level, and we will, because of that, benefit our customers ultimately.

Trend Micro's sites in Japan and the U.K. were compromised back in March 2008. How did you feel then?
Frankly, as a security vendor, we face this challenge every day. Of course hackers want to challenge the security vendors. Antivirus agents are one of the most widely distributed security agents, and you see that for a lot of malware, the first thing it does is to disable the antivirus.

You've been in the IT security industry for more than 20 years. What has so far been the one single biggest security trend or threat you've witnessed?
I still say it's the advanced persistent threat (APT). Why? Because first, it is very sophisticated and hard to defend against, and second, its impact can be huge. Stuxnet already demonstrated it could hack into a government's infrastructure. So I think APT is the biggest one and the biggest challenge for security vendors. That's why we spend a lot of time and resources to deal with this.

With the rise of cyberespionage between countries--and the potential political repercussions--do you think security companies have an obligation to help or they should not interfere?
It is making the security vendors' job more difficult. I don't know if this is a good analogy, but security vendors are like tool providers. We provide the "weapon", but we don't know who is going to use it and how they are going to use it. I just try to provide the best tool for security and hopefully these are in the right hands.

How do you feel when you being one of the few female CEOs in IT becomes a topic of discussion--great or irate?
I rarely think about that, but I don't mind. Because it's a fact that I'm female. And if it can make more girls willing to come into the IT industry, I'm totally for it!

In that case, do you feel that you being a woman or the stereotypes associated with women is an asset or liability in how you view IT security and how you run an IT security company?
Everyone has different leadership styles. And maybe female and male leaders do have differences and they both have their own weaknesses and strengths. In security, the devil is in the details, you better be detailed-minded. So I feel that if anyone has that stereotype about women, I have the advantage. And I will also say women are more considerate than dominant, and in today's management world, collaboration is more important than one person's say. So most of the time, I do think being a woman is an advantage to running an IT security firm.

Speaking of leadership, you've spearheaded various security initiatives under Trend Micro. What inspires you to come up with these ideas to constantly innovate the company's security solutions?
I know this sounds too business-like, but the truth is our vision statement has never changed, no matter what we do. That vision statement is a world safe for exchanging digital information. Every time, no matter what the vision or innovation of a product, it is always based on how people exchange information.

Trend Micro is a very "simple-minded" company and we have a laser focus on security. So all the inspiration always come from the vision statement, not my vision.

The reason why we came up with server security was because we started to see people exchanging information through servers, and therefore that's the best place to put security. The next innovation was Interscan when we saw that people were exchanging information through e-mail, so definitely, virus will also be exchanged through e-mail. So we put security on the e-mail gateway.

Now we see people are sharing information through cloud. Whether it is a social networking cloud or virtualization where the infrastructure is shared, that's where we need to put security.

When you became CEO in 2005, you decided to create four business units: enterprise business, small and mid-size business (SMB), consumer, and the SOHO (small office, home office) segment. Do you see Trend Micro more of a consumer or enterprise player now?
Back then that was first thing I did as CEO--segmentation by customer type. We believed that the security needs for consumer users, SMBs and the enterprises were different. Before 2005, we tried to serve all the customers with the same technology, product and philosophy. So back then it wasn't that I wanted to place more emphasis on consumers, but that I believed we needed to specially design security products for consumer, SMB and enterprises. That philosophy hasn't changed. I believe because of that philosophy, we did grow our consumer and SMB business. In 2005, our consumer business was about 17 percent of our overall revenue. Now it's about 35 percent of overall revenue in 2011.

Editorial standards