Large IT companies spend the bulk of their R&D budgets on enhancing existing product groups – understandably. After all, it’s always risky venturing into unchartered territory. Fact is, it’s even riskier not to. There’s the very real danger that while an IT behemoth is busy perfecting current technology, someone else comes along and creates the next major thing that displaces it. Symantec Corp. has a game plan to avoid this danger. It involves funneling a portion of its R&D budget each year into technology innovation. The organization where these innovative technologies are conceived, created and tested is Symantec Research Labs (SRL). Very different from Symantec’s product development organization, SRL is a crucible for the proverbial “next thing.” Lately work being done at these labs has become so vital to the company that it has placed SRL under the direct control and management of its chief technology officer and senior vice-president, Ajei Gopal. In this exclusive interview with Joaquim P. Menezes, IT World Canada’s online editor, Gopal tells the inside story about SRL, and some of the “hot” new technologies being developed there. He also discusses Symantec’s mobile device security strategy.

Can you describe some innovative technologies under development at Symantec Research Labs?

Some we don’t talk about. It’s like film…you don’t want to expose it too soon. But let me give you a broad sense of the kinds of projects we work on. First, we try to take on some projects that are near term, but potentially lower risk.” For instance, we worked on “signature size” in the anti-virus (AV) product. When we talk “signatures”, it’s a lot of information being sent out. How do you compress that? We came out with a very interesting way of reducing signature size. There’s an example of something that emerged from the research labs. It was then transitioned over to the product organization.

Other things are longer term and more speculative. The further out you go, the more “blue sky” you can get. You give the team the opportunity to fail. You set stretch goals for them. If they are successful, great. If they don’t make it initially that’s okay too. In case of the [data security appliance], we identified data extrusion or leakage as an area of threat. The team then worked, came up with the ideas and concepts. Then they built and patented this great technology, which is running in production within a number of customer environments – and will soon be transformed into a product. That’s an example of how, after identifying a specific area a couple of years ago, were able create something that is now a relatively mature technology.

You said SRL teams are given the opportunity to fail sometimes. What’s the actual success to failure ratio at the labs?

I haven’t really measured that ratio. However, even though some projects may have not achieved their original goal…what they were meant to achieve, we are usually able to transform the technology, and use it in a different way, or think of another way to make it successful. But we try to be very careful about how we manage research activities in the portfolio.

How is SRL structured?

Within SRL we have four groups or activities. The first is core research. These are short- or long-term research projects that are more fundamental in scope. The second group/activity is advanced concepts. This Advanced Concepts team operates much like a start up. Its job is not just to come up with a technology, but to then take that extra step, and actually validate that technology, ensuring it works in customer situations. They go through a beta process with customers. Once they reach a certain critical mass, the projects get transitioned over to the development organizations. During my keynote I demonstrated the new database technology (the Symantec Data Security Appliance) developed by Advanced Concepts. I would wager that it’s substantially more robust than what a startup could create, for example. We also have a Government Research team that works with other companies and industry consortia on government contracts. And we have a group that works with universities on research.

Is the Data Security Appliance currently used by customers in production?

Yes, the [pre-release version] is currently running on the production networks of some customers.

Customers in which sectors?

In the financial and manufacturing sectors, and we have one university customer. There’s actually another important customer…ourselves. Anything we do of this nature gets applied on our own networks. We call it the “eat your own cooking program.” Once the technology was ready, we worked with the sales team to identify a handful of key customers willing to participate in much more of an experimental model. As this is not yet a current product, support is not provided through the standard Symantec support organization. If you have a problem, you call up the team that’s actually building it. Some companies participating are very large. We’re talking a big bank and a manufacturing company. They put [the technology] into a non-production network first to get a sense of how it works. Once they were satisfied, they moved it into their production network. Since this was not altering the data flow or anything else, but was just sitting there as a passive device, it was very easy to do that. [From a risk perspective] this is no different than working with a startup company. In fact when you work with a startup, the risks you take on are substantially higher.

When will the appliance be actually launched?

It’s in pretty good shape, so you should hear an announcement sometime soon.

In your keynote you said mobility is a growing area of interest for Symantec. What’s Symantec’s strategy for providing security and protection to mobile devices?

We think this strategy should be multi-pronged – and should touch the device itself, the network, and the enterprise. In addition, to security it should cover data backup as well. Let’s talk about security. Firstly, there should be security for products running on the mobile device. That can be AV software, for instance. Secondly, there needs to be protection in the carrier’s network – in the “cloud” – to filter out malware before it hits the device. The third element has to do with enterprise customers, and we believe there’s an opportunity around technologies such as network efficient control protocols. For example, we acquired Sygate, a company that allows you to do endpoint compliance. Through endpoint compliance technology companies can validate mobile devices — ensuring these devices are consistent with their policies before allowing them on to the network.

Likewise, on the data backup side, you must ensure any critical information on the mobile device is backed up, and then taken off the device as it is subject to loss. The device is treated as a data cache, instead of as a final repository. And if it is a final repository, you must make sure you do back ups and have an archive that stores the information.

Is Symantec working with carriers to provide security on mobile networks?

Yes we are working with carriers. And when you think about some of our offerings – such as our anti-spam or our e-mail scanning products, we are installed on carriers and service providers all over. We deal with a tremendous volume of e-mail.