Interview: Patricia Sueltz, CEO of SurfControl

I am surprised just how petite Patricia Sueltz is. I had in my mind's eye some kind of Hollywood power CEO, fast-talking and thoroughly impatient.

You know, tapping my voice recorder, laughing at my questions, possibly taking messages from flunkeys and tending to at least two BlackBerrys.

After all, these chief executives, they're busy people, and Sueltz is only in London for a flying visit.

Instead, the BlackBerrys are left alone and no flunkeys are to be seen.

The conversation is polite and Sueltz, who took over the top role at Californian-based SurfControl in July 2005, is giving me her fullest attention.

Since getting her first job putting in cables for the old Pacific Bell telephone company, Sueltz has followed a steady path to the top via multiple roles at IBM, Sun Microsystems and, most recently, with customer relationship management software specialist Salesforce.com.

She claims to still have her "climbers" and, at 53, Sueltz, who is half Japanese, looks fit enough to still use them. She boasts she could still row 5,000 metres - although perhaps, she admits, a little slower than she used to.

She left Salesforce.com after only a year, pocketing severance pay of US$650,000. So after the same period with SurfControl how are things shaping up?

"It's the most fun I've ever had," she says, although she is quick to admit that she has been known to say that about many of the positions she has held. Her career has seen her work with some of the great innovators and change agents in IT: Marc Benioff, Scott McNealy, Ed Zander, Mike Lawrie and, of course, Lou Gerstner at IBM.

Sueltz took up her current role at a time when there was some criticism of SurfControl. "There still is," she says, bluntly. "We've been involved in a turn around. We needed to refocus and revitalise the company. There had been two years of flat or declining billings."

She was not taking any chances, either. Her recruiter was forced to sweat several months for his commission as Sueltz made sure she was, in her words, joining a "Bentley company". "Although I found good products and great people, I thought we needed to do some work in terms of operational excellence and scaling the company infrastructure and leadership, to give direction," she recalls.

Sueltz is keen to insist that nothing should be taken away from her predecessor, Steve Purdham, the co-founder who turned SurfControl into a US$100 million company and remains as non-executive director.

"I don't know many people who could have done that," she says, "but what I do know is how to scale it. We've spent the last year going through a very tumultuous time. We need to rebalance the types of skills we have. Customers have told us that we were a great company with great products; we were nice but we were confused, someone said, 'SurfControl is a soft company in a hard world.'"

But being harder means making tough decisions, especially in an industry that is getting more competitive and starting to swim in bigger pools.

SurfControl had to restructure and that meant job cuts.

"Yes it's rough and I don't take any great pleasure out of losing some 25% of the team. These aren't bad people, hey're just at a different point. But then you refresh," she says. According to Sueltz, the problem was that SurfControl had been under performing and its message to CIOs and info security professionals had been lost. That is now changing, she claims, and brand recognition is improving.

"The most amazing thing is how good the products were and are. I also learned what a fabulously resilient team we have, to go through all the change and still grow and move the company from a negative four per cent billings to a positive five per cent," she enthuses.

"I'm not doing back flips over single digit growth, but the fact that wecan move almost ten points in a very quick time during six months of complete change is really something that buoys one's spirits and says,'what a fabulous place to work'."

That restructuring is now largely completed, and the business is confidently predicting double-digit growth for 2007.

It's not the first time Sueltz has been at the heart of change. Early on in her career she worked closely with Lou Gerstner as IBM performed probably the biggest transformation in IT history. She still remembers that period of tumult, when no one really knew what the outcome would be. "Lou laid off 210,000 people. Now, that was awful. I was sitting in the eye of the hurricane, but my friends were being whipped around. There was so much going on. I think he had to trust himself and learn everyday, but he stood tall."

She says she has learned a lot from all the people she's worked with.

Patricia Sueltz, CEO of SurfControl

At Sun the power of innovation, at Salesforce.com brilliant marketing.

"Marc Benioff took a concept that most people didn't get and built acompany around it. That's fabulous," she said.

"But the most important thing to have is a vision. It's not enough to just say, 'here's my vision'. You've got to drive it by talking to customers and partners, finding out about things that are happening, and then knowing where you are and sorting out where you'd like to go."

And what not to do? For Sueltz, not having a vision at all is worse than having one and failing to achieve it.

What then, after a year in the infosec business, is her vision here?

What does she see as she steers SurfControl forward? For one, she has noticed a degree of ignorance at the top.

"Two years ago, you could pick up the general press and read, 'the security thing is fixed.' I can't tell you how many top executives I've met who say, 'well, I have a firewall', not realising the insidious nature of threat management, as well as security at large. A lot of folks thought we'd cured it. Things are changing, and the market is changing to reflect better awareness and avoid over simplification.

On the other hand, Sueltz acknowledges that there is a growing body of CIOs and CEOs who both need and want to understand security. "They have to be in control of their information. Wherever it is, whether it's inbound, outbound, within the enterprise. They want the levers to manage those points of vulnerability and ways to monitor what's happening," she says.

She is dismissive of those who rely overly on the physical or the appliance.

She recalls an episode at a large insurance company in New York. "It had taken us a long time to get in because of physical security after 9/11. But at the end of the day, as we left, the security guys said, 'don'tworry, we never check anyone on the way out.' That's exactly the problem: do you know what's leaving with your information? It hadn't occurred to them. Everything was set up to stop things from coming in."

The mention of 9/11 opens up a new avenue in our discussion: cyber terrorism.

This is an area that some info security specialists simply dismiss as low priority, even scare mongering, but not Sueltz.

"It used to be mischievous to try and show the Department of Defense you could get in and funny up their website," she says, the joke's over now.

