Filer: VERITAS Software Corporation
Subject Company: VERITAS Software Corporation
Commission File No. of Subject Company: 000-26247
The following transcript contains forward-looking statements, including statements regarding industry trends, such as supplier consolidation and growth in security attacks, benefits of the proposed merger involving Symantec Corporation and VERITAS Software Corporation, such as improved customer and platform coverage, improved product capabilities and lowered customer costs, post-closing integration of the businesses and product lines of Symantec and VERITAS, future stock prices, future product releases and other matters that involve known and unknown risks, uncertainties and other factors that may cause actual results, levels of activity, performance or achievements to differ materially from results expressed or implied by the statements in this transcript. Such risk factors include, among others, deviations in actual industry trends from current expectations, uncertainties as to the timing of the merger, approval of the transaction by the stockholders of the companies, the satisfaction of closing conditions to the transaction, including the receipt of regulatory approvals, difficulties encountered in integrating merged businesses and product lines, whether certain market segments grow as anticipated, the competitive environment in the software industry and competitive responses to the proposed merger, and whether the companies can successfully develop new products and the degree to which these gain market acceptance.
Actual results may differ materially from those contained in the forward-looking statements in this transcript. Additional information concerning these and other risk factors is contained in the sections of Symantecs and VERITAS most recently filed Forms 10-K and 10-Q entitled Business Risk Factors or Factors That May Affect Future Results. Symantec and VERITAS undertake no obligation and do not intend to update these forward-looking statements to reflect events or expectations regarding the circumstances occurring after the date of this transcript.
Additional Information and Where to Find It
Symantec Corporation has filed a registration statement on Form S-4 containing a preliminary joint proxy statement/prospectus in connection with the merger transaction involving Symantec and VERITAS with the SEC on February 11, 2005. Any offer of securities will only be made pursuant to a definitive joint proxy statement/prospectus. Investors and security holders are urged to read this filing (as well as the definitive joint proxy statement/prospectus when it becomes available) because it contains important information about the merger transaction. Investors and security holders may obtain free copies of these documents and other documents filed with the SEC at the SECs web site at www.sec.gov. In addition, investors and security holders may obtain free copies of the documents filed with the SEC by Symantec by contacting Symantec Investor Relations at 408-517-8239. Investors and security holders may obtain free copies of the documents filed with the SEC by VERITAS by contacting VERITAS Investor Relations at 650-527-4523.
Symantec, VERITAS and their respective directors and executive officers may be deemed to be participants in the solicitation of proxies from the stockholders of Symantec and VERITAS in connection with the merger transaction. Information regarding the special interests of these directors and executive officers in the merger transaction is included in the preliminary joint proxy statement/prospectus of Symantec and VERITAS described above. Additional information regarding the directors and executive officers of Symantec is also included in Symantecs proxy statement for its 2004 Annual Meeting of Stockholders, which was filed with the SEC on July 30, 2004. Additional information regarding the directors and executive officers of VERITAS is also included in VERITAS proxy statement for its 2004 Annual Meeting of Stockholders, which was filed with the SEC on July 21, 2004. These documents are available free of charge at the SECs web site at www.sec.gov and from Investor Relations at Symantec and VERITAS as described above.
The following is a transcript of a roundtable discussion in which John Thompson, Chairman and Chief Executive Officer of Symantec Corporation, participated at the RSA 2005 Conference on February 15, 2005 and which has been posted to a joint website hosted by Symantec and VERITAS as well as VERITAS internal website. Statements made by participants in the roundtable discussion who are not affiliated with Symantec or VERITAS should not be deemed to be attributed to or endorsed by either Symantec or VERITAS.
Final Transcript Conference Call Transcript SYMC Symantec at RSA 2005 Conference Event Date/Time: Feb. 15. 2005 / 11:15AM PT Event Duration: N/A Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 1 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference CORPORATE PARTICIPANTS John Thompson Symantec Corporation Chairman and CEO Jon Oltsik Senior Analyst, Information Security, Enterprise Strategy Group Richard Jackson ChevronTexaco Chief Information Protection Officer Tom Jones State of California Department of Health and Human Services Rich Baich ChoicePoint Chief Information Security Officer Malcolm Kelly Reuters Global IT Security Director CONFERENCE CALL PARTICIPANTS David Bank Wall Street Journal Riva Richmond Dow Jones Jeff Englander Kaufman Brothers Analyst Carrie Kirby San Francisco Chronicle Curtis Schauger CIBC Analyst Tim Klasell Thomas Weisel Partners Analyst Garrett Bekker Tradition Asiel Securities Analyst Joe Menn LA Times PRESENTATION John Thompson - Symantec Corporation Chairman and CEO Good morning or afternoon to everyone. Im John Thompson. Im the chairman and CEO of Symantec and I welcome all of you to this roundtable discussion. Ours is a wonderful forum for security specialists, both customers and solution providers to come together to talk about whats going on in our industry, how together we can do a better job of protecting the critical infrastructure thats been amassed around the world. And more importantly, where we think the industrys going. I have certainly have had my opportunity to share my views this morning and hopefully some of you had an opportunity to hear that. With me today are a number of experts lets call them that - from industry, both from the market analyst side as well as the user side, who will talk about this concept of security and availability. And while we at Symantec have been, for the last 18-24 months, suggesting to the market that there was a fundamental shift that had to go on, many of you have wanted your proof points of that, not just from Symantecs point of view, but from the point of view of users or people who truly are missioned with the responsibility for protecting critical assets that customers have deployed in their infrastructure. And so, what Id like to do is have these panelists give you a point of view and then open it up for questions after each of them has had an opportunity to speak. So, let me introduce each of the panelists to you and then well move on from there. First, from the Enterprise Strategy