Webroot’s big cloud gamble

Anti-malware vendor Webroot has bet the company on cloud.

In October of last year, the company stopped selling packaged software and moved to a software-as-a-service (SaaS) model. CEO Dick Williams says the switch improves the customer service model and takes the burden of managing updates off of the end user.

Will that approach help Webroot grow in the ultra-competitive software security market? As part of our ongoing IDG Enterprise CEO Interview Series, IDGE Chief Content Officer John Gallant spoke with Williams about cybercrime, the company’s move to SaaS, expansion in the enterprise space, and more.

John Gallant: What is the unique positioning of Webroot in the security market? What makes Webroot different? We’re taking all the work and hassle out of security, for individuals, for groups of individuals and larger groups of individuals. If you think about it, the security industry is really a lousy business. It’s a miserable business in a lot of contexts, but mostly from the context of the actual users, the people who are supposed to be benefitting from it. The security industry is a big industry and yet what’s the fastest growing industry in the world?

Dick Williams:

I assume it would be computer crime.

Cybercrime. It’s actually the fastest growing industry in the world, and it’s already larger than the security industry in total. And so there are more bad guys now than ever. There’s more loss. There’s more malicious activity going on. . So you step back from it and you say — hey, wait a second, we’re doing something wrong. The motivation now for a criminal to go online as opposed to stand in front of the bank is pretty significant, because the likelihood that they’re going to be able to achieve their aims with a very low risk is very significant.

That tells me that the security industry is doing something fundamentally wrong.

[Also read Is cloud-based security really cheaper? on CSOonline.com]

It starts with the basic premise that the security industry, particularly the software security industry — that it’s the user’s responsibility to ensure that they’re well protected.

I’m going to give you a firewall that’s going to be very chatty. It’s going to be constantly asking you — should I allow this or shouldn’t I allow this? Most of us haven’t got a clue, you know. I don’t know if I should allow that or not. It’s a name that I don’t understand. I could block them all, I could look it up someplace but I haven’t got time to do that. So most people just click, click, click. You have to keep it updated, and the updates are mammoth.

And yet if you step back from it, the updates aren’t really protecting us because the threats themselves have changed fundamentally. The smart guys understand how we protect. They understand how we do things, they understand that it’s fundamentally dependent upon us detecting a threat, then decoding it and then creating a signature and pushing that signature out. So most of your threats today are polymorphic threats, and they’re very targeted threats. So it’s a much smaller population that each one is targeting and [as soon as] they get through, the threat appears differently. And I’ll guarantee you that nobody in this industry can create a signature and get that signature pushed out to all of their endpoints in less time than that. So why bother? Okay? And then the inevitable happens and you get infected. You contact one of us within the industry, and the response is — well, you must have done something wrong, and for $100, $150, we’ll clean you up. I mean that’s a fundamentally broken model.

With everything prior to October 4th of last year, we were just like everybody else. We did things the same way. We licensed our antivirus engine from Sophos, up through October 3rd we were Sophos’ largest OEM customer. And we said — hey, wait a second. There has to be a better way. We have to take that burden off the user, assume that burden ourselves, and provide a solution that really is all encompassing for the user and doesn’t compromise them, doesn’t hassle them, let’s them… So that’s the basic premise and the fundamental difference in the way that we do things. So today now, we provide a single technological platform and a single solution across individual users, groups of users, to large groups of users. It’s fundamentally a very lightweight client in cloud implementation and doesn’t fundamentally rely upon signatures and certainly not signatures on the endpoint. So it fundamentally is looking for behavior and doing that analysis continually in real time to provide a level of protection that is previously unseen.

So Dick, when you say “looking for behavior” what do you mean?

Looking for the behavior of file activity on your system and asking ourselves — does that behavior reflect good actions? Or does it reflect the actions of malware? So step back a little bit. Prior to October 4th, we were literally like everybody else. We had a very heavyweight desktop solution for consumers and then we had an enterprise series of products for email security, archiving, web filtering and then a business endpoint protection product, but they all were the same fundamental premise as everybody else. We used behavior analysis to a degree, but it was integrated within a signature-based solution.

