Word to the wise: Buckle up

Q&A When it comes to Internet security, Jerry Ungerman knows perhaps better than most that it's a rough world out there.

The president of Check Point Software Technologies spends his days counseling information-technology executives on the benefits of firewalls and virtual private networks. Actually, he does a lot more than offer disinterested advice. Even amid the dot-com implosion and the general malaise affecting IT spending, Check Point has had a better story than most to tell to Wall Street.

The company beat earnings estimates for its June quarter, with revenue up 57 percent from the same period the year before. Meanwhile, management told analysts that it expects profits to be up 50 percent this year. That good news is primarily due to the veritable explosion in cybercrimes and hacking, a trend that has given a needed boost to the Internet security sector.

Once a mainframe maven, Ungerman has helped Check Point establish itself over the last three years as the de facto standard for firewalls, considered the second-most-popular Internet security technology after antivirus software, according to a 2001 survey by the Computer Security Institute.

To be sure, the company finds itself in a business where all the trend lines are pointing north. Market researcher IDC recently predicted that the Internet security market would grow an average of 23 percent annually for the next five years, hitting $14 billion in 2005. Business consultancy Gartner expects companies to spend 10 times more of their IT budgets on security by 2011.

Ungerman spoke in a recent interview about developments in the Internet security business and his plans for Check Point.

Q: How did you get into security?
A: I joined Check Point almost three years ago. I had been in the computer business for many years--primarily on the mainframe and storage side, high-end services and solutions--and we just happen to run into each other.

Coming from the mainframe area, where there is also an interest in security, what do you see as the big difference between that era and today?
Then it was very much internal to the IT department...(authorizing) who could or could not get to the mainframe. And now it's about the network and the Internet, so it is much more of an external vs. an internal view. You are still trying to protect the same assets but at a different point. It used to be about putting a perimeter up. But now it's about allowing access but doing it securely. Because of the Internet and networks, that has made it a much different and much more important focus.

Check Point has been a darling of the security market for quite a while. What do you think you do that others don't do?
There is a broad umbrella that is called Internet security. It encompasses a lot of different technologies: content filtering, URL filtering, intrusion detection, PKI authentication and authorization. We're in what is considered the core of the most fundamental piece of the security business, which is firewalls and virtual private networks. First and foremost, it is the only one of all the different security technologies, in a macro sense, that provides true security. It decides who gets in and out of a network. So it provides all the access control necessary to provide the security for an enterprise.

The tech slump has hit many security companies as well, but Check Point is expecting 50 percent profit growth this year. Why is that?
I think that gets back to the same point. It's because we are bringing out firewalls and VPNs. Firewalls are must-have, not as discretionary as the other kinds of technologies. Also, our VPN technology saves companies a lot of money. So I think those two products combined together is what helping us, relative to the others.

We don't have the same growth rate that we had a year ago, and we find the market very challenging, very difficult. And we don't think anything is totally immune to the macroeconomic environment we are in. But we do seem to be on a relative basis doing better than most everyone else.

Do you think companies now saying, "We don't need new computers, we don't need to expand our information-technology budget," are instead coming around to saying, "Let's get our security straightened out"?
Yes, they are. This is all about using the Internet--gaining the efficiencies and effectiveness of communicating to your employees, your partners, customers and suppliers, while using the Internet as your communication backbone. To do that, you need to focus on securing those connections. So this is about saving money, increasing your overall corporate productivity, but you can't do it unless you secure those connections to the Internet, which is why there still is a focus on security. It is important to note that although security is among the top few issues that CIOs or corporate executives are focused on, even with that, we probably only make up 2 to 3 percent of an IT budget.

