CEO Spotlight: Tom Noonan, Internet Security Systems
By Angel Mehta, Managing Director, Sterling-Hoffman Management Consultants
While most software companies continue to struggle, enterprise security is one of the few sectors left that continues to expand - and red hot Internet Security Systems (ISS) is leading the charge. Angel Mehta, Managing Director at Sterling-Hoffman, talks to CEO Tom Noonan about growth strategy, an entrepreneur's Christmas, and the emergence (finally) of enterprise security as a mission critical priority.
Angel Mehta: I was at a conference earlier this year and the consensus amongst investors seemed to be that security is and will be the hottest software segment for a couple of years. ISS is clearly one of the trailblazers…so if you could identify three things that you need to make happen….three challenges to meet in the next six months… what would they be?
Tom Noonan: Key challenges right now within my control or outside my control? Because I would probably look at this in two dimensions. Of course, there are those things that are subject to market risk which quite frankly none of us control but we all worry about a lot anyway. And then you have those things associated with operational risks. I prefer to focus on the latter - the operational side.
Angel Mehta: Let's start there. I think most people have heard enough about the war and accounting scandals at this point. [Laughing]
Tom Noonan: Agreed. So on the operational side…number one is what I would call our 'solutions strategy' which is the development and delivery of our next generation dynamic threat protection system. It has been under development here for a number of years. I think it represents a core supplanting technology in the industry…meaning that it will operate in a way that will minimize the dependence on legacy security technology in corporations, business and governments around the world. I would say that is one of our top priorities right now as those systems will begin coming to market this year.
Number two is 'activity associated with marketing expansion'. The new platform is creating additional market opportunity for us. Traditionally, we've served the larger more 'security-elite' corporations who have extraordinary security requirements both in terms of efficiency and flexibility….but this new generation of dynamic threat protection systems will actually make world-class security available to the masses.
The packaging, the pricing, the promotion and the placement, which is the market expansion piece of this, are causing the company to undergo a metamorphosis in our distribution channels, programs and plans as well as our overall go-to-market strategy.
Think about it: today, we are serving 11,000 enterprise customers…but with this new generation of products, we believe the opportunity increases to hundreds of thousands of businesses - smaller ones from say a couple of thousand employees up to ten thousand employees - that quite frankly have been overlooked. They've been largely untouched by the security marketplace. That's a huge gap.
Angel Mehta: So let me ask you... Gartner predicted earlier this year or late Q4 2002 that growth in security space is probably going to slow down. Has that been ISS' experience so far this year?
Tom Noonan: That has not been our experience; however, I think growth in all technology markets has slowed from the blinding pace of '95 to 2000.
Angel Mehta: Of course...
Tom Noonan: So I would acknowledge it from that perspective - but you know, security is a very, very broad term. It's a maturing marketplace for the legacy products that have been with us since the days that preceded Internet technologies like standalone firewalls, standalone anti-virus systems, etc. But those are giving way to new dynamic and integrated protection systems like this dynamic threat protection technology and system that we are introducing.
So I think you are going to see a slowing in the traditional security products that were developed as single threat-oriented-type technology.
Angel Mehta: You mean like anti-virus?
Tom Noonan: Exactly. These were designed to stop a virus but not a Trojan or a worm or a remote control device or a pest or a back door.
The other would be a firewall…they're probably the most prevalent security platform that exists on a distributed network; however, architecturally these systems were designed long before things like peer-to-peer communications…before even the Web was around and so most security breaches compromise the Web protocol and the e-mail protocol. Every firewall and every corporate network lets HTTP or Web traffic in and out and it lets e-mail in and out. So what the bad guys do is exploit the underlying technology as a weakness. So yes, I think you'll see a slowing in the traditional technologies and a displacement market evolve for systems that deal with today's threat as opposed to yesterday's problem.
Angel Mehta: Let's go back a few years. How did you get to know Klaus (founder of ISS)? Tell me about that original partnership…what is it that you saw early that made you ditch Dunn & Bradstreet for a start-up? This was before startups became the in-thing, right?