Group, is Jon Oltsik, to my immediate left. Next, the Chief Information Security Officer and a true security professional from ChoicePoint, Rich Baich. From the State of California, which is one of the largest state government users of information technology, from the Department of Health and Human Services, Tom Jones, and Malcolm Kelly, who is from Reuters, one of Symantecs very important customers and a very avid user of information security technologies. We certainly believe that these individuals are representative of how technology is being deployed today and, more importantly, are forward-thinking in their view of how technology will be deployed tomorrow. So, let me have Jon Oltsik set the context for this discussion this morning. Jon? Jon Oltsik - Senior Analyst, Information Security, Enterprise Strategy Group Thank you, John. Can you hear me? Is my mic on? Okay. So, I should start by saying this is just another day at the office for me because my days are usually spent talking to technology vendors and users and institutional investors. That includes calls here and there from the press, so, just another day. Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 2 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference But the subject matter is where is security going? How is the security industry changing. And Im a relative newcomer to the security industry. Ive been covering security for about 2 years now full-time. But in terms of where security is going, I have to say weve seen this movie before. And those of who fit in the information technology industry for a long time will all say that. So, for instance, I started my career in 1987 at EMC Corporation. And back then, when we sold disk subsystems, what we sold was head disk assembly RPMs and we sold IO and we sold controller intelligence. And now, what the storage industry sells is information lifecycle management, so its the management of data for business context. Is this data important? Where does it have to go? Does it need to be archived? Does it need to adhere to regulatory compliances? So, things like that. Later on in my career, I was very involved in system and network management. And at the time, what wed do is wed look at router portability and SNMP mid. And wed look at usage statistics. Well, now if you look at whats happening in network management and systems management, its all about business process management. So, what I want is a tool that will give me a view of all of the systems, all of the networks that comprise some business process or critical application, and I want to use those metrics to help me make business decisions on SLAs, on performance, on capacity planning, things like that. So, when I got into security, I saw a number of point tools, I saw a number of disparate solutions, I heard a lot of talk about technologies and it just occurred to me, this has to change, this has to migrate to a much more business-centric industry. And what John said downstairs and what youll hear throughout the day and on the show floor is were in the process of doing that. That we really are changing information security to address business risk, not technology widgets. Are we there yet? Absolutely not. Absolutely not. Anyone who does what I do or what these guys do will tell you that just from our data, 66% of companies in a recent survey told us they were impacted by a worm in the last 12 months, in spite of the fact that there are technologies to help there. 14% of those said that the impact was severe. Were still getting troubled by this. Now, on the other side, on the Veritas side of the business, we know from our heritage which was in storage at ESG, 30-40% of backups fail. And its for a number of reasons. This isnt a Veritas reflection. Its because of media problems, hardware problems, human error, configuration problems. But when backups fail, that means data is not protected. That means I lose critical data. That means that there are things that I cant do productivity-wise because the data is gone. So, when Im asked where is the security where is security technology going, I wrote a column in C-NET at the beginning of this year and I said this is the year of the BUT. And I dont mean that in an anatomical way. This is a 3-letter acronym. And so, B-U-T. The B stands for back. So, we know that 64% of companies still say that they have a high investment in perimeter security. The numbers drop down precipitously when you look at other areas. So, we have to get back from the perimeter. We have to protect critical assets wherever they live. And we have to protect critical data. And I can tell you that storage infrastructure is extremely insecure. So, the U in BUT stands for up. And what I mean there is up the technology stack. So, Port 80 is wide open, Port 25 is wide open. We know that those are attack vectors. We need to do a better job of protecting critical applications. And were seeing some of those solutions come into play. But most companies or many c ompanies still havent figured that out. We also need to write more secure codes, which is something thats a work in progress. And so, finally, the T in BUT stands for together. And this has a couple of meanings. One is weve got to sell security solutions. No one can manage disparate (indiscernible). No one can manage disparatelog files. Its not giving us an enterprise picture. So, we need to address that very quickly. And the other thing is we need to integrate all these solutions and integrate them across so that, again, like the system network management guys, we get a business view of security for critical infrastructure and critical applications. So, let me just conclude by saying that in our research, we asked people to identify the type of traffic that was most vulnerable to attack. And unquestionably, people said e-mail. 46% of people said e-mail versus 22% for Web traffic. And so, clearly a problem. That Johns company they have purchased BrightMail. (ph). They just put out a new appliance called the 8100, very deep inspection for spam and for antivirus. And Microsoft just bought Sybari the other day. They realize this is a problem. But we know from what we do that its impossible to manage user accounts in e-mail. It creates a massive storage problem. People dont back up Exchange like they back up their Oracle databases, so theres a lot of data thats unprotected. And a lot of the compliance issues require that data be archived. So, today on The Wall Street Journal, I saw that someone I think it was JPMorgan Chase, but I hope Im not wrong because Im saying this. But they were just fined $3.1 million because they didnt provide the e-mail evidence in a court case so they were liable. And they had to pay a $3.1 million fine. So, e-mail archiving is important, too. So, just to summarize, when you look at the e-mail environment, its not about spam and antivirus. Thats a piece of it. It has to be a comprehensive risk management solution for a critical application and thats where I see security going. It has to broaden. It has to get on the point tools realm and it has to be integrated for a business solution. Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 3 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference John Thompson - Symantec Corporation Chairman and CEO Thank you, Jon. Let me introduce our next speaker, who I failed to introduce as I was going down the line. I apologize. Hes Richard Jackson, the chief information protection officer for ChevronTexaco. Richard, welcome. Richard Jackson - ChevronTexaco Chief Information Protection Officer Good morning or good afternoon, whichever time zone you happen to be in. Let me give you a little bit of information about the scope of ChevronTexaco first, and then Id like to talk about something we call digital intensity. Weve got 52,000 employees who are out there in over 175 countries. We sight over 10 million credit card customers throughout the world. From an IT perspective, we have over 40,000 desktops in use. We have over 8,000 laptops, over 750 LINUX and UNIX servers. And we support about 1,800 locations, including 1 or 2 sales reps running around parts of Asia and Africa with a laptop and an Internet link back to the network. Thats complexity. And thats also indicative of a lot of data that we collect and store and manage. ChevronTexaco operates throughout the value chain of the oil and gas industry. We explore, produce, ship, refine, market products on a daily basis. Let me give you some indication of what the role of the storage and information is in this value chain. At any given time, weve got about 50, 3-dimensional (indiscernible) in place, generating over 350 terabytes of data that gets stored. We have 100 simulation models in effect, generating over 10 terabytes of information. A large oil field will have over 1,000 input-output measurement points. Our data strength can be 10 gigabytes per day per offshore field fields. Our large refinery has over 30,000 instrumentation input and output points and you know its over a terabyte a year of process data. Im going to look at the value share a little bit more here. Our enterprise systems we have over 4 million commercial transactions per day handled by our ERP systems all of generates data thats stored and managed. Over 1 million e-mail transactions per day, excluding a lot of the spam that we filter out. Our internal network traffic is now at a terabyte a day. Relatively speaking, we saw about 500 terabytes of data stored currently throughout the world. Managing that data, securing that data, accessing that data is critical to our operation and our livelihood. So, the challenge that we see ahead of us is that, with this kind of storage, you have to be able to find what you need when you need it, which is availability. You have to be able to trust what you find and when you use it, which is integrity. And you have to manage control of who has access to it once you collect it and store it. And you also have to keep what you need so that you have it when you need it, which is a compliance issue. And you have to do all of this at an affordable cost. So, whats really important, from my perspective, safe reliable operations, we have to operating safely, not only from a security standpoint, but from a personnel and environment perspective. We have to maintain the integrity of the data. It has to be protected from unauthorized access, confidentiality has to be maintained and it cannot be altered. Decision quality is critical in our industry. When we make a decision, we make an investment, we live with it for 30 years. We cannot rip out an oil field or an oil platform. We have to live with it. The decision quality is critical, so the integrity of the data is paramount for us. Managing the lifecycle of information. We have to make good decisions on what data to collect, but once weve done that, we have to store and retain it. And we have to be able to find it. I spend a lot of time looki ng for files on my hard drive. Maybe Im unique in that capacity, but I suppose that some of you have the same problem that I have, which is finding what I need when I need it and finding the right version of what I have. Cost control critical for us. We have to maintain tigher control on costs. So, let me leave you with a couple of parting thoughts. Our focus on cost control and optimizing the value chain drives our decisions on our business partners in many ways. Included are companies offering integrated solutions with a global support capabilities that align with and improve our business processes are what I look for. This is important to controlling costs because point solutions can be very costly. I personally look for companies with a great management team, a good track record and strong financials that transforms itself periodically, the lawyers remain relevant to the marketplace and a better sort of customers as well as its investors. Symantec certainly fit that description, so Im very much looking forward to seeing their strategies around the Veritas acquisition and what they bring to the table for the marketplace. Thank you. John Thompson - Symantec Corporation Chairman and CEO Thank you very much, Richard. Now, lets move onto Tom Tom Jones. Tom Jones - State of California Department of Health and Human Services Hi. I represent the public sector version of this panel and we are not immune, believe me, even back in the days when all we had was a mainframe to rack up, we were still a little bit vulnerable. But one of the things I want to position you with is the size of the data center that we have at Health and Human Services. Its got about 150,000 customers. It has 2,500 routers. It has it represents 70 major departments that fall primarily, obviously, within the Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 4 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference Health and Human Services. So, our protection requirements are focused, as you might imagine, towards the HIPAA regulations because we deal with a lot of electronic personal health information. And protecting that its about 300 terabytes worth of data that we have. And its very, very difficult. Its very weve tried many, many different kind of tacks on how we were going to protect the data. We felt that it was important for us to deal from the perimeter and work our way in and I think that thats the wrong strategy. I think that we revisited now that the members of our, basically, security advisory counsel have said that its probably more appropriate that we take a different view. Of course, if you listen to Bill, all we have to do is wait a couple more months and it sounds like all our problems are going to be solved anyway. But I think we probably are not going to look to the culprit for the solution, as least for awhile. Okay? So, that doesnt necessarily mean that Im anti-Microsoft product. Dont get me wrong. But I know that most of our problems seem to come from Microsoft attack exploits. One of the things that I think weve done is that weve moved away from scan and permit technology, especially in the area of IDSs to more proactive scan and lock. Its been around in AV forever. Its been around in firewalls forever. And what weve decided to do is, at least at the perimeter and at various touch points within our network again, a very, very robust network its 2,500 sites. All Cisco-powered, by the way. Is to actually place IPSs in line where we can actually do the