Gardner: Windows as it was designed was not secure. Windows itself, and then Windows NT, had a bunch of holes. And now Windows 2000 will introduce new holes, but they are taking steps to improve the level of security. There are just as many security issues actually on Unix and different platforms; I think the focus that Microsoft has in the market really magnifies any security problems. It's always, 'let's talk about Outlook problems.' There are just as many problems with Sendmail on Unix, but nobody talks about those.
InfoWorld: How much of your existence as a company might be owed to Microsoft's inherent weaknesses in these areas?
Gardner: Generally speaking, the vendors of the operating systems and the databases themselves never have the maniacal focus that an ISV will have on really coming up with the tools that make those products much more productive. You might over time have five or 10 percent of the features of your products eclipsed by improvements in an operating system. But generally, the engineers at those companies are working on the fundamental engine, and the ISVs are hiring the best talent they can find and applying them to these kinds of things. It's very rare that you're going to actually compete with the native vendor.
InfoWorld: Is your company going to do anything for Linux?
Gardner: We have our core security product, our BV control product, coming out later this year for both Unix and Linux. That's our very first internal security product for Unix. We have an external security, a hacker's shield product, that basically scans all your servers for hundreds of known vulnerabilities and alerts you to seal those off.
InfoWorld: Do you think most customers have a proactive approach to security?
Gardner: I think we're still in its infancy there. A snake rears its head, and someone finds out, and then they add some security to that particular environment or that application or that function. But some companies are starting to get it. They're thinking about chief risk officers that are sort of independent, to take out the conflicts of interest that you can have in an IT situation where a manager is paid to get an application up or converted by a certain day. If a security guy works under the director in IT, they're probably going to take a security risk, bury it, and hope to get it fixed later.
InfoWorld: Why is security such a difficult task, and will it ever get simpler?