Interview with Debra Martucci of Synopsys, Inc.

Taos: Spam is an issue that's bedeviled many IT organizations. I understand you have a spam solution you are pleased with?

Debra: Yes! We implemented it about two years ago, and we were just in time. A month later and it would have been "I've suffered with this too long. You IT guys are too slow at implementing something and I'm mad at you." I think most IT groups go through this. If you implement too early people don't know what you've done for them. They have no idea that you're quarantining over 240K spam messages a day for them.

We listened to the customers, who happen to be our co-workers and peers, and discovered that there were two problems. One was just the load that people were dealing with. They were starting to come in on Monday morning to an inbox full of e-mail that was nearly all spam. The other problem was the inappropriateness, which was probably more of a of spam problem than the volume people were receiving. One inappropriate email, with explicit content, was causing people to call me. So 4500 people thought that they could call me and say "Hey Debra did you know about this spam problem out there? It is all over the news! What is IT doing about it?"

Implementing a spam solution was probably one of the few IT infrastructure changes we made where we received a phenomenal amount of "thank you" afterwards.

Our solution involved a specialist outsource, and it was one of the strongest wins we've had in quite a few years -- where it was considered a greatly appreciated value that we added to the company.

What is interesting is that as we were talking about setting up the meeting for this interview and when I realized the topic, I thought to myself "wow, is that still a problem [for others]?" This has not been our concern for over two years, which has allowed us to focus on other (much more exciting!) initiatives.

Taos: So before you had this positive experience, you were evaluating different vendors before making your final decision. What were some of the key attributes?

Debra: We looked at various attributes of all of them. As it happens, the eventual winner, Postini, was also a low cost solution even though that was not the major driver at that point. Think about it for a moment. No one really knew how to value the benefit of solving the problem! How many dollars per day would Synopsys be consciously willing to spend to block spam? Because of the quantity and the offensive content of the messages that were insulting to the human mind, we probably could have easily justified a much higher per use of cost. It was that important and it was that hot of an issue.

Postini did a great job. They came in and were open with their architecture so that my security guys could challenge them. "Well what about this? Show me the path. How does it hold? How do you do the filtering?" They were really open to answering all of the questions our team had for them. We also have a messaging team, a networking team, UNIX team in addition to IT Security. Everyone was there, because we wanted everyone to feel comfortable about the solution. All of the questions were asked and we were able to put everyone at ease. Believe me, Synopsys IT is a tough group to get in front of, and you have to prove yourself. You have to defend your thesis to us. And I'm proud of that because it was our reputation that was going to sink or swim with how they executed. So right up front, we beat them up about business continuity. "What happens if your servers crash? What are you going to do?" And every step of the way, because again, they had nailed their core competency down, they made us feel this solution was the right choice.

They also didn't try to take advantage of the world or the state of the market, with pricing that was so low they would go out of business, or so high that they would get undersold later when other companies figured out the technology. We've been a steady customer now for over 2 years.

Quick deployment was the other advantage. This was really key because we got the complete buy-in of basically 4500 people. Postini gives the user responsibility for keeping their own filters tightened up as they see fit, and we got buy-in from our users to take some ownership of responsibility. Now, when they call me to say "It feels like more spam is sneaking in, Debra" there's no accusation - it's more of a partnership of "Maybe I'm doing something wrong here since I'm starting to get a little bit of spam." It's also a good opportunity to take a 'simple user interface' and help the user walk through it. I often find myself saying "It's not that hard guys! I don't care if you're a senior VP, marketing executive, Administrative assistant or R&D Director. I tell them "You know how to use Internet Explorer. You know how to go to this website." I coach them with "Come on. This is not that hard. Take that responsibility." And it's been a very big win. It's both having established a strong partnership with our users and a using the right technology at the right time that has generated such a big success.

Taos: Of the solutions that you examined, were they all on the outsource model?

