Symantec headquarters in Mountain View, California
|Traded as||NASDAQ: SYMC
S&P 500 Component
|Founded||March 1, 1982
Sunnyvale, California, U.S.
|Headquarters||Mountain View, California, U.S.|
|Revenue||US$ 4.019 billion (2017)|
|US$ -100 million (2017)|
|US$ -106 million (2017)|
|Total assets||US$ 18.174 billion (2017)|
|Total equity||US$ 3.487 billion (2017)|
Number of employees
|Divisions||List of divisions|
Symantec Corporation // (commonly known as Symantec) is an American software company headquartered in Mountain View, California, United States. The company provides cybersecurity software and services. Symantec is a Fortune 500 company and a member of the S&P 500 stock-market index. The company also has development centers in Pune, Chennai and Bengaluru (India).
On October 9, 2014, Symantec declared it would split into two independent publicly traded companies by the end of 2015. One company would focus on security, the other on information management. On January 29, 2016, Symantec sold its information-management subsidiary, named Veritas Technologies (which Symantec had acquired in 2004) to The Carlyle Group.
Founded in 1982 by Gary Hendrix with a National Science Foundation grant, Symantec was originally focused on artificial intelligence-related projects, including a database program. Hendrix hired several Stanford University natural language processing researchers as the company's first employees, among them Barry Greenstein (professional poker player and developer of the word processor component within Q&A). Hendrix also hired Jerry Kaplan (entrepreneur and author) as a consultant to build the in-RAM database for Q&A.
In 1984, it became clear that the advanced natural language and database system that Symantec had developed could not be ported from DEC minicomputers to the PC. This left Symantec without a product, but with expertise in natural language database query systems and technology. As a result, later in 1984 Symantec was acquired by another, smaller software startup company, C&E Software, founded by Denis Coleman and Gordon Eubanks and headed by Eubanks. C&E Software developed a combined file management and word processing program called Q&A for "question and answer."
The merged company retained the name Symantec. Eubanks became its chairman, Vern Raburn, the former President of the original Symantec, remained as President of the combined company. The new Symantec combined the file management and word processing functionality that C&E had planned, and added an advanced Natural Language query system (designed by Gary Hendrix and engineered by Dan Gordon) that set new standards for ease of database query and report generation. The natural language system was named "The Intelligent Assistant". Turner chose the name of Q&A for Symantec's flagship product, in large part because the name lent itself to use in a short, easily merchandised logo. Brett Walter designed the user interface of Q&A (Brett Walter, Director of Product Management). Q&A was released in November 1985.
During 1986, Vern Raburn and Gordon Eubanks swapped roles, and Eubanks became CEO and president of Symantec, while Raburn became its chairman. Subsequent to this change, Raburn had little involvement with Symantec, and in a few years time, Eubanks added the Chairmanship to his other roles. After a slow start for sales of Q&A in the fall of 1985 and spring of 1986, Turner signed up a new advertising agency called Elliott/Dickens, embarked on an aggressive new advertising campaign, and came up with the "Six Pack Program" in which all Symantec employees, regardless of role, went on the road, training and selling dealer sales staff nationwide in the United States. Turner named it Six Pack because employees were to work six days a week, see six dealerships per day, train six sales representatives per store and stay with friends free or at Motel 6. Simultaneously, a promotion was run jointly with SofSell (which was Symantec's exclusive wholesale distributor in the United States for the first year that Q&A was on the market). This promotion was very successful in encouraging dealers to try Q&A.
During this time, Symantec was advised by Jim Lally and John Doerr — both were board members of Symantec at that stage — (Kleiner Perkins Caufield & Byers) that if Symantec would cut its expenses and grow revenues enough to achieve cash flow break-even, then KPCB would back the company in raising more venture capital. To accomplish this, the management team worked out a salary reduction schedule where the chairman and the CEO would take zero pay, all vice presidents would take a 50% pay cut, and all other employees' pay was cut by 15%. Two employees were laid off. Eubanks also negotiated a sizable rent reduction on the office space the company had leased in the days of the original Symantec. These expense reductions, combined with strong international sales of Q&A, enabled the company to attain break-even.
