What Symantec Got Wrong About Data Protection

by Tim Williams

On June 24, 2005, in the face of analyst skepticism, security giant Symantec’s “wary investors” finally approved it’s merger with storage giant Veritas in an all-stock deal valued at 13.5 billion dollars. Symantec CEO John W. Thompson’s rationale, as reported in the New York Times, was to “create a convenient one-stop shop for customers seeking computer security software, which Symantec sells, and data storage software, which Veritas sells”.

Ten years later, Symantec sold off the Veritas assets it acquired to private investors led by the Carlyle Group for 8 billion, implying that the assets had lost 40% of their value under Symantec’s stewardship.

“Ironically”, according to CRN, “the fact that the legacy Symantec and legacy Veritas business never really did merge appears to be making the process to split the two easier than it might have been.” At the time, the split was justified by Symantec Chief Product Office Matt Cain, who CRN quoted as saying “When we did a strategic analysis of the company, it became obvious quickly that the focus on data management and security were diverging quickly”.

Allow me to translate. At the time of the merger, Symantec saw this:

and after ten years of failing to find the synergy, they gave up. Or maybe they just didn’t try that hard, since the businesses “never really did merge“.

Meanwhile, something important changed in the market over those ten years that apparently went unappreciated at Symantec. The answer lies hidden in the two above referenced news sources. In 2005, the world saw Symantec as a “security” company Veritas as a “data storage” company. But by 2015, while Cain was still characterizing Veritas as a player in data management, analysts more properly described the spinout as “the newest startup in the data protection market”.

Pop quiz:

What’s the difference between security and data protection?

Time’s up. Hand in your answers.

If you answered that data protection means the essential disaster recovery processes that every enterprise relies on, you only get partial credit. Why? Think of the problem from the point of view of the data itself, and what exactly it needs to be protected from:

It’s not just system failures, the traditional province of data protection. It’s also bad actors launching viruses and ransomware attacks on your data…in other words, Symantec’s data protection market. And it’s also bad governance policies for data retention and management, the ones forbidden by regulations like the GDPR (the “General Data Protection Regulation”), a market that was within the reach of the two companies combined assets.

Security is data protection. So is backup. So is archive. So are data profiling, classification, remediation and disposition.

So what did Symantec get wrong about Data Protection? At a point when the IT market was coming to agreement on a comprehensive understanding of data protection, they missed the opportunity to be the one vendor that could supply an implementation of that understanding. They didn’t look at the market from the point of view of the data, the way their customers do.

If you are interested in learning about the connective tissue we provide between these three data protection needs, you can visit our website here, contact us here, or register for a webinar here.