Tom Noonan: Well, the early meetings with Klaus and I did not take place in person. - it was in cyberspace. At the time, at D&B, one of the great fears was that the Internet was going to make D&B's business model obsolete. D&B, of course, at the time was known as the world's leading information company and the promise of the Internet in those early days was free and ubiquitous information. So if you were an information company that had cornered the market on selling and managing proprietary information that no one else had access to…well, that was a threatening promise.
Angel Mehta: Right.
Tom Noonan: So in researching that for D&B, one of things that became very very clear to me was that one of the fundamental challenges to using the Internet to automate business commerce was the very fact that it was designed originally and manifestly to be open and easy to access - and so you had this conundrum. Business could utilize the Internet but it would be insecure and, therefore, problematic.
I actually met Klaus by reviewing some of his on-line posts on security bulletin boards about vulnerabilities in internet-worked UNIX systems. I know that he was coming from a Georgia Tech domain which is my alma mater…and I was living in New York during the week but then returning to Atlanta on the weekends. So we arranged a meeting. There was nothing specific in mind other than to talk about this 'Internet' thing.
Angel Mehta: And yet he got you to max out your credit card to fund the thing?!
Tom Noonan: Right (Laughs). This isn't entirely well known, but there was a matrimony of sorts between two very different backgrounds. Klaus, without question, was the security expert and remains the security expert in the partnership. My background out of Georgia Tech was automatic, real-time control systems. I spent the first eight years of my professional life designing and implementing computer control systems for everything from weapons delivery systems to nuclear power plants and everything in between. The thought occurred to us in those early meetings that we could build an automatic control system for threats - something that would detect, analyze and prevent a threat dynamically and intelligently. That was a quantum thought forward for security which, at the time, was static and policy-based. It was not intelligent or dynamic meaning you had a firewall, you set the policy, let Web traffic through, let mail traffic through, let FTP through and the presumption was that all traffic coming through those ports will be good and the ports that we block will keep the bad people out.
But our premise was, it won't take long for people to start exploiting systems and the more open the network gets vis-à-vis letting people through, you will not have an intelligent way to discern between good and bad - much less have the ability to actually prevent that activity from happening in the execution cycle of the threat.
Angel Mehta: What exactly does that mean? [Laughing]
Tom Noonan: Put it this way…anyone can go back and review a firewall log and say, "Yeah here it is. Last month this connection was made and it was that connection that was the bad connection." What we wanted to do was build a system that would operate in the millisecond it takes to actually COMPROMISE the system - and then detect it, analyze it and prevent it within that timeframe. So that's the vision for what we continue to pursue today. In fact, the first phase of these dynamic threat protection systems that we're delivering this year are really to me the first manifestation of that vision… 8 years later.
Angel Mehta: I always love comparing past plans or expectations to present reality. Did you expect ISS would be a $243m company in less than 10 years?
Tom Noonan: I did not. In fact, I don't know what we thought at the time…(Laughing). I mean, I know what we thought in terms of the technology and the opportunity but as to what we viewed as reasonable growth, I have no idea. I mean, I still have the original business plan that showed us in 2004 being a $100 million dollar company. So we beat that target…that much I know.
Angel Mehta: I remember reading a marketing tenet in a bubble-era magazine that went something like, "You can either convince a customer that he's got a disease and sell him a cure or sell him a cure for a disease that he already knows he has". Early stage ventures in the bubble seemed to be all about the former…and historically, it seemed liked security was only a priority to any given buyer after a breach. Has the market finally crossed over yet to the tipping point where they actually view security as a 'need to have' before the breach actually occurs?
Tom Noonan: I honestly believe we're at that crossover point right now. And you know what else? I honestly believe that September 11th was the seed of that crossover point.
Angel Mehta: Makes sense...