The significantly increased traction for Q&A from this re-launch grew Symantec's revenues substantially, along with early success for Q&A in international markets (uniquely a German version was shipped three weeks after the United States version, and it was the first software in the world that supported German Natural Language) following Turner's having placed emphasis on establishing international sales distribution and multiple language versions of Q&A from initial shipment.
In 1985, Rod Turner negotiated the publishing agreement with David Whitney for Symantec's second product, which Turner named NoteIt (an annotation utility for Lotus 1-2-3). It was evident to Turner that NoteIt would confuse the dealer channel if it was launched under the Symantec name, because Symantec had built up interest by that stage in Q&A (but not yet shipped it), and because the low price for the utility would not be initially attractive to the dealer channel until demand had been built up. Turner felt that the product should be marketed under a unique brand name.
Turner and Gordon E. Eubanks, Jr., then chairman of Symantec Corporation, agreed to form a new division of Symantec, and Eubanks delegated the choice of name to Turner. Turner chose the name Turner Hall Publishing, to be a new division of Symantec devoted to publishing third-party software and hardware. The objective of the division was to diversify revenues and accelerate the growth of Symantec. Turner chose the name Turner Hall Publishing, using his last name and that of Dottie Hall (Director of Marketing Communications) in order to convey the sense of a stable, long established, company. Turner Hall Publishing's first offering was Note-It, a notation utility add-in for Lotus 1-2-3, which was developed by David Whitney, and licensed to Symantec. Its second product was the Turner Hall Card, which was a 256k RAM, half slot memory card, initially made to inexpensively increase the available memory for Symantec's flagship product, Q&A. The Turner Hall division also marketed the card as a standalone product. Turner Hall's third product, also a 1-2-3 add-in was SQZ! a Lotus 1-2-3 spreadsheet compression utility developed by Chris Graham Synex Systems. In the summer of 1986 Eubanks and Turner recruited Tom Byers from Digital Research, to expand the Turner Hall Publishing product family and lead the Turner Hall effort.
By the winter of 1986–87, the Turner Hall Publishing division had achieved success with NoteIt, the Turner Hall Card and SQZ!. The popularity of these products, while contributing a relatively small portion of revenues to Symantec, conveyed the impression that Symantec was already a diversified company, and indeed, many industry participants were under the impression that Symantec had acquired Turner Hall Publishing. In 1987, Byers recruited Ted Schlein into the Turner Hall Product Group to assist in building the product family and in marketing.
Revenues from Q&A, and from Symantec's early launch into the international marketplace, combined with Turner Hall Publishing, generated the market presence and scale that enabled Symantec to make its first merger/acquisition, in February 1987, that of Breakthrough Software, maker of the TimeLine project management software for DOS. Because this was the first time that Symantec had acquired a business that had revenues, inventory and customers, Eubanks chose to change nothing at BreakThrough Software for six months, and the actual merger logistics started in the summer of 1987, with Turner being appointed by Eubanks as general manager of the TimeLine business unit, Turner was made responsible for the successful integration of the company into Symantec and ongoing growth of the business, with P&L. There was a heavy emphasis placed on making the minimum disruption by Eubanks and Turner.
Soon after the acquisition of TimeLine/Breakthrough Software, Eubanks reorganized Symantec, structuring the company around product-centric groups, each having its own development, quality assurance, technical support and product marketing functions, and a General Manager with profit and loss responsibility. Sales, finance and operations were centralized functions that were shared. This structure lent itself well to Symantec's further growth through mergers and acquisitions. Eubanks made Turner general manager of the new TimeLine Product Group, and simultaneously of the Q&A Product Group, and made Tom Byers general manager of the Turner Hall Product Group. Turner continued to build and lead the company's international business and marketing for the whole company.
