The Demise of Symantec
I am picking up on disturbing news about Symantec. First, a reseller from Colombia that I was chatting with at the recent RSA Conference in San Francisco informed me that he was there to find a solution to fill a gap created by Symantec abandoning all but its top resellers. Second, another industry veteran told me that Symantec is abandoning all but its most profitable 2,000 customers. That will leave over 100,000 Symantec customers looking for alternatives. It’s a good time to be CrowdStrike, BlackBerry Cylance, or Carbon Black.
Symantec’s evident strategy—post Broadcom acquisition—is insane and doomed to failure. Historically, this move is only matched by the tremendous blunder that Symantec made under John Thompson when it acquired Veritas.
Let’s look at Symantec’s history and its place in the cybersecurity industry ecosystem. Much of the following is excerpted from my recent publication, Security Yearbook 2020.
Anti-virus products predated the internet. The 1980s were a time when viruses were transferred from machine to machine via floppy disks. The original anti-virus vendors grew from companies that provided a variety of utilities for the nascent PC industry. File storage, system optimization, disk cleaning, data erasure, backup and recovery, and anti-virus made up bundles sold by software companies that primarily addressed the consumer market. As PCs invaded the workplace, so did viruses. And as networks became predominant in the ’90s, viruses began to spread over the wire instead of through dirty diskettes. As viruses became more and more virulent, the importance of AV grew, as did the AV market.
The Symantec name came from a small software company founded in 1982 by Stanford grads to create a database program for the new IBM PC. It was acquired by a smaller competitor, C&E Software in 1984. The combined company retained the Symantec name and shipped its first major product, called Q&A, in 1985. Sales that year were $1.4 million.
Under its CEO at the time, Gordon Eubanks, Symantec embarked on a strategy of acquiring niche products and taking them to market. In 1987 Symantec acquired tools for project management (TimeLine), presentations (Think Tank) and compilers for the Macintosh (Think C and Think Pascal), and an email system called InBox.
Symantec went public in 1989 and its stock took off, giving it the currency to continue to acquire companies including Peter Norton’s PC software company, Norton Utilities, for $60 million in stock. Symantec also acquired a C++ compiler and pcANYWHERE for remote desktop management. By 1993 Symantec even got into the contact management business when it acquired the makers of ACT!, from Contact Software International.
In October 1993 Symantec finally entered the AV market when it acquired Cleveland-based Certus International Corp. Five years later, it acquired the AV products of both Intel and IBM. Symantec also acquired Fifth Generation Systems, which had a contract with a small company in Jerusalem called BRM for anti-virus software. That acquisition gave BRM the capital to invest in Check Point Software.
Eubanks stepped down from Symantec in 1999 to be replaced by John W. Thompson, an executive from IBM. Thompson had a 28-year career at IBM, rising to the role of General Manager of the Americas. He had little experience with security products, but was tasked with growing the enterprise security business of Symantec. He embarked on divesting the company of non-security products like the Internet Tools division and the Visual Café product line, as well as ACT! He then started acquiring security companies such as Axent Technologies, a firewall vendor, L-3 Network Security for vulnerability management, and Seagate’s Network Storage Management Group. He also looked briefly at Finjan Software. He passed on that investment, but was so impressed with Finjan’s CTO, Ron Moritz, that he later hired him as Symantec’s CTO. Moritz defined Symantec’s acquisition strategy, which he termed the NSSSM strategy: networks, systems, storage, and security management.
Very early in his tenure, Thompson relates, Symantec suffered a breach on a Friday. He asked “Who’s our CISO?” They did not have one. By the following Monday morning Symantec had appointed its first CISO.
Under pressure to keep Symantec’s stock price up, Thompson continued an aggressive acquisition strategy, culminating in 2004 with the largest acquisition in the software industry for the time: the $13.5 billion purchase of Veritas, a data center software and storage company. The best evidence that this was a major blunder for Symantec is the valuation for the Veritas division when it was spun out to investors led by the Carlyle Group in 2015 for $8 billion. 
Under John Thompson Symantec continued to grow through acquisitions. It played an important role in the overall industry, offering an alternative to an IPO to many high-flying startups with good technology. The big paydays for investors and founders fueled more startups and more investments.
Sygate, acquired on August 16, 2005, had a series of desktop tools including a popular PC firewall which Symantec discontinued after the acquisition. It also gave Symantec a Network Access Control (NAC) product. 
Altiris was acquired on April 6, 2007 for $830 million. It produced system and asset management software. At the time Thompson told analysts, “Added to our portfolio, (Altiris) makes us infinitely more competitive with the likes of a Microsoft.” 
Vontu, a data loss prevention (DLP) company, was acquired November 5, 2007 for $350 million. 
PC Tools, another PC utility company focused on security, was acquired August 18, 2008. PC Tools was run as a separate company until Symantec killed it in May 2013.
AppStream, a provider of application virtualization software was acquired on April 18, 2008. 
MessageLabs was one of Symantec’s larger acquisitions. It paid $695 million in November, 2008 for the online messaging and web filtering company. 