Do you think it also points to some housecleaning? A lot of companies saying, "If we are not going to grow, at least do it right"?
I don't know about doing it right, but the more they open it up, the more they need to secure it. Eight years ago, after we started in the business, securing your network meant shutting it down, not letting anyone into it. Well, today it means opening it up if you are going to be effective in the e-business world, but opening it up securely, which is why people are adding so much more security technology than anybody thought would happen in as little as four years ago. Because now they have to protect more and more nodes, connect more offices, allow more remote access connections, and protect the network down at lower levels as they have opened it up.

Do you think the security situation is getting worse?
It's getting a lot worse. Reported hacking attempts in the year 2000 went up 77 percent over 1999. That's a pretty sizable increase and, again, most of the experts will tell you that the vast majority of hacking is not yet reported. There are too many negative implications associated with that. The companies don't acknowledge that they had their network hacked. So, yeah, it's on the increase.

As corporations continue to use the Internet--and I think the growth will continue to explode, especially as we move into wireless--and you start tying in partners, customers and suppliers, it's even a bigger issue to focus on. Fortunately, the technology is in place to allow them to actually secure the data much more effectively than they could in a traditional private network.

You mentioned that a lot of hacking is not reported because of the stigma. Yet, on the other hand, companies can't really secure themselves. Do you think that we will get to a middle ground where people might say, "Yes, we were hacked, but we were able to mitigate the damage," and thus remove that stigma?
I don't know if it's a stigma as much as they don't want the rest of their constituents to know that their data is vulnerable (because) they might not want to do business with them. There are always going to be attempts, and if you have the right security architecture, you'll see that, you'll know that, but you will have prevented it.

Are we a long way away from being able to deal well with network attacks?
The technology is in place; it's just a matter of people spending the money, putting people in place, and taking it seriously. But there are millions of businesses out there that could be vulnerable. There are going to be millions of businesses that are going to need the Internet, and they will need to be secure.

What do you think needs to be done policy-wise to help large corporations and those forming the backbone of the economy?
I don't think they need the help of the government. I am very impressed with enterprises. They understand it. They get it. In fact, I think they get it better than the government. Usually, when the government gets involved, it's how to catch people, not how to prevent it. You can't do this through legislation. IT just needs to be more aware and understanding of the importance of security.

A lot of people focus on privacy and privacy policies, but they don't ask, How are you going to secure that data that you said you won't give to anybody? It is up to the individual businesses and consumers. There is a whole awareness philosophy that the government could get into, could help foster.

What are the big challenges for security and for Check Point?
The biggest challenge is the pervasiveness of the Internet and the use of it as we are moving into broadband with cable modems and DSL. What everybody loves about (broadband) is it's always on and (has) high performance, but if it's always on in a shared environment, it's always vulnerable. So that is exposing some new concerns for both corporations and consumers that they may not have had before. Wireless is another very big opportunity that if you are going to connect a wireless device into a network, it is going to again have to be a secure connection.

I think we're going to be moving into (a period) where the Internet is going to play a bigger and bigger role as a communications backbone for consumers as well as businesses. If you get a smart home of the future that has multiple IP devices in it, you are going to want to protect that home; that's going to require a firewall at the residential gateway to protect everything in there, especially when you are gone. And corporations are the same way. If they are going to take advantage of these broadband, high-speed connections for their employees, whether they are in a hotel, in an airport, or at home...that's going to be the new perimeter--every individual desktop.

Is there still a lot of room to grow in the firewall space?
Oh, yeah. We have about 80,000 customers today, and there's an opportunity to secure 10, 20, 30 million customers. We can see firewalls and VPNs as a market opportunity in a good economy of 50 to 60 percent growth opportunities for many, many years to come. We are at the very early stage of deploying the type of technology that we have.

In the end, do you think a firewall is going to be something that anyone on the Internet is going to need?
Yes. With every kind of device. So, it's not just everybody, but every kind of device that is going to connect to the Internet--so every PC, every PalmPilot, every cell phone. We are very confident in where we are today in development, when third generation is here, which is the bandwidth necessary to make it a viable data device, that we do have the security technology that will fit both at the gateway as well as on the device itself.