As you've probably noted by now, Symantec just announced that CEO Steve Bennett is out and is being replaced by board member Michael Brown on a temporary basis. The board will now conduct a search for a permanent CEO.
Under Steve Bennett, Symantec announced a new strategy called, "Symantec 4.0," intended to streamline the organization, cut costs, and push organic innovation. A good plan, but my guess is that things weren't moving forward as fast as the board wanted, so it decided to make a change. As an outsider, it did seem like Symantec circled the wagons, focused on internal operations, and kept its eyes off the market. Thus, the company now looking for its fourth CEO in the past five years.
So what should the next CEO of Symantec do? I'm pretty sure that Symantec's board won't be calling me to set up an interview, but if I took over as the next CEO of Symantec, I'd push the company to:
1. Become the leading provider of managed and professional security services. Managed security services are growing twice as fast as product sales while the information security skills shortage gets worse each day. This makes this a no-brainer for Symantec - it already has great services and assets here but needs a few course corrections. First, the company has to become easier to do business with and improve the overall customer experience. Second, the company needs to extend its services more aggressively and supplement managed services with more professional services feet-on-the-street. Finally, Symantec managed services is one of the best-kept secrets in the industry. Symantec needs to put some marketing dough behind this effort to gain visibility and brand recognition.
2. Get active in M&A again. I get the desire for organic growth, but I really don't understand why Symantec did a 180 on acquiring companies. Yes, there were questionable moves, like buying PGP and GuardianEdge at the same time, but Symantec also had some winners such as MessageLabs, Mi5, Verisign, and Vontu. Now that the VC bourgeoisie on Sand Hill Rd. is investing heavily in security startups, Symantec should start cherry picking firms, especially those focused on advanced malware (Bit9, Bromium, Cylance, Invincea) big data security analytics (Click Security, Lancope, LogRhythm, etc.), and cloud security (CloudPassage, HyTrust, SkyHigh Networks, etc.). Symantec could also double down on Identity and Access Management by grabbing Courion.
3. Streamline, streamline, streamline. Symantec has been a company with too many products, too many contract types, too many sales teams, etc. In spite of all of this variety and volume, the company's financial success always rides on the back of less than ten products such as backup, endpoint security software, SSL certificates, and email security. Steve Bennett recognized this issue and deserves credit for starting the winnowing process but the next CEO has to put his or her foot on the gas and make the tough decisions. Should Symantec divest Altiris (I would say yes)? Should it back out of the MDM market (ditto)? Should it create separate LOBs for storage and security (tough one but yes again)? Symantec needs to follow a GE-type product matrix strategy by investing in successful and promising product areas and get out of all others.
4. Build a cybersecurity architecture and ecosystem. IBM, McAfee, and Trend Micro are pushing hard to create an integrated cybersecurity architecture for emerging enterprise security requirements. Symantec gets this strategy but is a bit late to the party. To overcome this deficit, Symantec should embrace open standards, invest in enterprise software expertise and services, and become a partner nexus for leading network security vendors like Cisco, Check Point, Fortinet, Juniper, and Palo Alto Networks. To expedite this process, Symantec should become a vocal champion of open source security projects as well as standards from groups like the FIDO Alliance, Mitre, NIST, and TCG.
5. Make Symantec products and services easier to sell and consume. Once again, Steve Bennett was on the right track so the new CEO should follow his lead. Customers don't have the time to negotiate complex contracts or work with a multitude of sales people. Symantec needs to simplify its sales, go-to-market, and contractual processes, and hire top-tier sales people that can work with CIOs and CISOs rather than network administrators. This strategy should also extend to the channel to enable partner success.
6. Establish Symantec as a center-of-excellence for talented employees. While Symantec recruited a number of new executives under Steve Bennett's tenure, it also experienced a serious brain drain of frustrated engineers and managers. For example, Symantec followed a cookie-cutter (and multi-million dollar) plan from Bain, fired a number of senior engineering talent and replaced them with junior people working overseas. This move may have been financially sound but it alienated the engineering community and gave Symantec a bad reputation amongst leading security software engineers. Symantec must emulate Google and establish itself as a center-of-excellence by hiring, supporting, and resourcing the best and brightest who are passionate about making a difference in cybersecurity and data management R&D.
Okay, I may not be qualified to run a multi-billion dollar company, but I've been working with Symantec for over a decade and believe these recommendations could push the company in the right direction. Symantec is a good company with some strong products and dedicated people. Yes, there are hard decisions and difficult times ahead, but I do believe that under the right stewardship, the company could turn around quickly and prosper.