Tom Noonan: Sept. 11 brought western awareness regarding the issues of security to a frightening crescendo. You know westerners thought they were safe. Europeans thought that security ended at the borders of the EU …and what we realized was security and insecurity had become globalized almost overnight. Most 'buying' behavior is emotional anyway. There's an interesting off-shoot to this, Angel, that when I retire someday I am going to go back and analyze it and figure out why…
(Angel laughs) You know, I've gone to engineering school and I've gone to business school so I'm probably overeducated from a school perspective - but one of the things that I have promoted quite passionately is that companies attempting to do ROI studies on standalone protection systems are wasting their time. Security should be viewed from a total cost of ownership perspective. The guys looking at ROI are not convinced that they need security and they're saying, "Should I invest in security? What type of return is it going to deliver to my shareholder?" And the only thing you can do is deal with statistical evidence in the world to determine how much return you're really going to get because you never know where or how or when you're going to have a security problem.
Angel Mehta: Just like we didn't know where or how or when 9/11 was going to happen...
Tom Noonan: Exactly. Nobody is questioning all the money we're spending now (on defense) and the same is true of security. If you fundamentally believe you need it then you set out philosophically with the mindset 'I want the best for the least cost of ownership'.
But if you don't fundamentally believe you need it…I have presided over many ROI sessions where these ridiculous assumptions were made. I would propose to you that most ROI calculations that were presented to CEO's and CFO's from about 1998 to 2000 were fraught with bad assumptions…meaning, e-commerce sites are put in to automate 50 percent or 100 percent% of a company's business but things like security, performance management and other things were left out! Sure, it makes the ROI look even better but at the end of the day I think those costs should have been included in the projects.
Angel Mehta: There's a lot of analysts that imply over time that the best of breed players in the space are going to lose market share to the larger systems management guys like Tivoli or BMC or CA and I'm sure that's a problem you've thought about - it's not a new question… What's the strategy for dealing with it?
Tom Noonan: Well, the strategy for dealing with it quite frankly is one word: 'quality'. If I had to add another word it would be 'depth'. Size is not a strategy. I mean, you know WorldCom and Tyco and many other companies should hopefully resoundingly tell the world that just getting big doesn't necessarily mean that a smaller company can't compete.
Our strategy is very very focused on the customer and on the quality of the protection that we are providing them and that goes FAR beyond technology. That goes into our expert research and development capabilities, our intelligence, our managed protection services. If you look at the larger companies, they have been unable to innovate. Companies like Cisco have acquired probably 50 security companies in the last 5 years…even companies like Symantec that are out there trying desperately to diversify outside of the consumer anti-virus business.
The other element of that comes down to personal choices of talented people. Most very high quality security experts don't want to go work for a big conglomerate where security is a small part of the business. They want to go to a company that lives, dies and breathes by the sword and we do that. We're willing to put our reputation and, quite frankly, our brand on the customer's network and guarantee results. If security is a side business for you that's not something you're going to feel comfortable doing.
Angel Mehta: At $243 million in revenue, have you reached a point where you're automatically on every short list for enterprise security projects - or is there still a need to brand-build per se to the point where market share is still more important than earnings?
Tom Noonan: You know I think it's a multi-faceted discussion, but clearly market share drives earnings if you do it right. We're focused on earnings but most importantly we're focused on executing the long-term strategy of the company. If I was focused exclusively on earnings I would not be spending 18 percent of revenues on R&D. The security industry average is about 10 percent. Why are we spending 18 percent? Because we're building the future.
Angel Mehta: One analyst I talked to a few months ago commented that ISS' success has really been due to a lack of competitive offerings. Is that true?
Tom Noonan: No. There were absolutely competitive offerings throughout our history. In fact, in March of 1995 a freeware product called SATAN was released…it was directly competing with the ISS Internet scanner which was the only product we had back then. ....Cisco acquired our largest competitor in 1997… IBM acquired two or three of our other competitors…Network Associates acquired our other competitors…If I look back over the history of this company…when we lacked competition in any one area, we got stale. There has always been competition.