best for our customers. Were working our way back from mission-critical servers all the way back to the perimeter and putting in that defensive depth strategy. One of the things that is particularly problematic for us, obviously, is because of HIPAA compliance issues is how you deal with secure transport. Obviously, in your Web applications, you have SSL opportunities, legacy applications that are using Passport and tools like that and have plug-ins that will actually give you either IPSec or SSL or AES type encryption, but also when youre dealing with the applications themselves, were finding that most of the developers who are contractors, who may not even be around anymore, probably did not such a good job. Were using tools now to be able to scan those applications, determine if theyre vulnerable for buffer overflows or crossite (ph) scripting or Tipo (ph) injections or broken wings and things like that and were finding, to our actually that its not as good as we had hoped. And so that means that theres a lot of reengineering on some of the applications that have actually been out there and could have been exploited over time. Were finding also that we need to have some kind of secure email. Mission critical services include email now. And so weve got to look for someone whos going to be able to provide some way of being able to protect electronic protected health information as its processed through email. Were looking at various point solutions. We think that Symantec actually has got a really killer solution when you match that Brightmail product that Richard just talked about or John just talked about with Voltage. Were really excited about that relationship and see if we cant actually provide it as a service offering to our customers. The data center itself gets hit with about 2.2 million attack signatures a month. And that seems like and were pretty successful at blocking them. Weve got a very, very committed security advisory council, weve got a very, very committed security operations group and so were v ery passionate about this stuff. And one of the things that Id hope that in fact I could take exception with John on is the fact that maybe there is a silver bullet out there; maybe there is a single vendor solution. We had it when we deployed point solutions. We ended up with theyre not integrated to the degree that we need, theyre not scalable to the degree that we need, they more interface than integrate, user interface, system administration, a lot of these things become issues for us. Were hoping that in fact someone does emerge as the winner and were very hopeful in that area. But one of the things I think is extremely important is that a couple of years ago I started coming to these shows and I used to ask the vendors, Listen, I got a problem because I provide extreme amount of VPN and ROV access. How can I block an infected asset from getting into my network and, at my direction, either let him in or not. And most of the vendors were saying, Oh, we can do that or We should be able to do that or No ones ever asked that. And so the key issue was for me not Slammer, it was Blaster because if you remember when Blaster came out now, you actually could have all the patches in place and still have an infected device. And so what I was trying to say is since we have a lot of ROC and laptop users that are hitting our networks, how do I keep this guy out? Now we have solutions where before all we were getting was vendor lip service. And I think thats good, thats a trend. We see that. But I can tell you right now, also my personal experience, spyware is right now its on the hype cycle, it is still hot. I took a completely naked machine yesterday, this is absolutely not the machine had never been on the Internet at all, it had been patched, it was current, we had 3 versions of spyware on there; 2 were real-time, 1 was the beta version of Mr. Gates product. And I got on there, went to 5 Websites, simply did copies of some JPEGs for a valentine that I was building, just little kitty cats, and when I got done I had 179 critical objects on the machine and 2 viruses and 1 Trojan. Now you figure that out. Were still not there yet. Anyway, thats where I think we need to throw our energy because thats the thing thats killing us. Not only is it going to kill everybody in this room, its going to kill everybody out there, too. Anyway, thank you very much for your time. John Thompson - Symantec Corporation Chairman and CEO Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 5 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference Well, few businesses are more information intensive than ChoicePoint and here from ChoicePoint is an old friend, Rich Baich. Youre up. Rich Baich - ChoicePoint Chief Information Security Officer Thanks, John. Im going to take a little different approach. Let me take you back. If you go back to the 90s and you think about kind of the whole evolution of how the Internet and businesses have taken off, youll quickly remember it was routers and switches and it moved to a network management system. And I think security is in the same transformational mode that network management was in the 90s. Now that were here in the 2000s, you go back, in 98, 99, security began to hit the headlines, firewalls, couple of years later, IDS, antivirus was thrown in there, the marketplace continues to emerge, youve got intrusion prevention, anomaly detection, security event management, all these different point solutions. And when you look at the life cycle of security, eventually it all has to come down to some type of managed system. And the management of that system is geared towards business operations. And the key point that I want to make today is it is not security, its a business enablement. During the keynote, several people talked about many phrases, business survivability, technology adversity business, its a very true battle. Out there among the executive ranks right now, one of the most difficult things is to be a leader, to be a change agent, to be a pioneer because were working off a system that was established off of a CIO who came to light in the early 90s, then a CTO and now you have a CISO. Is CISO the right title? I think John did a great job of comparing the different names that are out there from security officer to risk management officer. Heck, it could be a compliancy officer as far as it goes. But the critical point is leadership. In the organization, positioning the security as a service enabler, as a business enabler is key. Theres still a little bit of confusion when I actually talk about it being an infrastructure ploy. Whether its infrastructure or not, it doesnt really matter. The key point is that an individual that has that responsibility, they have to stay focused on whats the value they bring to the organization. And that value is business enablement, enablement being defined as availability, enablement being defined as integrity of data or confidentiality. Regardless of the industry, theres a dependence on the Internet and that Internet somehow, some way, is taking information from each and every organization, whether its email or whether its database pulls, whether its applications that perform