And very dependent upon heavyweight clients on the desktop. The typical client on the desktop today is 400 to 500 megabytes. That’s why your PC is so slow to start up, every time it does a scan you get bogged down and you can’t get the activity you want, and you’re very dependent upon constantly pushing those signatures out to the endpoint. Symantec and others take great pride on the number of signatures they create every year, which they should take pride in, but you bear the burden of that.

Right.

What we do today is our client literally is 640 kilobytes. Yet it’s a very smart client, it downloads and installs in four seconds, does a complete in depth scan of your system, a total system scan in two minutes or less. In that period of time, it classifies every file on the system. What it does is it creates a hash of every file, sends that to the cloud, looks and determines — is it known good, known bad or unknown? If it’s known good, lets it go, lets it run. But it looks at that specific hash on a continuing basis, so if that file changes we know we have to look at it again. If it’s known bad, we eradicate it and we let you know that. If it’s unknown, we create a sandbox in your system and let it run in that sandbox. And then we observe the behaviors of that and do a hash of those behaviors, send that to the cloud — known good, known bad, unknown again. And it’s behaviors fundamentally that we’re looking for and that we’re protecting against. If it’s unknown still, it could be a program that you created yourself. We’ll let it continue to run in that sandbox, but we continually log all activity that that file does, whether it’s registered changes or anything else, so that if you or we determine at a future point in time that it’s bad, we just roll it back, rather than requiring a complete system reimagining.

It’s amazing to me, having come to the industry seven or eight years ago, that companies today literally budget for reimaging systems.

You stand back from that and say — wait a second, something isn’t working here. Because that shouldn’t have to be the default. That ought to be a rarity rather than a common everyday occurrence. And yet you take a look at enterprises and the cost of security and the cost of managing and maintaining that security, it is extraordinarily high today. Consumers are increasingly giving up on it and they don’t see any great differentiation amongst the various providers because everybody is getting infected. And so increasingly they are going to the best default free solution, which is Microsoft. Okay? Enterprises have no choice. Enterprises have to protect themselves because the cost of an intrusion is so great and the liability of an intrusion is so great. And there’s no CIO or CISO in the world that is willing to go to a CEO and explain how much money he saved by going with freeware now that he’s been compromised. And I read an article yesterday that in effect said — CEOs are not really that aware of the threat in security, and it’s not top on their list, which is surprising in some ways, but when you think about all the things that a CEO has to deal with and you think of all the things that a CIO has to deal with, it’s one of many. So increasingly, it’s being treated as a cost. You ought to be able to take that cost away.

Where do you stand in migrating customers? How many of them are using this new approach and how many are still on packaged software side of things?

October 4th when we launched our Webroot SecureAnywhere consumer product offering, we made a 100% shift from the packaged software to the new online SaaS-based security solution.

So you brought packaged consumer customers over to that solution?

Yes. So we immediately quit selling the packaged product solution. In our 2011, what we called Version 7 of the product, we discontinued as of that day. We quit selling it, and the only thing we sell are Webroot SecureAnywhere consumer products, which is 100 percent cloud, 100 percent Saas solution, for individuals and groups. For existing customers, about three-quarters of them are migrated over. If a customer calls with a problem associated with a pre-existing or a legacy product, rather than fixing that, we merely migrate them.

Makes sense.

I know that’s not typical, but from our perspective that made the most sense, because we frankly had to stand up and admit to the industry that what we and everybody else were doing wasn’t working anymore. Once you come to that conclusion, I think you’re forced to immediately migrate everybody to the new. Okay? And so we’ve been doing that just as rapidly as we can contact those customers and get those customers to make the migration. At the end of the day, I can’t just turn the bits on them, but now that they’re in a cloud they’re updated every second, every hour of every day. And they don’t have to worry about it. And there’s no longer any signature files to push down or anything else.

We discontinued our email security line of products at the end of last year. And we did that simply because that whole landscape is changing dramatically. Increasingly email security is being provided by the email security providers, so that industry is rapidly commoditizing and consolidating, as it should. And we felt that the real value add that we could provide is much greater in terms of total endpoint and web protection as opposed to email security protection. So we discontinued that and we’ve been assisting those customers and those partners over to whatever solutions they want within the industry.