At the TimeLine Product Group, Turner drove strong marketing, promotion and sales programs in order to accelerate momentum. By 1989 this merger was very successful—product group morale was high, TimeLine development continued apace, and the increased sales and marketing efforts applied built the TimeLine into the clear market lead in PC project management software on DOS. Both the Q&A and TimeLine product groups were healthily profitable. The profit stream and merger success set the stage for subsequent merger and acquisition activity by the company, and indeed funded the losses of some of the product groups that were subsequently acquired. In 1989, Eubanks hired John Laing as VP worldwide sales, and Turner transferred the international division to Laing. Eubanks also recruited Bob Dykes to be Executive Vice President for Operations and Finance, in anticipation of the upcoming IPO. In July 1989 Symantec had its IPO.
In May 1990, Symantec announced its intent to merge with and acquire Peter Norton Computing, a developer of various utilities for DOS. Turner was appointed as product group manager for the Norton business, and made responsible for the merger, with P&L responsibility. Ted Schlein was made product group manager for the Q&A business.
The Peter Norton group merger logistical effort began immediately while the companies sought approval for the merger, and in August 1990, Symantec concluded the purchase—by this time the combination of the companies was already complete. Symantec's consumer antivirus and data management utilities are still marketed under the Norton name. At the time of the merger, Symantec had built upon its Turner Hall Publishing presence in the utility market, by introducing Symantec Antivirus for the Macintosh (SAM), and Symantec Utilities for the Macintosh (SUM). These two products were already market leaders on the Mac, and this success made the Norton merger more strategic. Symantec had already begun development of a DOS-based antivirus program one year before the merger with Norton. The management team had decided to enter the antivirus market in part because it was felt that the antivirus market entailed a great deal of ongoing work to stay ahead of new viruses. The team felt that Microsoft would be unlikely to find this effort attractive, which would lengthen the viability of the market for Symantec. Turner decided to use the Norton name for obvious reasons, on what became the Norton Antivirus, which Turner and the Norton team launched in 1991. At the time of the merger, Norton revenues were approximately 20 to 25% of the combined entity. By 1993, while being led by Turner, Norton product group revenues had grown to be approximately 82% of Symantec's total.
At one time Symantec was also known for its development tools, particularly the THINK Pascal, THINK C, Symantec C++, Enterprise Developer and Visual Cafe packages that were popular on the Macintosh and IBM PC compatible platforms. These product lines resulted from acquisitions made by the company in the late 1980s and early 1990s. These businesses and the Living Videotext acquisition were consistently unprofitable for Symantec, and these losses diverted expenditures away from both the Q&A for Windows and the TimeLine for Windows development efforts during the critical period from 1988 through 1992. Symantec exited this business in the late-1990s as competitors such as Metrowerks, Microsoft and Borland gained significant market share.
From 1999 to April 2009 Symantec was led by CEO John W. Thompson, a former VP at IBM. At the time, Thompson was the only African-American leading a major US technology company. He was succeeded in April 2009 by the company's long-time Symantec executive Enrique Salem. Under Salem, Symantec completed the acquisition of Verisign's Certificate Authority business, dramatically increasing their share of that market.
Salem was abruptly fired in 2012 for disappointing earnings performance and replaced by Steve Bennett, a former CEO of Intuit and GE executive. In January 2013, Bennett announced a major corporate reorganization, with a goal of reducing costs and improving Symantec's product line. He said that sales and marketing "had been high costs but did not provide quality outcomes". He concluded that "Our system is just broken".
Robert Enderle of CIO.com reviewed the reorganization and noted that Bennett was following the General Electric model of being product-focused instead of customer-focused. He concluded "Eliminating middle management removes a large number of highly paid employees. This will tactically improve Symantec's bottom line but reduce skills needed to ensure high-quality products in the long term."