analytics, but the key thing is that as leaders, we have to focus on making sure that availability is there. We have to change the way we talk. So many times you hear people talk about were going to do a project. Its not a project; its a business process. In general, I talk about security as 60% is process, 30% is people and only 10% is technology. The technology needs to come after the process has been defined and the people have been identified to ensure the survivability of it. So if you look at the way the marketplace is maturing, and I have to give Symantec kudos, availability is an important facet. If you look at the holistic approach to security, you have an asset. You have to know what it is. Once you understand that asset, you have to label it. And theres lots of different ways you can label it and well just make it simple and well say critical versus non-critical. From there you can then correlate a risk, what security posture do I need, what availability posture do I need, how important is the confidentiality and integrity of that inf ormation. And then from there you define a process and you choose a technology to mitigate the risks. But if you dont know the if you dont know what the asset is and you havent taken the time to label it through a data classification program, classification program, then youre just spending money without thinking through the issue. And how do you come to that conclusion? It has to be a business decision. As a chief information security officer, I cannot stay in my office and make decisions; I have to go out to the business leaders to make sure I understand their business and let them understand the compliancy issues to the business that might relate back to the different regulations that are out there. Immediate response would be were not regulated. Well, were not regulated potentially, but our partners are regulated. So those regulations will filter down to us. Just because youre not a financial institution, if you do business with a financial institution, you basically fall on the GLBA because thats going to be a requirement to do business with them. So I think we have to look at how were describing what were doing. And in general, this is all movement towards a risk model. Whether you want to call it operational risk, compliancy or just risk in general, the reality of it is risk is a business decision. Most organizations, if you mention whos the chief risk officer, who does risk management, you end up finding out it has to do with insurance or financial derivatives. So we have a language that we have to change. But the reality of it is what value that we bring as security executives to an organization deals with mitigating risks and ensuring that the risks meet customer demand. And those customer demands have a security profile, an availability profile and a requirement when it comes to confidentiality and integrity. So the intertwining of privacy, availability and security is really the same language, just different terms. And its going to take ambitious change agent leaders to try to get that across. And one of our biggest problems is that corporate infrastructure and how do we translate that. So John, I want to say thanks and hopefully youll carry that thought forward and help us get the respect, the empowerment that we need to transform security from a technology integration solution to a business enabler through risk mitigation. John Thompson - Symantec Corporation Chairman and CEO Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 6 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference Thanks very much, Rich. Our last speaker certainly does represent an information intensive business. Its Reuters. And so Malcolm Kelly, welcome. Malcolm Kelly - Reuters Global IT Security Director Thanks, John. You have heard that information really is the lifeblood of most organizations but none more so than Reuters. We are an information company and we recognize the importance we play in providing accurate and timely news to the world. We always have journalists and photographers all over the world, major world events, major news events. And I havent bumped into any yet, but I wouldnt be surprised if there were a couple hanging around RSA 2005. Were well known as a media news organization. Most of our revenue actually comes from financial services organizations. Again, we provide all sorts of systems and data to investment banks, insurance companies, and that data, too, has to be accurate and it has to be available when they need to use it. It has to be available. Indeed, many of the worlds leading financial services organizations have built their own systems which rely on market data feeds from Reuters and other market data providers as well. And so those systems really at the heart of their business have to be available. Youve also already heard today about some of the regulatory requirements organizations face. Indeed, financial services organizations in particular also have to (inaudible) their supplies. Richard just mentioned it. But as an integral part of some of their systems then, that regulation compliance feeds down into the systems and the market data feeds that we provide these clients. So weve an important role in playing in their organizations and demonstrating the compliance of their systems. Now information security professionals always worried about the confidentiality, integrity and availability of information as the famous CIA acronym. However, these disciplines have usually resided in different parts of an organization using different processes, different products, different source set. And the focus today within Reuters is on service. Service is our number 1 priority. But we also recognize that we need to have secure information feeds (ph), maintaining the right level of security. Too much security is just as bad as too little. So it is trying to achieve that balance between availability and between integrity. I strongly believe there is a place for suppliers (ph) to the information security industry to bring these aspects together, certainly the strategy Symantec progressing now is moving down that path and really interested in that. Its key for us at the moment in Reuters about service, about availability, but in also ensuring integrity. And in certain cases the confidentiality aspects around privacy, et cetera. Being able to deal with any of the threats to information that may materialize and its not necessarily viruses and worms, its also hardware failure, its also acts of God . Being able to deal with invasion of privacy in a manner that maintains a resilient service is key to the best in the future for all of us. I know our clients expect that of us, so we in turn expect that of our suppliers. Thank you. Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 7 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference QUESTION AND ANSWER John Thompson - Symantec Corporation Chairman and CEO Thank you very much to all of the panelists. This is now your opportunity to ask questions of all of us here on the panel. And there are microphones that are around the room, so if you raise your hand someone will heres one. Carrie Kirby San Francisco Chronicle I apologize if you went over this before I entered the room, but was wondering what your reaction was to Microsofts announcement this morning that their antivirus product will be coming out this year and that theyre going to be giving away spyware for free. And also I was wondering... John Thompson - Symantec Corporation Chairman and CEO Theres no new news there. Carrie Kirby San Francisco Chronicle Right, did you know when? John Thompson - Symantec Corporation Chairman and CEO Weve all been saying this year some time. Actually its now later than we thought, so it shows you how difficult this challenge is. So the fact that theyre going to have something late in the year as opposed to midyear as we had originally forecasted suggests that this is not a problem thats easily solved. Carrie Kirby, San Francisco Chronicle Did the prospect of this have anything to do with your decision to diversify Symantec? John Thompson - Symantec Corporation Chairman and CEO Not at all. We had been on a path as a company to be a bigger player in the enterprise security space for a long time, in the enterprise software space for a long time. And so I could care less about what Microsoft does. Im more focused on what our customers needs are and how we can do a better job of serving them. Curtis Schauger CIBC This question is more geared towards the customers up here. It would seem that those models proposed by Symantec, the power of it is addressing diversity, particularly as we think of the battle between Linux and Microsoft and its dominance the server and client landscape. How much value do you put on enabling diversity across your platforms and still maintaining availability and security? And does that balance of power in terms of a vertically integrated vendor offering the entire stack completely, they could make it available, but is there inherent weaknesses of doing that and when does the balance or is the balance going to shift. How do you grow diversity for diversitys sake? Tom JonesState of CaliforniaDepartment of Health and Human Services Can I get that one? Unidentified Speaker Sure thats fine. Tom JonesState of CaliforniaDepartment of Health and Human Services Ill give you a quick in fact, we went through this last March. Were a full-service data service data center, AFPISV (ph), to a lot of customers, and we dont just use Microsoft in our shop. And so, when we are going out and looking at an enterprise tool that had, basically, a central console, it had the ability to take feeds from all of your intrusion systems, your firewalls, your center live (ph), et cetera, be able to integrate or interface to an org management, a threat management system, to be able to ultimately drive work for patch management and deployment it couldnt distinctly just be Microsoft. For us, it wouldnt work. We could SMS for that. We didnt pick SMS, and in fact what we did is we invited actually Symantec which was late in the game because of their acquisitions of On-Technology to participate in a bake-off of tools that were enterprise driven to able to allow (ph) heterogeneous patch management and work and drive work effectively, and w ere talking about anything that we have on any platform. Symantec is always going to be a part of that for sure, but we actually brought in several other vendors that did that and excluded vendors that only did for archaic (ph), and we ended up with a better product I think. Its going to be scalable, and its going to take us into that 21st century service delivery model that we really need to do. Linux is a part of that, and we see that coming. Microsoft will always be a part of that. New open source that we dont even know about yet will be a part of that. Got mainframe issues, AIX issues, UX issues, Solaris issues we all have that. So, it couldnt be simply a solution that was just targeted using SMS as the baseline for it. Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 8 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference David Bank - Wall Street Journal Steve Bank (ph) with the Wall Street Journal. John, do you think the link between security and availability is the rationale for the Veritas deal, and the panelists here and others seem to buy that argument. The stock market rewarded that as well though, and I think you said that the initial deals would all come back and I think later you said you were surprised, the haircut (ph) youve taken. John Thompson Symantec Corporation Chairman and CEO Im not allowed to use those terms anymore. (LAUGHTER) David Bank Wall Street Journal Are you still surprised? And what is the market missing or what does the market know that youre missing? John Thompson - Symantec Corporation Chairman and CEO Well, I think thats a better question for this crowd than for me. We are determined to get this done. There is no backing down. This is by far the most profound thing that our company can do to serve the needs of our customers. And so, regardless of how the equity markets respond to the transaction, were moving ahead because its the right thing for the technology category that we are part of. Now that being said, most investors have some difficulty dealing with change particularly when the change is as monumental as they perceive this change is and, hence, they respond as they have with Symantec. But in the past when other companies, and we, have made changes in our strategy to address a broader range of opportunities theres been the haircut (ph) as you called it, not me, that has occurred in the equity markets and it has come back, and I firmly believe that that will happen here that as we successfully integrate Veritas into our company, you will see the light and the representation or value of the equity will respond correspondingly. Tim Klasell Thomas Weisel Partners question for the customers as well. You all, sort of, spoke to the vision of the integrity of the process in how, maybe, Symantecs working (ph) with Veritas may be able to create. Inside of your organization, are you organizing your people like that? Do you think youll start making purchase decisions around this, or will we still for some time see the security guy and in the data center, the storage and backup guy? Malcolm Kelly Reuters Global IT Security Director Ill just respond to that. Im responsible for operational security sources within the bigger operations department that provides services. Were actually organizing now to bring that together as part of a risk and control department looking at the whole aspect of risk and control within operations, so that will include power supplies and data sensors and availability issues across the whole spectrum. So were certainly bringing it all together. Rich Baich ChoicePoint Chief Information Security Officer If I could add to it, I mean were not talking about anything new. This is business continuity planning. So if it comes down to how as an organization approaching security in my particular organization I also had DRBCP, so I welcome the opportunity to operate and, kind of, focus the efforts around that much more because if not. I had another whole organization that I have to go across to go through collaboration to get it done. So I think this will actually help put it availabiltiy as part of the