Software more effective at fighting malware

Blue Coat CEO says embedding security in chipset not capable or flexible enough to track and catch ever-changing malware; underscores need to extend security protection to mobile devices.
Written by Tyler Thia, Contributor

Integrating security into the hardware will not be sufficient in monitoring and blocking malware, and is not a direction Blue Coat will be heading toward anytime soon, according to the security vendor's CEO and president, Michael Borman.

In fact, he believes software will remain a more effective way to track and catch malware.

In an interview with ZDNet Asia, the newly-minted CEO said he hopes to leverage his 30 years of experience in the IT industry to accelerate the company's growth and expansion, especially in the Asia-Pacific region.

The executive joined Blue Coat last September after rising through the ranks at IBM, where he was vice president of worldwide sales until 2008. He also served as CEO of Avocent until the company was acquired by Emerson Electric in 2009.

Borman told ZDNet Asia that rich media such as video is the next great application, and urged enterprises to make bandwidth provisions to facilitate this demand and ensure network traffic remains efficient.

He also discussed the company's growth strategy and efforts to stay competitive as well as shared his thoughts on his evolving management styles.

Q: What is an enterprise's most critical application today?
Borman: It is the Internet--not Salesforce.com, not SAP, not Oracle financials. Every department uses the Internet, from marketing to sales to finance, for appraising and other purposes. For a staff member at a branch office to access the Web to view content, he would have to go through a VPN connection into the mainframe, and out to Web content such as YouTube or Facebook, then back into the corporate data center and out to the branch office. These machines are connected for security's sake but at the same time, an acceleration of rich media needs to happen so enterprises need to look at how to ensure both functions work properly at the same time.

Intel, with McAfee, is looking to embed security into chips. Do you think this is a feasible idea?
You have to have a certain amount of logic in it, and in reality, if you think about the number of bots that get created, the amount of malware out there, it doesn't make sense. Malware can infect a machine that's up online for 30 seconds by sending text messages or other sophisticated ways. Hardware on application-specific integrated circuit (ASIC) will not be able to keep track of the ever-changing malware, so I think software will remain a more effective way to catch these viruses.

We don't have any plans to build custom ASICs or custom software coded into hardware on a chip. I don't think it will be flexible enough to meet the sophistication of security measures we need. Our community-based Webpulse security service, which analyses Web requests, does a very good job to sieve out malware-laden links. It transmits out all the real-time current threats.

What are the different users that make up this community?
The community of 73 million Web users includes consumers who use our K9 product, about 800,000 of them, as well as our secure Web gateway (SWG) appliance users, several million of them. Now we also have mobile devices that go through the networks of companies like Vodafone and others which have implemented the SWG appliances, and these make up tens of millions within the Webpulse community. It's good that we have a mixture of mobile, home and enterprise users.

Do you leverage consumers as a testbed before pushing out products to the enterprise market?
Partially, yes. Before we announced our Proxy One security appliance, we ran our company's network on it. Our employees also used a new cloud-based security technology that we developed before it was made publicly available in the United States.

We try to get all the bugs out and make sure the system runs smoothly. For K9, we announced a simple way to secure the Apple iPhone and iPad which is currently one of the top 100 free apps, and is now part of our overall security architecture. If we come up with mobile support in the future, we may use a different architecture, but we're trialing the approach.

As more people adopt personal smartphones and tablets for work, is there a need to extend security protection into those devices? Where do you think the line should be drawn?
Clearly the requirement is there. The market is fragmented right now and it is still difficult to understand what the exact long-term strategy is. For example, the iPhone, which I paid for. I use it as a personal device but I also use it for personal and work e-mail. Should my company make me go through a gateway? That's some of the business challenges that companies need to face. I think if you use it for work, then the company can require you to go through security measures such as the SWG in order to protect its host server from malware.

Technology-wise, is there a difference in adoption mindset across the different Asian markets? And how is your Asian segment of the business doing?
The Chinese are faster adopters than Japanese. When I worked at IBM, the Japanese were always the most stringent about quality and demanded that when we put a product out, they wanted us to be able to continue to support it for 10 years. They were strict about the length of time for support because of their demand for high quality. In general, the quest for quality in Asia is there, but Japan stands out as being the most demanding.

Japan contributes to a significant part of our Asia revenue, and somewhere between 18 and 22 percent of the company's revenue, which is generally higher than other markets. It is a key force. We also have quite a lot of resources in China, with major offices in Shanghai, Beijing, Guangzhou and Shenzhen.

With just five months into the CEO job, what is your growth strategy for the company?
In the short to medium term, the strategy is to grow a WAN optimization visibility and our CacheFlow business where we've made the investment and we're into that right now. In the longer term, we'll introduce the cloud security service in other markets worldwide. This offering is expected to help with growth across all portfolios, drive larger accounts as well as markets.

Several of your competitors including Symantec and Trend Micro have already pushed out their own cloud offerings, but you have only recently launched yours in the United States. Are you a little late?
We may be late but our products are definitely better. A couple of cloud offerings out there have captured some market share but our approach and priority, when you compare them side by side, you'll understand that we're much better.

So I think we're a little late to the market, but it has just begun. The cloud security market is not over, it is just starting.

Any acquisition plans coming up?
First, as a company, you have to make sure you have the right corporate strategy, one that everybody agrees on and right now, we're going to be in the business of WAN optimization, optimization acceleration visibility and security.

You figure out which functions you need based on your weaknesses or things you need to build for the next year, then you figure out whether it is cheaper to build or buy. We're now in that process of figuring out and our team of business developers is looking at acquisition in these areas.

If things progress, we may see more of it. We've already identified some potential candidates. We're going to stay very focused on our core values so we won't be acquiring companies in other specialization.

This is your third CEO position, how has your management style changed? What have you learnt?
I was President and COO of Blue Martini Software, and CEO of Emerson Electric, and in between I was in IBM. I think my management style has changed over time and age. You still want to be forceful and want to win, but you need to be more of a coach than somebody who screams and yells. So I think my style is to build an aggressive team and encourage them to solve problems.

How different is it managing Asians from Americans?
I think there's a lot of difference because Asians make up a big group, and the way you manage a Singaporean will be different from a Japanese. Some are happy to fight vocally, while others need consensus and don't want conflict. I think you need to understand those cultures to handle the things differently. As for Singaporeans, I think they are not looking for conflict but are more open to debate issues, while other cultures aren't so open. The key is to have a style that's flexible and be able to deal with them differently.