Debra: Well no, we also looked at in-house solutions. We hadn't really outsourced anything related to our email infrastructure before, and I'm sure we're no different than most IT groups on the challenges of deciding whether or not to outsource services and/or support. The first thing we recognized was that this was not only NOT our core competency, but that we had no interest in learning how to keep up with the latest 'spammer' techniques, keep track of the 'dirty words' to filter out and basically 'deal with this'.

When we asked ourselves the real question of "what are we trying to accomplish? What's our objective?" it became clear that Postini was the right solution for us.

Taos: What percentage of your mail is spam? Eighty?

Debra: Eighty percent is about right. We're looking at the spam quarantine, and the metrics show about 8 Million messages of spam being 'blocked' per month!

The other benefit is reducing network traffic. By outsourcing we keep all that traffic off our network. What we experienced was both a performance improvement on our LAN, as well as a productivity improvement of our employee base, who no longer had to deal with reviewing the large number of emails, deleting what was spam, getting frustrated and as I said earlier, often calling 'Debra' directly to provide feedback!

Taos: And as far as false positives or negatives, is it still working really well for you?

Debra: It's been working well just for the fact we don't see many, I would say I get one or two every six months. And I could add that the few we do get complaints, the filter doesn't seem tight enough. What I have found personally is that I can bring employees to the website and say "gee you haven't set your parameters very high. You got pretty lenient here on marketing opportunities." And sometimes I choose to say "You're awful lenient on sexually explicit stuff. Is this conscious or not?" Now often they forget that when we rolled this out we gave them the opportunity set their own parameters.

And that's when I started tracking what I call "Fan mail."

Taos: Is there such a thing in IT?

Debra: We never thought so! Like I say, that's why I mention the thank you letters. What we were receiving was pretty unheard of in our department.

Taos: What does your provider do with the mail? Do they just throw it away or do they hang onto it?

Debra: They archive for two weeks, and you have the opportunity to look at it if desired. I have a little trigger on my calendar, that says "Debra check Postini and make sure everything is cool". I have never found a business related email that had been blocked incorrectly, and aside from a few newsletters being blocked (never the Taos newsletters!) I have seen no issues.

It's an outsource model, but with this came an easy to use, end user interface. The employees can visit the webpage (most I find have it tagged as a favorite!), log in under their name, and see if something was incorrectly blocked. You can identify a specific IP address and identify what you want to receive. This clearly makes employees feel comfortable that they're in control.

Taos: So could we touch on the cost a little bit?

Debra: Certainly; Postini costs run about twenty three dollars per year, or six cents a day per user. People that delete 30 - 50 spam email a day before they can view their own mail definitely think it's worth six cents per day. The power of that statement to the execs versus the time wasted deleting spam from your inbox is easy to justify.

Taos: And it's cheaper than you could have done internally?

Debra: Not only is it cheaper, I appreciate the fact that my security team, who are technologists with a huge workload, don't have to worry about the most recent way spammers are getting around things. What dirty words do they have to filter out? I've always felt that unpleasant tasks like this are high on the list to outsource; and I am convinced this is the right method to use.

Taos: So what ongoing time is still required as far as managing the relationship with Postini?

Debra: We continue to manage the relationship to understand their approach for new features and how they will handle new threats. Of course we also work with them to understand enhancements to the services that don't impact our cost.

We've worked to establish a good relationship with them because they have to know what changes we make in personnel on a daily basis. The technology allows extraction of SAP HR data for day-to-day attrition and hiring. This is a very well oiled, automated, fairly seamless approach that puts us at ease and works well for us as an enterprise.

Taos: What about emailed Viruses, Spyware, Trojans, etc?

Debra: This is far from purely a spam filtering solution. It's another level of antivirus filtering. We have three distinct layers that result in minimal impact from viruses. The only time we are hit, is when people bring a problem in on their laptop, and I have very little patience with this!

Taos: So that's always after the fact unfortunately!

Debra: Postini uses MacAfee as their antivirus, we use Trend Micro at the gateways, and Symantec on mail servers and desktops/laptops, so we have three layers of anti-virus scanning. When a problem does arise, we then grade the vendor on how fast they put out the signature updates and address problems when they are slow responding.