More IDGE Interview series

• Oracle’s Hurd brims with confidence about SaaS, social and cloud (networkworld.com)
• SAP co-CEO Bill McDermott explains its five-market focus (computerworld.com)
• Chevron’s CIO talks transformation and why IT leaders should smile

And then in February, we introduced the Webroot SecureAnywhere business endpoint product, which is a superset of the consumer product. And so it adds all of the administrative functionality and so forth that you would require from an enterprise class solution. So what we have now today, for the first time in the industry, is a common technology platform in a common product solution all the way from individuals to groups of individuals to large groups of individuals. Very much like Salesforce did when they came to market. If you remember Salesforce, they came to market focusing on relatively small workgroups or small companies, but the way that they had architected their solution was that there was no right-hand endpoint to it. So on that same common platform and solution, they could handle any size customer. That’s exactly the way we’ve architected our solution. So come February 13th, when we released our business endpoint protection solution, for all intents and purposes, the consumer product came free. Because it is a complete subset of the business solution.

Now, I am fully aware that everybody tried that in the past — Symantec, a lot of good people tried that in the past and failed. Nothing against them, it’s a different point in time today. The threats are different, the malcreants are different, the technology is a whole lot more advanced today and you’ve got the cloud. For a true cloud implementation, what everybody else is talking about in terms of cloud, whether it’s Symantec or anybody else, I call cloudwashing. Because it’s not a true cloud implementation, you know, it’s using the cloud as a storage or distribution mechanism, as opposed to the real intelligence. Our solution today is a data driven, database driven solution, and ultimately it’s that data that becomes the most valuable commodity.

For an enterprise, if someone — say a senior IT executive is unhappy with their current security solution, why is this the right approach for them to take right now?

Several reasons. Number one, it provides you a higher level of protection.

Higher meaning what?

A better level of efficacy in terms of detecting and blocking particularly new forms of malware. So that’s number one. Most enterprises though will make the decision based upon total cost of ownership. You guys understand that one really well, because of the CIO and things of that nature, is that the total cost of ownership for any security solution is far beyond whatever that licensing fee is. Because you’ve got administrative costs, you’ve got dedicated service associated with it, you’ve got the constant problem of updates to the software, but then also to the signature files as well. I tell people that Symantec, in fact, is our best advertiser, a) because they’re so big, you know. But every time they push a major signature or a client update, enterprises go crazy. Increasingly, enterprises won’t even update until they’ve thoroughly tested it. The week before we introduced our business endpoint product to the market place, Symantec pushed a 137-megabyte endpoint update to every endpoint. Two weeks later we got our first 12,000-[seat] license, which is above the targeted market that we’re going after today. And we got it simply because that 137 megabyte was 1.6 terabytes to that enterprise. Melted down the network. Ten percent of those endpoints didn’t take. Think of the cost they had to do to go back in and re-engineer that ten percent of endpoints and reimaging many of those systems.

With Webroot that just doesn’t happen anymore. All of that is gone away, because it’s all in the cloud. Now, as well, you can administer our entire system from any endpoint across your entire enterprise. So the administrator can be anywhere coming from any device and administer all of that through a common portal down to the individual endpoint or groups of endpoints and across the entire enterprise, determine which of those they want to allow in the network, which of those they want to remove from the network. They can determine what applications of software is allowed on each individual endpoint. They can increase or decrease the security setting of any individual endpoint. They can see the current status of infections across their entire network and know exactly who’s infected, who has been infected, not just for your standard PCs but for your mobile devices as well. So that’s a significant cost reduction. You don’t have a dedicated server anymore to do that kind of thing. Service-as-a-support we do now through the product.

Let me back up. When I joined Webroot a little over 2-1/2 years ago, we weren’t a technological innovator and we didn’t have the best reputation for service-as-a-support in the industry. I’ve always felt that if you’re in the technology industry that’s highly competitive, you have to be the technological innovator and you have to provide the best service-as-a-support, period. Or else sooner or later you’ll get overrun or you’ll deserve what you get. And so the first outside hire I brought onboard was Kent Sieckman who had created the best service-as-a-support operation in Web application management in the industry at Wily for me. And I gave him the charge, said — make this the best customer service-as-a-support, bar none, in the industry. He did that at great cost. When we introduced our 2011 consumer product offerings, we couldn’t add tech support reps fast enough to handle the workload. Even though it was the highest quality release we had ever done in the company’s history.

