Curiosity kills the cybercriminals

newsmaker Every business Steve Chang started, he hated. But things took a different turn the third time around.

Co-founder and chairman of Trend Micro, Chang's first two startups--offering mini-UPS (uninterruptible power supply) for computers and Chinese database--failed. Undaunted, he established Trend Micro with his wife Jenny Chang and her sister Eva Chen in Silicon Valley in 1988, unleashing what was to become a giant of an Internet security player. The company's net income clocked in at US$213.6 million last year, with net sales totaling US$1.1 billion.

Growing up in a small city in southern Taiwan, the youngest in a family of two daughters and a son was a "pinboy" in his parents' bowling alley, which at that time required manual hands to lay the bowling pins. His entrepreneurial streak, Chang admitted, was born not only out of family influence but also from the desire to prove himself to his father.

Chang helmed Trend Micro as CEO until end-2004, then passed the baton to Chen, who had been the CTO for many years.

In town recently to accept the Lifetime Achievement Award at CNBC's 2009 Asia Business Leader Awards, the 55-year-old shared with ZDNet Asia in a wide-ranging interview his thoughts on IT security innovation, his one regret in his career at Trend Micro, and why the Taiwanese player had its head in the clouds as early as the 1990s.

Q: In persuading your sister-in-law Eva to succeed you as CEO, you mentioned that innovation ought to be the core competency of the company. What would you say are key ingredients to sustaining a culture of innovation in IT security?
Chang: The definition of innovation is solving the problem by using new ways. First of all, you need curiosity and intelligence to define the problem, and then you need courage in a fearless environment to try to derive a new way. It's become Trend Micro's culture. We happen to be in this software business, which requires a lot of innovation, and we happen to make a living by defeating hackers who are extremely innovative.

Eva and I have these characteristics. When the founder has certain characteristics, eventually they get into a part of the corporate culture. Because of this corporate culture, we attract those people who have this kind of core competency to join Trend Micro.

Given the fast pace of malware development, would you say that innovation is no longer an option?
It's the only way, right? Innovation has always been important because the technology has changed, the platform has changed and the way the user is being attacked has changed. With all these changes, it's inevitable that the nature of our business has changed. The Internet, e-mail and cloud computing accelerate the need for innovation. If innovation is not part of your DNA and your product, it's very difficult to fake. You are not really solving customers' problems.

Where do you draw inspiration to innovate?
Once innovation becomes part of the corporate and individual DNA, it becomes intuitive. If you really analyze it, you will see that it comes from observing how IT managers in the enterprise handle their internal network security problems.

What is their No. 1 concern? They worry about where these viruses and malware come from, and who in the organization is allowing such things to come into the company network. This is probably one key advantage that Trend Micro has over other companies, which are very technology-focused. We understand how IT managers think, feel and are concerned about.

What is still lacking in IT security innovation today? What areas within IT security can be improved in terms of innovation?
So many things! In IT security, we still have so many things that cannot be predicted. After the IT manager buys all kinds of products from the vendor, they still find their most valuable data is leaking out. If you cannot solve the customer's concern, then you still have a lot of room for innovation.

Hackers are no longer like before, where they just code malware for fun to satisfy their ego or to show off to their friends. Nowadays, they use botnets, spyware, and all kinds of malware technology to try to make as much money as possible. Last year, their revenues were about US$10 billion--much higher than the collective revenues of the antivirus industry! They have become organized criminals. We have to defeat them by coming up with much better, faster and easier ways for users to defend themselves.

Your career in Trend Micro spans over 20 years. If there's one thing you could go back and do differently, what would it be?
One thing I would want to correct is that I was too focused on enterprise software, and therefore, we missed the big opportunity back in the mid 1990s and beginning of 2000s, when the consumers started to become aware and wanted to spend money to buy antivirus software. So, our consumer sector has been behind as we've been very focused on the enterprise market.

For the last nine years, there has been a lot of money spent by individuals. And, end-users spend on the product based on the brand rather than the technology. Due to my background and focus on technology, and my engineers' personality, I missed out on this marketing opportunity. If I were to do it again, I would focus on this.

In 1999, you said in an interview that Trend Micro is the "e-doctor". How has the role of the company changed since?
It's still the same. E-doctor refers to a service. Put in the context of a cloud computing world, it means software-as-a-service (SaaS). Instead of selling the product, we host the service that customers pay for rather than have them buy a product.

It has taken longer to take off compared to what I thought because IT managers' are still thinking in terms of software, yearly maintenance costs and special support costs. The budget is still developed this way, and we tried to say forget it, you pay what you use, like electricity. It was a little bit early--10 years too early, I think. Now, everyone talks about Salesforce.com and SaaS.

But, that path gave us a lot of experience on how to run a services business. Today, our Worry-Free service for small businesses is doing very well. E-doctor transformed into a lot of services that we now have. Now, these services are our major source of income.

Do you see that eventually there'll be no security products, just services?
Yes, eventually, but I don't know how long it will take to reach there.

For Trend Micro, the mix is now 30 percent services, 70 percent products. Definitely, this ratio will change over the years. Cloud computing will accelerate this trend. Eventually people don't really buy a product where you have to install a server, update virus patterns and the virus scans might cause your system to hang--that scenario is not sustainable. Service in the cloud, I think, is definitely the way to go.

Trend Micro announced malware analysis in the cloud, offering the dual approach of tapping as well as securing the cloud. How well has that strategy worked for you?
This strategy had been cooking for almost four years. At that time, Eva had been thinking of a way to solve the ultimate fundamental antivirus problem: products that are not able to adequately protect customers because new viruses develop all the time and hackers use mixed attacks.

The scan update may look fine but every year there are more than 5 million viruses, so the challenge lies in detecting new malware. So Eva came up with the idea of offering a service based on technology like Hadoop, which can parallel-compute huge amounts of unstructured data. We try to fight the hackers and viruses in the cloud, rather than trying to remove it in the customer environment.

What do you see for Internet security in 2010?
Global 2000 companies will start to realize that one way or the other, they have to try to virtualize their servers to become more efficient. And they will then start to worry about how to protect their virtual environment as they don't know where exactly their applications are running on. Virtualization security is probably going to be the No. 1 concern.

The other concern is preventing mixed attacks in the cloud rather than handling them within the network perimeter.

So in 2010, there is going to be a huge growth I think. After so many years, I think this is going to be the best year we will see.