We've been relatively protected from incidents. For example, not to pick any vendor in particular, but at least once, Postini had signatures built very, quickly and we continued address another vendor and say, "come on, give us your updated solution here!" even though we were quite protected, certainly from any external e-mail coming in. We were able to leverage this in a more competitive spirit that says, someone else has already been able to finish this and protect us against that virus and you haven't.

Just a quick glance from the virus logs in the last seven days I noticed almost twenty thousand viruses were quarantined at the gateway. At one point before we had this implemented I had my boss call me into his office to tell me that Yahoo was reporting a virus that was hitting the internet and my team didn't know about it; we were behind the ball.

Taos: It's a tough problem and it looks like you guys have found a very simple solution.

Debra: I think it's another example where it's important to remember we're buying a core competency to solve a problem. If you forget that and start to think that the solution should be broader you might inadvertently end up making the situation complicated again. Then you're not being fair to yourself on "What am I paying for here?" Like I said, we're able to clearly say, "For six cents a day I control the spam that's coming into the company." We also get a couple of softer benefits, like a little bit of anti virus protection and network improvements; which are great wins. But I would be nervous if I heard that Postini was trying to become everything to everybody because I'd say "Whoa! There goes their core competency."

Part of the problem is thinking your corporate e-mail is so important to your business that you don't trust a company to have it on their server and filter it for you. That's keeping you from a great solution! I think it's important to look at the inherent problems where you fail to see different choices and stay focused on the solution you're looking for, and be willing to partner. This is not a decision a CIO makes alone. You have to partner with all the key players, sit in a room and try to poke holes in the solution. Any vendor that can stand up and defend their product, and win the thesis, can win the business. This is the kind of strategy I would recommend to other CIO's.

Taos: Debra, why aren't more of your enterprise peers doing this? What keeps them from it?

Debra: Tell you the honest truth I don't know. When I've talked to the different forums, I find that spam has, in some ways, gone out of favor as a hot subject. I'm actually very pleased that you're bringing it back up. I think a lot of CIO's are going to realize they don't have an enterprise, scaleable solution in place and hopefully they will re-evaluate what they've been doing and try to look for alternate solutions.

I think sometimes they don't know what they are missing. Some companies hear in the news that at least eighty percent of the e-mail they're getting is spam. An IT organization might think "Well I'm blocking at least half of that so I must be doing well."

We've had to evaluate the results of our implementation by thinking that the best you could ever ask for is almost no spam in your inbox. The frightening thing about spam is one extremely offensive message can ruin a person's day. What's important for us is we have guaranteed proof that we're doing a great job since no spam is getting though. I think companies that may have tried a combination of a little outsourcing and a little in-sourcing may be buying other tools. I think companies that have made that choice to buy various tools and manage spam in-house might want to re-evaluate. You don't need it in-house.

Taos: Thank you Debra. It's always great talking with you.

Debra Martucci is the Vice President of Information Technology (IT) at Synopsys, located in Mountain View, California. Debra has been with Synopsys over 12 years and has contributed to the success of many mergers and acquisitions in her role both as VP of IT as well responsibilities in managing the Release Engineering functions and driving the Porting and Licensing teams. Her IT group's mission is to lead all issues related to change and growth for both the Corporate Infrastructure and Engineering Development Environment. This provides a strategic advantage for Synopsys, delivering a world-class, productive and effective environment with respect to base infrastructure, tooling, processes and metrics. Prior to her time at Synopsys, Debra worked in areas of Software Simulation which included positions within NASA in the Space Shuttle Training Division as well as managing teams responsible for developing code with Object oriented design methodologies for very large scale real-time , embedded microprocessor and data base generation systems for advanced aircraft radar simulation.

She earned her Bachelors of Science degree in Physics from North Adams State College (Massachusetts) and completed a Masters in Physics from the University of Houston (Texas), publishing her thesis titled 'The optical degradation of Solar Absorbing Black Chrome thin films'. She is originally from Boston Massachusetts and now lives in San Mateo, California where in her spare time, she teaches Aerobics and enjoys her family time with her husband and two dogs!