Right.

We added I think 55 contractors on top of ramping up our actual tech support people and still we couldn’t keep up with the demand. Our average wait time was 2 to 2-1/2 hours. That’s frustrating, both to us and to the consumer. When we introduced Webroot SecurityAnywhere consumer product offering, we in fact have taken our call load down dramatically. The reason for that is twofold. Number one, it is a fundamentally superior product, totally different solution, but we also do our service-as-a-support through the product. So if you think you have a problem, whatever it may be, you don’t have to pick up the phone and try to call us, try to get through our lines. You don’t have to send us an email and hope we’ll respond. Instead you send us a message through the product.

As soon as you have sent it, we capture the complete status of your endpoint, the version and release level of every piece of software on it and take a complete log, send that log to the cloud. Any one of our threat researchers or tech support reps around the world then can immediately get on that and work to analyze, diagnose and solve it for you. Most cases they have all the information they need in order to diagnose it and solve it and they merely send you a note saying it’s done. Now when they fix that, whatever it is, whether it’s a virus or whether it’s the product just isn’t working like it ought to be working, it’s fixed not just for you, it’s instantaneously fixed for every other endpoint in the marketplace. So that has fundamentally changed the customer experience.

What percentage of the business today is consumer versus enterprise?

Consumer today is still about 75 percent of the business, 70-75 percent of the business. Enterprise is 15-20 percent and strategic alliances is 10-15 percent.

And how is that mix shifting?

It’s rapidly moving to enterprise and strategic alliances.

And what are strategic alliances in this respect?

Partnerships with major other security vendors in the industry. So what we do is we license, fundamentally our malware information, to other suppliers in the industry. People like Palo Alto Networks, F5, Microsoft, where we’ve crafted a strategic relationship with them. And my commitment to them is everything I license to them is strategic to us, not just because they are, but because it’s fundamental to what we’re doing.

So when I talked to you earlier about the single technology platform and single product solution across the whole, it’s true for consumers, enterprises and strategic alliances, and so one is a derivative of the other.

Does this change the game for you, moving to the cloud? Does it change the competitive set that you’re up against?

You bet.

And is part of the strategy to make a bigger play in enterprise?

Absolutely.

Okay. So how does the competitive set change? Who do you think you’ll be competing with now versus the standard landscape of security companies that folks know?

It’s still Symantec and McAfee predominately. On the enterprise, it’s less Kaspersky than it is in the consumer marketplace. It’s still Trend, but you don’t see the AVGs and all of those guys in the enterprise.

I want to discuss a couple of big things that are on the minds of our readers and things that we hear about all the time. You talked about your evolution to the cloud, they’re making the move to the cloud, how do you help enterprises deal with all of the additional security challenges that come with using all kinds of infrastructure platform or software-as-a-service providers?

Well, what we try to do is we try to keep the solution very focused and as simplified as possible to take that work from them. So our focus for the enterprise is very explicitly focused on business endpoint protection and Web filtering. They get benefits beyond that, but we’re not trying to take over their total infrastructure management or their storage management or any of that kind of thing, in that we are very much a pure play security company and keep that focus very, very narrow.

One of the things that comes up in that context is identity management. Is that a target area for you?

Absolutely.

What’s your strategy there?

Well, we focus on you, the individual user, whether you’re a consumer or whether you’re a user within an enterprise as opposed to device protection per se. We began that shift with our consumer products in the 7.0 2011 product offering, focusing on your complete support. So identity management is a big part of our investment today, and full anti-phishing support and further automation of that and things of that nature as well.

Let’s talk about mobile and the whole bring-your-own device and consumerization of IT, which is a huge trend that our audiences are dealing with. Why are you guys uniquely positioned to help people deal with that challenge?