In March 2014, Symantec fired Steve Bennett from his CEO position and named Michael Brown as interim president and chief executive. Including the interim CEO, Symantec has had 3 CEOs in less than two years. On September 25, 2014 Symantec announced the appointment of Michael A. Brown as its President and Chief Executive Officer. Brown had served as the company's interim President and Chief Executive Officer since March 20, 2014. Mr. Brown has served as a member of the Company's Board of Directors since July 2005 following the acquisition of VERITAS Software Corporation. Mr. Brown had served on the VERITAS board of directors since 2003.
In July 2016, Symantec introduced a solution to help carmarkers protect connected vehicles against zero-day attacks. The Symantec Anomaly Detection for Automotive is an IoT solution for manufacturers and uses machine learning to provide in-vehicle security analytics. Greg Clark assumed the position of CEO in August 2016.
In August 2017, Symantec announced that it had agreed to sell its business unit that verifies the identity of websites to Thoma Bravo. With this acquisition, Thoma Bravo plans to merge the Symantec business unit with its own web certification company, DigiCert.
On January 4, 2018, Symantec and BT announced their partnership that provides new endpoint security protection.
On October 9, 2014, Symantec declared that the company would separate into two independent publicly traded companies by the end of 2015. Symantec will continue to focus on security, while a new company will be established focusing on information management. Symantec confirmed on January 28, 2015 that the information management business would be called Veritas Technologies Corporation, marking a return of the Veritas name. In August 2015, Symantec agreed to sell Veritas to a private equity group led by The Carlyle Group for $8 billion. The sale was completed by February 2016 that turned Veritas into a privately owned company.
As of 2015, Symantec's Norton product line includes Norton Security, Norton Small Business, Norton Family, Norton Mobile Security, Norton Online Backup, Norton360, Norton Utilities and Norton Computer Tune Up.
In 2012, PCTools iAntiVirus was rebranded as a Norton product under the name iAntivirus, and released to the Mac App Store. Also in 2012, the Norton Partner Portal was relaunched to support sales to consumers throughout the EMEA technologies.
In 1993, Symantec acquired ACT! from Contact Software International. Symantec sold ACT! to SalesLogix in 1999. At the time it was the world's most popular CRM application for Windows and Macintosh.
On December 16, 2004, Veritas Software and Symantec announced their plans for a merger. With Veritas valued at $13.5 billion, it was the largest software industry merger to date. Symantec's shareholders voted to approve the merger on June 24, 2005; the deal closed successfully on July 2, 2005. July 5, 2005, was the first day of business for the U.S. offices of the new, combined software company. As a result of this merger, Symantec includes storage- and availability-related products in its portfolio, namely Veritas File System (VxFS), Veritas Volume Manager (VxVM), Veritas Volume Replicator (VVR), Veritas Cluster Server (VCS), NetBackup (NBU), Backup Exec (BE) and Enterprise Vault (EV).
On August 16, 2005, Symantec acquired Sygate, a security software firm based in Fremont, California, with about 200 staff. As of November 30, 2005, all Sygate personal firewall products were discontinued.
On January 29, 2007, Symantec announced plans to acquire Altiris, and on April 6, 2007, the acquisition was completed. Altiris specializes in service-oriented management software that allows organizations to manage IT assets. It also provides software for web services, security and systems management products. Established in 1998, Altiris is headquartered in Lindon, Utah.
On November 5, 2007, Symantec announced its acquisition of Vontu, the leader in Data Loss Prevention (DLP) solutions, for $350 million.
On January 17, 2008, Symantec announced that it was spinning off its Application Performance Management (APM) business and the i3 product line to Vector Capital. Precise Software Solutions took over development, product management, marketing and sales for the APM business, launching as an independent company on September 17, 2008.
On August 18, 2008, Symantec announced the signing of an agreement to acquire PC Tools. Under the agreement, PC Tools would maintain separate operations. The financial terms of the acquisition were not disclosed. In May 2013, Symantec announced they were discontinuing the PC Tools line of internet security software.