Angel Mehta: So if you could point to let's say three things that allowed ISS to get out ahead in the early years…three things that you did right…what would they be?
Tom Noonan: First, it's a philosophy that says get out on the end of the limb because that is where the fruit is. We never had an abundance of capital to spend. The company was built on a shoestring and a credit card…multiple credit cards, and so that cultural idiom of getting out on the end of the limb would have to be key.
A second point would have to be clarity of vision.
We never looked at ourselves as being in the Internet scanner business or in the intrusion detection business. We always operated at a higher level and we operated at a higher level because we knew what we wanted to be when we grew up which was a fully automated protection system that could detect and prevent known and unknown threats to our customers. It really was a visionary concept. We may never achieve that level of technology in my lifetime but we're going to pursue it.
A third point…and it's a greatly overused cliché…but I would say that 'people' would be the last key point. We had a management team in this company shortly after the founding that worked together better than anything I have seen in my life. It's a group of people that believed in the vision, deeply cared for people, they were outrageously competitive and it showed in everything we did. We REALLY really looked for people who we thought could be passionate about what we were doing. It's something that I believe in my own personal philosophy…you can't compete with people who love what they do because they don't view what they do as work. They will out run you, they'll out play you…they'll do whatever it takes if they truly love what they do. It's difficult to compete with that, especially in those early years. It gets harder to enforce that as things grow up…but its still part of the underlying spirit and culture of this company.
Angel Mehta: I want to go back to 1994 for a second. You left a secure position with D&B and this was before the exodus of corporate executives to startups even began.
Tom Noonan: Yeah.
Angel Mehta: A couple of people have said to me recently that the best CEO's have to put business ahead of family. What do you think?
Tom Noonan: It's a huge problem. When Klaus and I hooked up, I had not even discussed it with my wife…I just resigned and came home and told my wife that in three weeks I would be home full-time but we wouldn't have any insurance and we wouldn't have any salary but that I would at least be in Atlanta. That was pretty shocking at first because I was not unlike any other person with three young kids…mortgages and car notes and all that other stuff that you have to deal with.
I can remember my wife in Christmas of 1995…we were beyond financially ruined at that time. I had a ton of credit cards and we spent all of our money…our employees hadn't been paid for about a month and I had forged my wife's 401K Plan (she was a Delta flight attendant out of college)…she had maybe $2,000 dollars in the thing. I used it to payoff a contractor who threatened to quit if he didn't get some payment and he was writing our GUI which was critically important to get this damn thing to market. To save money, we had planned not to have Christmas at home because we just figured the kids were all so young they wouldn't know the difference. Four or five days before Christmas, my wifesays to me, "I cannot live this way. I'm going to get that $2,000 dollars and we're going to give the kids a real Christmas."
And man… I went upstairs and thought, "How the hell do I tell her that I spent that money?" It seems like nothing today but that was a lot of money back then. I finally told her and I thought the house was going to come down.
Angel Mehta: I guess that's what you call an entrepreneur's Christmas…so what happened??
Tom Noonan: We finally got some money from people who had bought and were using the software but hadn't paid in almost three months. It was only $20 000 but it let us pay everyone internally and keep the lights on until we could get venture funding. I could go on with these stories forever - I'm sure all entrepreneurs can. Those were wonderful days. A little frightening but wonderful.
Tom Noonan is Chief Executive Officer of Internet Security Systems. Prior to ISS, Tom held senior management positions at Dun & Bradstreet Software. He was Ernst and Young's Entrepreneur of the Year in 1999, and was recently appointed by President Bush to the newly formed National Infrastructure Advisory Council (NIAC),For more information or to send feedback to Tom, email: email@example.com
Angel Mehta is Managing Director at Sterling-Hoffman Management Consultants, a retained executive-search firm focused on conducting CEO, VP Sales, and VP Marketing searches for enterprise software companies. He can be reached via email at: firstname.lastname@example.org