purchase process of some organizations where it may not already be. Unidentified Speaker Richard Jackson ChevronTexaco Chief Information Protection Officer Id like to address that also. We are also integrating our information risk components into a single entity, and the strategy is to try to influence the procurement process. I think its critical because typically when youre out procuring products and services, the focus is on functionality, performance, and security becomes an afterthought. So were going to try to inject risk into the selection process early on. Jon Oltsik Enterprise Strategy Group Senior Analyst, Information Security The gentlemen from the Wall Street Journal asked before about that action. As I said before, I talked to full constituencies. Usually, this is not a big surprise. This does make intuitive sense, and even, say, companies with functional barriers of, say, a networking group, a storage group, a security group theyre still working vertically on business processes so its an application environment, business process, its reducing business risk. So theyre looking at Symantec and saying okay I get it, but let me see what happens versus the Wall Street guys who are acting very tactically may not understand all the Veritas products, may not understand all the Symantec products. So, what youre hearing from the users is really, kind of, everyday logic in their world. Garrett Bekker Tradition Asiel Securities |
Sort of falling under the same theme that last question, basically, what I was trying to get it I was wondering, maybe, if there have been any changes in the purchasing decision that are made, the way you view purchasing decisions from either the security or storage Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 9 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference side, if there is any change, what has been driving that? Is it compliance? Rich Baich ChoicePoint Chief Information Security Officer Ill take, I guess, first digs at that. It comes down to business continuity planning. I think its being driven by customers, partners, and potentially future regulations that organizations have to ensure that they have a survivability plan in place. Its one of the most difficult things to do in an organization, and the market is maturing. The customers are getting I wont say smarter but more demanding. As a result of that, youre seeing much more, I should say, service level agreements, and consequently organizations now I can speak to my own as well as colleagues Ive talked to out there theyre putting security as part of the acquisition process and actually I can take it a little bit further. Post 9-11 commission has been, I think, an amendment to (inaudible) The Clinger-Cohen Act in the government which actually requires information security to be part of all acquisitions. So, I think in general people have recognized the importance, but its a change in process that has to happen. Tom JonesState of CaliforniaDepartment of Health and Human Services One of the things that Ive noticed is that theres a lot of uncertainty right now in how you spend your dollars. In the government, obviously, they have to do more with less. Everybodys familiar with California State government issues, but one of the things that is very difficult for us is some of the maturing that Richard just talked about is creating confusion on how to spend your dollars wisely because youre seeing, for example, a convergence of a lot of functionality either into that - maybe you already have solutions for and you dont want to duplicate. In other words, you want to really be able to buy right. You want to buy properly integrated systems, or if youre going to walk away from technology make sure that youve got the right kind of replacement technology and theres a lot of evaluations that are going on, and frankly some of the vendors are actually doing some market control by announcing stuff thats really vaporware (ph) right now. And Im not going to mention anybody, but thats a problem for us because if youre already kind of connected with one vendor and youre looking this way, and theres a product coming, you might have a tendency not to buy and then youve got risk because youve got vulnerability you cant protect against. So from our perspective, its very, very an issue, its a huge issue on how we buy. Richard Jackson ChevronTexaco Chief Information Protection Officer Our processes are being driven by, I think, three factors Business Process Enablement, which is indicative of the recognition of having certain process in place, you need to have risk understood and managed. Second issue is compliance. A lot of the regulations are beginning to impact us in a significant fashion and we have to actually comply with all of those laws and regulations. But clearly, theres costs because if they dont do it right the first time, eventually I find out about it and theyve got to redo it over again, and thats a cost factor and we cant afford to pay duplicate costs. Joe Menn The LA Times Hi. This is for Mr. Thomson and I apologize for harping on this as somebody said weve seen some of these movies before. Youre doing a lot more with spyware, anti-spyware products there were just press releases so apparently is Microsoft. Yours arent free. Theres is. Youre not a monopoly, they are. Has there been any... John Thompson - Symantec Corporation Chairman and CEO I wish I was. (LAUGHTER) Joe Menn The LA Times ... any internal consideration of pointing out any anti-trust issues to the EU... John Thompson - Symantec Corporation Chairman and CEO Id rather fight Microsoft in the marketplace because were convinced we can whip them. So this is not about showing up in Washington or whining on someones doorstep about what Microsoft can or might do. To the extent that they violate the position of prominence that they have, well be watching, but whining in Washington about press releases or pointing to left field by Bill and his team, I mean, of what value is that? Riva Richmond Dow Jones Reva from Bajon. This is a follow-up actually, this question. Since Microsoft is going to offer some level of viral protection for free John Thompson - Symantec Corporation Chairman and CEO You get what you pay for. Remember that. Riva Richmond Dow Jones Well, whats that going to do to the spyware market at least for the consumer? For the panel, to what degree does that begin to address this issue for you, or is it not enough? Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 10 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference John Thompson - Symantec Corporation Chairman and CEO Ill defer to the customers. Tom Jones State of California Department of Health and Human Services I told you yesterday I was just trying to build a Valentines Card for a friend of mine and I did nothing innocuous, and I had two active real time pest spyware agents running and another one that were all familiar with Ad-Aware running, and all I did was to right-click copies and I told you that you know if it could happen to me behind my firewall, behind my protection systems knowing full well what Im doing imagine what is happening every single day to consumers. Obviously, were jabbed about the possibility of getting integrated spyware prevention. Ive been trying to find out where Symantec and CA and everybody else is going in terms of their real time protection because thats where I think the real value is. This after-the-fact scanning, thats cool. Ive been scanning my machines for over a year using these SpyBot and Ad-Aware tools every night, and I continually find stuff everyday and I dont go to sites that are problematic. I simply went to Google search for Turkish Angora, American Standard, and Pento Max right-mouse click each of those and put them onto a card, said Happy Valentines Day, sent it off, looked at my machine - 179 critical objects. This is a problem, okay, so weve got to get some solutions. I know we dont want to talk about packaging in terms of tools but it is a lot of people would say, wow this is really cool and it is real cool, but one of the tools that I had up running was Microsofts basically anti-spyware beta one. It didnt get the things that it said it should have gotten, okay. Rich Baich ChoicePoint Chief Information Security Officer I just want to make sure one thing. I know 9-0 Enterprise (ph) has anti-spyware in it, and I think 10-0 (ph) is going to have an industrial (ph) grade, so Im confused that the next Symantec includes it in their product for free. John Thompson - Symantec Corporation Chairman and CEO Our view of the market has gotten good. The spyware market has a temporal financial value. In other words, theres a moment in time when certain portions of the market will, in fact, be willing to pay incrementally for advanced protection and removal capability. And since we are a for-profit software company, it is our intent to look for the opportunity to seize on that temporal moment in time. However, as time moves on, its clear that large enterprise buyers, for sure, and to a lesser extent in the early timeframe, consumers and small business owners will not be willing to pay for that level of capability. They will expect that to be dealt with in malicious (ph) or Malware detection. So our strategy has been to incorporate detection capability, and spyware detection capability has always or not always but certainly in the current version of the NAV product has been there what were doing in the Almagen release, which is the internal code name, is giving you advanced detection capability and removal capability for a broader range of threats. Its in there. Its not about going now and saying youve got to pay me a little bit more. Admittedly, if theres a sales person out there that wont try to get a little bit more for it, I want to know his or her name. Jeff Englander Kaufman Brothers Analyst Jeff Englander from Kaufman Brothers. The dismissal Carly Fiorina from Hewlett Packard has been - John Thompson - Symantec Corporation Chairman and CEO What does that have to do with this? (LAUGHTER) Jeff Englander - Kaufman Brothers Analyst I like the risk of big mergers. Can you differentiate for us this merger and your experience, any lessons you may have learned there? And to the customers, what you would like to see with Veritas (ph) as the merger proceeds forward to avoid any similar mistakes moving forward? John Thompson - Symantec Corporation Chairman and CEO I cant speak for what HP did, but I can speak for my experience both at IBM and at Symantec. And Ill preface this with saying, Gary Bloom and I in our roles as CEOs have done almost 30 transactions. So its not like we are novices or neophytes at this notion of acquiring and integrating companies and, more importantly, their people into our organizations. The two things that are critical in every transaction first, the speed of decision making. Make sure that you have issues that are brought forward that are fact-based and you are prepared to make decisions right then. And part of the reason we chose to, this time, unlike all of the other transactions weve done, we chose to engage outside consultants to help us because it will remove or eliminate some of the emotion from the rendering of facts, hence making decisions a heck of a lot easier. Second point is the broad and repetitive nature of the communications process that has to go on, and clearly when the organizations are going to amass roughly 6,500 people from one company and 7200 or 7300 from another company, there is an enormous communications task. Not just internally but externally as well. And so, speed of decision making and clarity of communications are the most important things for us to make sure we get done right if were going to be successful in this process, Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 11 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |
Final Transcript SYMC Symantec at RSA 2005 Conference and I am convinced that we will be, independent of what happened at HP; I dont know much about that. John Thompson - Symantec Corporation Chairman and CEO Well take one more and wrap it up. Ok. (PAUSE) Alright, well, look, thank you very much. First, let me thank the customers for sharing their point of view. We value not only their confidence in our company but their willingness to speak out about their view of how the industry will evolve, and I appreciate your interest in what were doing and how were going to make Symantec a success. Thank you very much. DISCLAIMER Thomson Financial reserves the right to make changes to documents, content, or other information on this web site without obligation to notify any person of such changes. In the conference calls upon which Event Transcripts are based, companies may make projections or other forward-looking statements regarding a variety of items. Such forward-looking statements are based upon current expectations and involve risks and uncertainties. Actual results may differ materially from those stated in any forward-looking statement based on a number of important factors and risks, which are more specifically identified in the companies most recent SEC filings. Although the companies may indicate and believe that the assumptions underlying the forward-looking statements are reasonable, any of the assumptions could prove inaccurate or incorrect and, therefore, there can be no assurance that the results contemplated in the forward-looking statements will be realized. THE INFORMATION CONTAINED IN EVENT TRANSCRIPTS IS A TEXTUAL REPRESENTATION OF THE APPLICABLE COMPANYS CONFERENCE CALL AND WHILE EFFORTS ARE MADE TO PROVIDE AN ACCURATE TRANSCRIPTION, THERE MAY BE MATERIAL ERRORS, OMISSIONS, OR INACCURACIES IN THE REPORTING OF THE SUBSTANCE OF THE CONFERENCE CALLS. IN NO WAY DOES THOMSON FINANCIAL OR THE APPLICABLE COMPANY OR THE APPLICABLE COMPANY ASSUME ANY RESPONSIBILITY FOR ANY INVESTMENT OR OTHER DECISIONS MADE BASED UPON THE INFORMATION PROVIDED ON THIS WEB SITE OR IN ANY EVENT TRANSCRIPT. USERS ARE ADVISED TO REVIEW THE APPLICABLE COMPANYS CONFERENCE CALL ITSELF AND THE APPLICABLE COMPANYS SEC FILINGS BEFORE MAKING ANY INVESTMENT OR OTHER DECISIONS. © 2005, Thomson StreetEvents All Rights Reserved. Thomson StreetEvents streetevents@thomson.com 617.603.7900 www.streetevents.com 12 © 2005 Thomson Financial. Republished with permission. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written consent of Thomson Financial. |