Mobile is a huge challenge. We’re uniquely positioned because of our focus on the individual, realizing that the individual today accesses the Internet via a variety of devices, and we embrace the bring-your-own device. I mean you can’t fight it. The technologies are good enough now and the users are sophisticated enough now that they find a way to hack in regardless of what the CIO policies may be and so you better find ways to support it. So today we provide support for iPhone and Android, and we’ll be providing support for Windows phones in the future as well. But that, from an enterprise point of view, will be integrated with our business product offering this summer, so that you can manage all of those devices, along with everything else from a single portal within the cloud. And then do that consistently across the whole, applying the same kinds of processes and procedures that I talked about earlier.

In an article late last year, I saw a comment made by a guy named Chris DiBona at Google — that companies (and I think he specifically mentioned Webroot and others) selling antivirus and malware protection for mobile devices are charlatans and scammers.

What did he mean by that?

What he meant was that it’s too immature a market and that these products don’t work for these mobile devices yet.

I think that in general, if his accusation… He could make that accusation across antivirus and anti-malware in general and be accurate in the context that we talked about earlier. And that the solutions that the industry has been providing fundamentally no longer address the type of threats that are out there today. So in that context, I think it’s right. In a context specifically on mobile, I think that’s overblown by quite a bit. There are a lot of good mobile antivirus, anti-malware solutions out there, and a lot of different providers that are providing those. The thing that is lacking more than anything is a full integration. Mobile is a rapidly evolving marketplace, it’s a rapidly evolving attack vector, for all sorts of scams and will be increasingly so in the future. And Google of course will be one of those perpetrators out there that’s trying to spam your phone with advertisements and everything else. And so the mobile user and the enterprise in particular needs better protection against that. There are a lot of guys trying to do that. There isn’t anybody that has a complete integrated solution yet and I think that’s essential.

I’ve seen another quote to the effect of “Win the sophisticated consumer and businesses will follow.” What does that mean?

If you think of our target markets, our target markets today are what we call influential enthusiasts on the consumer side, the people you just mentioned, and then what we call cloud committed enterprises. So they’re small and medium enterprises that have experience with the cloud already, so they’re using Salesforce, they’re using Workday, they’re using SuccessFactors, they’re using somebody. And so it’s not a big shift for them. There’s incredible crossover between those influential enthusiasts and those cloud committed enterprises. They’re [heavily] populated back and forth. And that’s really what we’re talking about there, is that increasingly for small and medium enterprise, and even in some cases enterprises, their first test will be with your consumer product. In our particular case, that’s a reasonable test because it’s a subset of the business product. If he was trying to do that with Symantec or McAfee or anybody else, that’s no test at all because they’re a totally different product, totally different architecture. And so our press has been to look at them as a totality and make certain that we’re talking to that complete audience.

Let’s talk about two different things. One is the industry landscape and the other is the threat landscape. On the industry landscape first, with security being a crowded market, with customers going through tremendous change in their IT organization, the way they deliver IT within their organizations with cloud and mobile, all that, and with technology going through a lot of change, how do you expect the security industry to change over the next few years? Do you expect a lot of consolidation? Is this going to weed out a number of players? What will it look like?

That’s a very good question. I think that in terms of the consumer marketplace, we’re beginning to see a commoditization of consumer security software. If you take a look at the consumer marketplace, in particular the retail consumer marketplace, the overall sales for the category are down 25-35 percent year on year. And that’s true whether you look at individual companies or whether you look at Best Buy or anybody else. And when you go out to the major providers, whether it’s Best Buy or you name it, you’ll find that the shelf space is rapidly shrinking. Part of that is more buys going online, but a big part of that is I’d call commoditization. Since Black Friday of last year, we’ve seen a level of discounting within the security software marketplace on a continuous basis that is unprecedented. And that’s, of course, in direct reaction to those lower sales. A part of that, of course, is the increase of tablets and smart phones and people looking at those differently than they look at their PCs.

And not necessarily seeing the need for at least the same level of security protection, if not greater, on those devices. One of my good friends was a key architect for me in one of my previous companies, and he’s founder and CEO of a very significant cloud company. He has a new Android phone over dinner three months ago, and I asked him if he was protected. He had no clue. So that’s a part of it, because the industry has been very dependent upon new PC sales for increased sales overall. That tells me fundamentally the industry is not an innovator. Okay? It hasn’t been focused on unique value add to the end user or to the corporation. Because if it was an innovator, then the industry would be able to grow regardless.