In December 2013, Symantec announced they were discontinuing and retiring the entire PC Tools brand and offering a non expiring license to PC Tools Performance Toolkit, PC Tools Registry Mechanic, PC Tools File Recover and PC Tools Privacy Guardian users with an active subscription as of December 4, 2013.
On April 18, 2008, Symantec completed the acquisition of AppStream, Inc. (“AppStream”), a nonpublic Palo Alto, California-based provider of endpoint virtualization software. AppStream was acquired to complement Symantec's endpoint management and virtualization portfolio and strategy.
On October 9, 2008, Symantec announced its intent to acquire Gloucester-based MessageLabs (spun off from Star Internet in 2007) to boost its Software-as-a-Service (SaaS) business. Symantec purchased the online messaging and Web security provider for about $695 million in cash. The acquisition closed on November 17, 2008.
On April 29, 2010, Symantec announced its intent to acquire PGP and Guardian Edge. The acquisitions closed on June 4, 2010, and provided access to established encryption, key management and technologies to Symantec's customers.
On May 19, 2010, Symantec signed a definitive agreement to acquire Verisign’s authentication business unit, which included the Secure Sockets Layer (SSL) Certificate, Public Key Infrastructure (PKI), Verisign Trust and Verisign Identity Protection (VIP) authentication services. The acquisition closed on August 9, 2010. In August 2012, Symantec completed its rebranding of the Verisign SSL Certificate Service by renaming the Verisign Trust Seal the Norton Secured Seal.
Acquired in October 10, 2010, RuleSpace is a web categorisation product first developed in 1996. The categorisation is, automated using what Symantec refers to as the Automated Categorization System (ACS). It is used as the base for content filtering by many UK ISP.
On May 19, 2011, Symantec announced the acquisition of Clearwell Systems for approximately $390 million.
On January 17, 2012, Symantec announced the acquisition of cloud email-archiving company LiveOffice. The acquisition price was $115 million. Last year,[ambiguous] Symantec joined the cloud storage and backup sector with its Enterprise Vault.cloud and Cloud Storage for Enterprise Vault solutions, in addition to a cloud messaging solution, Symantec Instant Messaging Security cloud (IMS.cloud). Symantec stated that the acquisition would add to its information governance products, allowing customers to store information on-premises, in Symantec's data centers, or both.
On March 2, 2012, Symantec completed the acquisition of Odyssey Software. Odyssey Software's main product was Athena, which was device management software that extended Microsoft System Center solutions, adding the ability to manage, support and control mobile and embedded devices, such as smartphones and ruggedized handhelds.
Symantec completed its acquisition of Nukona, a provider of mobile application management (MAM), on April 2, 2012. The acquisition agreement between Symantec and Nukona was announced on March 20, 2012.
On May 2014 Symantec acquired NitroDesk, provider of TouchDown, the market-leading third-party EAS mobile application.
The arrival of the year 2010 triggered a bug in Symantec Endpoint. Symantec reported that malware and intrusion protection updates with "a date greater than December 31, 2009 11:59pm [were] considered to be 'out of date.'" The company created and distributed a workaround for the issue.
In March 2010, it was reported that Symantec AntiVirus and Symantec Client Security were prone to a vulnerability that might allow an attacker to bypass on-demand virus scanning, and permit malicious files to escape detection.
In January 2011, multiple vulnerabilities in Symantec products that could be exploited by a denial-of-service attack, and thereby compromise a system, were reported. The products involved were Symantec AntiVirus Corporate Edition Server and Symantec System Center.
The November 12, 2012 Vulnerability Bulletin of the United States Computer Emergency Readiness Team (US-CERT) reported the following vulnerability for older versions of Symantec's Antivirus system: "The decomposer engine in Symantec Endpoint Protection (SEP) 11.0, Symantec Endpoint Protection Small Business Edition 12.0, Symantec AntiVirus Corporate Edition (SAVCE) 10.x, and Symantec Scan Engine (SSE) before 5.2.8 does not properly perform bounds checks of the contents of CAB archives, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file."