"There are certainly instances of cyber terrorism that we don't even know about. We don't know what it means to have gone through a cyber terrorist attack. It could be very disruptive to the world's economy. I'm not trying to pick up on an emotional chord, but there are probably cyber terrorist cells inside companies, I don't mean some disgruntled employees ..."

Meanwhile, the economy and the business of information security carries on. Part of that has been SurfControl's acquisition of BlackSpider. This is the first tangible sign of an aggressive growth policy and the company's first land grab in the consolidating world of IT security. For Sueltz it was all about filling some gaps in SurfContol's offering.

"What we didn't have was the variable approach to security that our customers are now asking for. They want multiple ways to check different types of incursions and escapes, and better information management," she explains.

We set the strategy in February, we looked at organic growth, in organic growth and partnerships. We checked out gaps and relationships relative to serving our shareholders better.

"We had announced that we were going to do it around two years earlier, but failed to deliver on the promise as fully as we might have. So(buying) BlackSpider made sense. We looked at all the managed security services providers, the on-demand security service providers, and I'm convinced we picked the best one, with real class-A talent and great artificial intelligence technology."

The acquisition is still quite new, but will the BlackSpider brand still be around in 12 months' time? Sueltz's answer contains mixed messages.

"I suspect we'll come down to some simpler forms," she suggests. "We've got registered rights to MailControl and WebDefence.

I kind of like it and it makes good sense to me. Right now I don't mind calling it BlackSpider. People know it, it's got great name recognition."

Given what's happened so far, it's clear that SurfControl is not going to stand still under Sueltz. It's not about to be left behind in the coming rush to grab bigger pieces of the infosec pie. The hard bit's been done, the stage is set for growth.

"You see EMC making some moves, you see us making some moves, you see Secure Computing doing the same. Now, there clearly is some consolidating happening, but there are real opportunities," says Sueltz. "In 2003, there were a lot of folks saying the sky's falling in. But(according to SurfControls' studies), if you added up the different rounds of funding, new companies started, those that got to initial public offering, firms that went out of business, we saw something like a net gain of nine companies in both 2003 and 2004." The trend accelerated in 2005, she adds, when there were 70 more computer companies by the end of the year.

So, despite the pressure to merge and grab market share, the market will always go through its natural cycle. As the large space gets eaten up, along come new players and innovators at the bottom.

Sueltz agrees, "innovation doesn't just come out of nothing. Napster came about because of peer-to-peer, and from that followed threats to peer-to-peer, and so people keep innovating. What you get is a flurry, you generally see some type of aggregation, and then you'll see desegregation again as there's some new innovation and someone takes off."

All this means, you can't rest. Being bigger means you have to work harder.

In a previous interview Sueltz was quoted as saying she agreed with Intel chairman Andy Grove when he said that only the paranoid survive.

"You cannot rest on your laurels, true," she concedes. "But nor do I live in fear of the future, oh my God, this is going to happen, can't do this, can't do that. But history has shown, it's not just the big guys that squash the little guys. There are a lot of things coming through that eat from underneath. It's important to realise that you never win.

Businesses come and go, and the ones that can last several generations and continue to grow are actually quite unusual.

"So it's really about building that longevity, the people who do that tend to be always looking for that constructive criticism, standing back, looking at it and saying, okay what do people really think? So I like to push in everything because I think those who are paranoid to a healthy extent survive," Sueltz continues.

So has she, in a healthy way, become more paranoid in the information security business? Does she think it's even more competitive and can she survive? Her answer shows someone who thinks beyond industry niches.

"I believe it is, but I've found that it's been exhilarating. Everysolution brings me problems, or new challenges, and I just think that's part of life," she muses.

"And so you have to be at the ready. Any time I've seen a company or department think they've got it, you know what? They haven't got it. The world changes, and quickly. It can be a generational change, it can be a knowledge-based, it can be a technology change, but look how fast it is changing."

When she was 47, Sueltz's father died of cancer, an event that made her realise that, despite a career built on making things happen, there are some aspects that we simply cannot control. "We forget that we're not invincible and how we are powerless on some of the stuff. Things happen," she says.

It's no surprise that she cites her father as a great influence and mentor.

"Do the best you can, admit when you're wrong [and] don't lie," is how she describes his advice. But when pressed on those CEOs she has most admired, she plumps for a surprising choice. The list of names from Sun,IBM and Cisco is mentioned, but at the top of the list is the Victorian British philanthropist and confectionery magnate, Joseph Rowntree.

"Rowntree thought about building communities for his workers at a time when most people did not consider care of their employees. I think that took a lot of courage. I like to see people who've taken that type of interest in the community and their employees get something better," she says.

It's noticeable that none of her heroes are women. Probably the most famous female CEO in IT history is Carly Fiorina, who after a glorious start proceeded to fall out with Wall Street in a big way. Sueltz mentions the former HP chief executive (who now sits on the board of CyberTrust) in passing, but for her, gender plays only a small part in decision-making.

"Being a CEO is a hard job, no matter who you are. Does gender make a difference? I think along the way there probably have been some differences. I've been very fortunate in getting some terrific mentors, men and women, who have made a tremendous difference for me," she says.

It's quite possible that Sueltz is on her way to becoming the second famous female CEO in IT history with SurfControl. For her, the task in hand is really quite straightforward. Give shareholders value, build agreat place for employees to work and put out products that keep customers safe, in that order.

"When we do that, how much better can it be? You give return to those who've invested and we have fun while we're innovating," she says.

Almost as easy as laying telephone cables, really.

ceointerviewofsecuritysurfcontrol