Number two, their reaction then is price reduction. That’s a race to the bottom. When the reaction really ought to be is — hey, wait a second, what’s the problem? And the problem is we’re all living through the worst recession any of us have ever experienced, number one. So we’re making tradeoffs. Number two, there’s no differentiation. Everybody’s getting infected. When everybody’s getting infected and there’s no differentiation, why should I be paying for this from Symantec or McAfee or Kaspersky or anybody else when I’ve got a free solution, but not just a free solution, a free solution from a very credible manufacturer with Microsoft? And it’s a very credible solution. Microsoft is doing a very good job and they’re very focused on making that problem go away. And so I think the major beneficiary has been Microsoft. The second major beneficiary has been Webroot. Because it is dramatically differentiated, a better solution and consequently since October 4th, our net promoter scores have gone from about 35 percent to 58 percent, the highest in the industry today. McAfee is in the single digits, Symantec is below 50 percent — 45, 48 percent, in that range, and everybody else is below that.

So there’s a differentiation there. Number two, in terms of NPD data, we’ve gone from about 9.5 percent to about 18 percent of the market.

NPD data?

Retail, across all the retailers in the marketplace. In terms of the Best Buy S2 program, we’ve gone from about 14 percent to about 26 percent of that program. We’re taking share. So there is some differentiation that’s going on. That’s going to take us a while. So I think there is commoditization of the consumer marketplace. And that will have to evolve to a consolidation within that sector, I think. Because I still don’t see a lot of innovation going on.

On the enterprise side, I think the enterprises will be looking for more complete solutions that address not just security, but do that in an affordable way for the enterprise. That take more of that burden and management from them and eliminate that. That plays to our strengths. It also plays to the strengths of integrated solution providers like Palo Alto Networks and Fortinet and people of that nature. And, of course, that’s one of the reasons that we worked so hard to partner with those guys.

What about the threat landscape—what should people be worried more about today? What are the things they’re not thinking about that are on the horizon that should concern them?

Phishing, all the smart phone and mobile devices, and social networks.

The cybercrime marketplace has attracted a lot of really smart people. And they’re constantly innovating. They’re innovating at a rate much more rapidly than the security industry is innovating. And consequently, the bright miscreants increasingly mine the totality of what’s out there—the passwords that are stolen from this company today, combined with information from social networks and information from other places. So I think people really need to be increasingly concerned about the totality of the way that they’re interacting with the rest of the world and how, in fact, smart people are putting all of that information together. Google’s putting it all together, Facebook’s putting it all together, the criminals are putting it all together.

Talk about your acquisition strategy. You’ve made a number of acquisitions, including Prevx, which has really driven your cloud strategy. What’s the strategy when it comes to acquiring versus building?

There’s nothing on the horizon that I see right now that I think that we need to acquire, or that I would necessarily want to acquire. Where we were when I joined the company, a little over two and a half years ago, was we owned little of our own core IP and hadn’t been a significant technological innovator for a long time. Now I’ve already said that the industry hasn’t been a technological innovator, so I think the company probably looked at it and said — well, why is it important? I think it’s very important. So we went from owning none of our core IP to today owning all of our core IP. And by the end of the year, we’ll only be shipping our own IP. There were two critical acquisitions that we did there that we felt that we would be best off acquiring rather than trying to build ourselves. The first was Bright Cloud, which was URL reputation and classification. We were licensing that at the time from Secure Computing, which was a reasonable solution, the data had been acquired by McAfee. And that was one of those areas that I felt was core that we needed to own ourselves so that we could dramatically extend it in the future. We added then, since that acquisition, real-time IP reputation and classification and now we’re building a complete automated anti-phishing solution as well. Fabulous team, fabulous technology. That brought with it the key strategic alliances that we’re focused on today, and it was that acquisition that focused me on… Previously the company had done what I would call opportunistic OEM deals, revenue-driven kinds of deals, and we were rapidly getting ourselves out of those. And originally I intended frankly to shut down the OEM business that Bright Cloud was doing. But when I called on those customers, I was blown away by how well they rated both the technology and the team and how important they felt that was to them, even though they could build it themselves. I mean Palo Alto Networks, Nir Zuk, he can build anything he wants to build, a very bright guy and would like to build it all. And yet he saw a benefit from acquiring it from Bright Cloud. As I looked at that, it’s a better test as to how good our technologies really are. The marketplace is a good test, but it’s not a complete test, whereas providing that to strategic alliance partners who could either create it themselves or buy it from anybody, is a real test.