PGP was acquired June 4, 2010, for $300 million. The Pretty Good Privacy software was originally a free encryption solution that mirrored RSA’s encryption algorithms. It was created by Phil Zimmermann. The technology was acquired by Network Associates and then spun out to PGP Corporation, formed by Phil Dunkelberger and Jon Callas. The acquisition, along with GuardianEdge, announced at the same time (an additional $70 million), gave Symantec an endpoint encryption solution.
The Verisign certificate business was acquired August 9, 2010 for $1.28 billion. It was the end of an era for the first certificate authority to sell SSL certs recognized by the major browsers. Verisign, which eventually got out of the security business, had decided to focus on its remarkable cash cow of maintaining the top-level domain servers and collecting a fee for every .com, .net, and .name domain. Symantec later spun this business off to DigiCert in November, 2017 for $1 billion.
RuleSpace, acquired in January, 2010, provided content URL filtering services for many ISPs.
Clearwell Systems was acquired May 19, 2011, for $390 million. It provided ediscovery solutions for legal firms.
LiveOffice, a cloud email and messaging archiving company, was acquired on January 17, 2012. Price: $115 million. The products were already integrated with Clearwell’s discovery solutions.
Odyssey Software for device management including mobile devices was acquired March 2, 2012. It was followed by Nukona, acquired April 2, 2012, which was a mobile application management solution.
NitroDesk, a nine-person shop with application container technology for Android devices, was acquired May 2014. 
Then came the divestiture of Veritas under new CEO Michael Brown. Splitting off Veritas in 2015 was the first acknowledgement that Symantec was suffering and was in need of restructuring. The following year Symantec acquired Blue Coat, the manufacturer of secure web gateway appliances, for $4.65 billion. It was almost a reverse merger as the CEO of Blue Coat, Greg Clark, became the CEO of the merged companies.
Blue Coat had had its own troubles over the years. It was initially launched as Cacheflow in 1996. In early 2002 Cacheflow’s CEO Brian Nesmith took the company public. Its stock jumped almost fivefold on opening day. Nesmith then pivoted the company into secure gateway appliances and renamed it Blue Coat.
Blue Coat quickly became the largest vendor of content URL filtering appliances. Every large organization needed a way to block employee access to inappropriate or time-wasting websites. Adding a category for malicious websites made these devices security products and gave rise to the category of secure web gateways. Blue Coat had a problem though. A gateway appliance that sits in the data center is very expensive. It has to handle tens of thousands of simultaneous sessions.
In the early 2000s large distributed enterprises like retail stores, distribution centers, car dealerships, and restaurants were moving to local internet breakouts. Instead of back-hauling all the traffic from the remote location to HQ over very expensive MPLS circuits, each location would go direct to the internet over low-cost broadband. To provide security they needed to replicate the stack of security gear found at HQ, but without the million-dollar price tag associated with data center grade equipment.
This gave rise to the inexpensive, all-in-one security appliance industry led by WatchGuard, SonicWall, and Fortinet. They each added content URL filtering as a subscription service to these devices. At price points of $1,000 or less, Blue Coat could not compete.
Blue Coat stopped growing, and in February, 2012, was taken private by Thoma Bravo for $1.3 billion. Considering the $4.65 billion Symantec paid for Blue Coat, this was a good outcome for Thoma Bravo. But not so good for Symantec.
Shortly after Greg Clark took the reins in November 2016, Symantec acquired consumer credit protection company LifeLock for $2.3 billion. Combined with the Norton consumer AV business this represented $2.2 billion in annual revenue for the consumer division. 
But growth was lackluster under Greg Clark and he stepped down in May, 2019. The announcement caused a 15% tumble in Symantec’s stock price. 
The newly appointed interim CEO, Richard Hill, soon announced a sale of the company to Broadcom, but it fell apart in July. It was later restructured and on November 4, 2019, Symantec’s enterprise security business was acquired by Broadcom, while its consumer business remained a public company called NortonLifeLock. This spells the end of Symantec as a security behemoth. It is likely that it will not play the same role in the industry as it has in the past.
There are 255 endpoint security vendors listed in the directory portion of Security Yearbook 2020. They run the gamut from anti-virus, to encryption, to the control of physical devices and their ports.
Now that Symantec has effectively left the field, which vendors are stepping in to fill its role? Cisco and Palo Alto Networks are the remaining large acquirers. But it appears that we are entering a new era of Private Equity taking on the role of fueling growth by acquiring promising technology companies. The trouble with Private Equity is that they lack strategy. Much like Broadcom, which is in essence a PE play, they look to financial gimmicks to turn a quick return on investment.
The cybersecurity industry is not prone to cash cows that can be bled of profits to pay down debt financing. Cybersecurity is driven by innovation, channel development, and customer growth. Private Equity has yet to demonstrate it knows how to do any of those things.
Current Symantec enterprise customers should be looking at replacing the multiple Symantec products in their portfolios. Look for cloud-delivered solutions that can accelerate your efforts to transform your security architectures while saving money.
Symantec is bleeding people, down 2.311 since September 2019. Startups should be targeting the Symantec install base which is already being abandoned, while hiring the Symantec sales teams and partners which have been cast adrift.