The problem relates to older versions of the systems and a patch is available. US-CERT rated the seriousness of this vulnerability as a 9.7 on a 10-point scale. The "decomposer engine" is a component of the scanning system that opens containers, such as compressed files, so that the scanner can evaluate the files within.
In January 2012, James Gross filed a lawsuit against Symantec for distributing fake scareware scanners that purportedly alerted users of issues with their computers. Gross claimed that after the scan, only some of the errors and problems were corrected, and he was prompted by the scanner to purchase a Symantec app to remove the rest. Gross claimed that he bought the app, but it did not speed up his computer or remove the detected viruses. He hired a digital forensics expert to back up this claim. Symantec denied the allegations and said that it would contest the case. Symantec settled a $11 million fund (up to $9 to more than 1 million eligible customers representing the overpaid amount for the app) and the case was dismissed in court.
On January 17, 2012, Symantec disclosed that its network had been hacked. A hacker known as "Yama Tough" had obtained the source code for some Symantec software by hacking an Indian government server. Yama Tough released parts of the code, and threatened to release more. According to Chris Paden, a Symantec spokesman, the source code that was taken was for Enterprise products that were between five and six years old.
On September 25, 2012, an affiliate of the hacker group Anonymous published source code from Norton Utilities. Symantec confirmed that it was part of the code that had been stolen earlier, and that the leak included code for 2006 versions of Norton Utilities, pcAnywhere and Norton Antivirus.
In February 2012, it was reported that Verisign's network and data had been hacked repeatedly in 2010, but that the breaches had not been disclosed publicly until they were noted in an SEC filing in October 2011. Verisign did not provide information about whether the breach included its certificate authority business, which was acquired by Symantec in late 2010. Oliver Lavery, Director of Security and Research for nCircle, asked rhetorically, "Can we trust any site using Verisign SSL certificates? Without more clarity, the logical answer is no."
On February 17, 2012, details of an exploit of pcAnywhere were posted. The exploit would allow attackers to crash pcAnywhere on computers running Windows. Symantec released a hotfix for the issue twelve days later.
According to Mandiant, Symantec security products used by The New York Times detected only one of 45 pieces of malware that were installed by Chinese hackers on the newspaper's network during a three-month period in late 2012. Symantec responded:
"Advanced attacks like the ones the New York Times described in the following article, <http://nyti.ms/TZtr5z>, underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our [E]ndpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of [E]ndpoint solutions alone [is] not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough".
In February 2015, Symantec was found guilty of two counts of patent infringement in a suit by Intellectual Ventures Inc and ordered to pay $17 million in compensation and damages, In September 2016, this decision was reversed on appeal by the Federal Circuit.
On September 18, 2015, Google notified Symantec that the latter issued 23 test certificates for five organizations, including Google and Opera, without the domain owners' knowledge. Symantec performed another audit and announced that an additional 164 test certificates were mis-issued for 76 domains and 2,458 test certificates were mis-issued for domains that had never been registered. Google requested that Symantec update the public incident report with proven analysis explaining the details on each of the failures.
The company was asked to report all the certificates issued to the Certificate Transparency log henceforth. Symantec has since reported implementing Certificate Transparency for all its SSL Certificates. Above all, Google has insisted that Symantec execute a security audit by a third party and to maintain tamper-proof security audit logs.
On March 24, 2017, Google stated that it had lost confidence in Symantec, after the latest incident of improper certificate issuance. Google says millions of existing Symantec certificates will become untrusted in Google Chrome over the next 12 months. According to Google, Symantec partners issued at least 30,000 certificates of questionable validity over several years, but Symantec disputes that number. Google said Symantec failed to comply with industry standards and could not provide audits showing the necessary documentation.
Google’s Ryan Sleevi said that Symantec partnered with other CAs (CrossCert (Korea Electronic Certificate Authority), Certisign Certificatadora Digital, Certsuperior S. de R. L. de C.V., and Certisur S.A.) who did not follow proper verification procedures leading to the misissuance of certificates.