Right.

So I concluded that that ought to be a strategic business for us and so that was critical there. Prevx, you know, Mel Morris, a great team, great technology. From the time I joined, I felt that we needed to rearchitect ourselves to a client cloud implementation. And I frankly didn’t believe that my existing teams, as good as they were — I had two, consumer and enterprise, and my existing CTOs, as good as they were, could ever make that leap. Because it is a fundamental leap, not just to that but from signature based to behavior based — a huge leap. And at the end of the day, they didn’t believe at that time that any of those solutions could work. So we looked at every one, and concluded that Prevx was by far the farthest along and the best team by far. It wasn’t a complete solution. They were marketing it as an additional layer of security. And they had some unique advantages because it could run underneath any other security solution and not conflict with that security solution, one of the few in the marketplace that can do that. That we’ve retained, because that’s fundamental in the enterprise marketplace. The enterprises always want a trial. They don’t have to eradicate their existing solution before they trial this. It’s particularly important when you go to Windows 8. Because Windows 8, the security is always there. So you have to find a way to cooperate with that and we fundamentally cooperate with that and hence we’re already certified. So those were benefits. But it was essential that we integrate that with everything else we’re doing and dramatically extended it and the team has delivered amazingly well. We have not lost a single person there.

A couple more quick questions. So you’ve led a number of companies over the years and sold a number of companies to other firms. Is that a likely outcome for Webroot?

I don’t know. I’ve taken some public too. And I think this is one that has great legs to it. I’ve never looked at an opportunity and said — well, this is one I’m going to build up to sell. There were a couple of companies in there that I went out deliberately to sell because of the points in time that we were. The rest of them, it wasn’t that intention at all. My belief is always to build something that really matters that has huge value to your end users, to the marketplace you’re trying to address, that is scalable and is enduring. Good things will happen when you do that.

What’s ahead? What should we expect, say over the next 12 months from the company?

You can expect us to fully flush out our business solution, to extend that, to make that a more complete solution and hence more attractive to enterprises, larger enterprises as well.

Complete there meaning what kinds of things?

Such things as authentication and integrating into their identity management and authentication solutions and providing more complete manageability across the whole. Here, I already told you in the next couple of months we’ll be introducing — we’ll be totally integrating our mobile solutions with our business endpoint solution. You can expect to see us take our Web filtering solution and directly integrate that into our endpoint solution using the same client, things of that nature.

Great. And then the question that we always wrap up with is, so you’re in that elevator, the classic elevator, and you’ve got a CIO in there and you have one or two sentences. Tell them what they need to know about Webroot.

Webroot provides the security that you need at a cost and approach that you can absolutely manage and deal with. The best provider, but also the best partner that you could possibly have. And it takes that security problem from you and puts it on our shoulders.

One of the points that you had made about maximizing the investment, particularly in old technology, and that may be a point to emphasize.

That’s a very key one. You know, our Webroot SecureAnywhere, both consumer and business endpoint, is the lightest, fastest, least disruptive solution in the marketplace. And consequently, we have quite a number of customers that have come back to us now and said — hey, wait a second, yes we bought it for all the reasons you told us, but what we didn’t realize is we can reclaim a lot of those older PCs that we couldn’t use anymore. Because the security solution was too intrusive and too resource intensive to allow us to run on those machines anymore. And so I mean they’re reclaiming PCs that they had intended to go to the junk pile. Because, again, our solution is intended to take the issues away, just eliminate those issues and be the least intrusive in the lightest way possible. And so if you do an actual test, you’ll find that not just the install and boot times are dramatically faster, but the overall resources that we take are minimal, and a fraction of those of any other solution. So there’s definitely that play as well.