Hmm. Whilst sale of this business is certainly a possibility, one thing to keep in mind is that the anonymous sources could have been confused by activity that isn't actually a sale at all.
Symantec's current deal with Mozilla/Google implies that they need a third party to actually do most of the technical work while they build new capabilities not tainted by previous problems. So that means Symantec executives having discussions with other CAs that could easily _look_ like they're thinking of selling the business even if they aren't: they'd be talking about sales volumes, sharing financial data, which operational people could be transferred and who needs to stay where they are... all stuff that _looks_ like a sale but would be necessary for Symantec to obey the plan they've shown Google.
Also, sale of the CA business with the current shadow over it would be problematic. The major trust stores have reacted to the StartCom/WoSign fiasco by instituting more rules about transfer, which came up for Google recently because they bought a CA. If an existing CA buys the Symantec (Verisign/Thawte/GlobalSign branding) business, they also buy Symantec's problems with the trust stores. If a _new_ CA buys the business, there will be arguments from a lot of quarters that they're unqualified and, forget Symantec's problems, the whole thing needs to go away immediately. It's like buying a burning tyre fire, where's the upside?
I'm inclined to agree just from my own reading of this. I just don't see how sale could do anything but harm trust in the brands further, which makes sale only appealing to those who either don't care about trust, or have enough trust on their side to think they can rebuild it. Both of those groups are not going to want to pay much. Why sell a division of your company for peanuts?
Being one of the least trusted, yet large, CAs currently in existence, this may not be a bad move for the company. However, I do wonder what that leaves the company as far as popular assets go. Their ‘enterprise’ antivirus offering was once best-in-class, but since the demise of AV and the company's general reputation declining year on year (citation definitely needed and obviously my opinion through observation), it still makes me wonder how long the company will last. Oh, and of course I should remind people that Symantec owns Blue Coat...
Most companies still purchase antivirus packages in bulk. I have a customer server where an installed AV slows down the SQL Server from time to time (especially when SQL Server allocates more disk space) so much that the system becomes unusable. They still think it makes sense to install AV even on database servers. I think AV software is installed just to be a scapegoat if there's a successful attack.
They may be required to follow some standard, or certification that states that anti-virus software and firewalls be present on all systems. Those "standards" are normally written by lawyers or accountants who know next to nothing about IT.
Yes, like PCI-DSS requirement 5 (required if you handle credit card numbers).
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are maintained as follows:
  - Are kept current,
  - Perform periodic scans
  - Generate audit logs which are retained per PCI DSS Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Of course, even with nothing useful left in the rump company, the sale might still be good from a shareholder's point of view. Similar logic as for Yahoo's holding of Alibaba a while ago, when rump-Yahoo added negative value by most calculations.
Very good point, in your eyes does that suggest inevitable liquidation / similar or something more like running the company at a loss as a write off and on the chance something might come from it as a spin off?
Thanks to limited liability, it is very hard for companies to ever run the risk of negative value. Equity can be seen as a call option on liquidation value (plus dividends). So both options might be viable for rump Symantec: sale of assets / liquidation, or keep running it and hope for the best.
That's from an economics point of view.
From a more cynical point of view: shareholder capitalism is mostly a lie. Principal-agent problems are real, and most companies are run for the benefit of management. And since managers are more important and can justify higher pay with an empire below them, the divestment will rarely happen. Especially if, like for Yahoo (and perhaps Symantec), it would reveal in stark and undeniable terms that that very management of the parent company actually _subtracts_ value.
Some people did ingenious studies in this area: they checked how share prices reacted to unanticipated CEO deaths, like accidents. If management really served at the whim of shareholders, you'd expect that they'd have the best person they can afford. In practice, the share price goes up on CEO death as often as down. That means shareholders are often happier with the average expected next candidate for CEO than the one they currently have---but since they can't get rid of the incumbent that preference is only revealed on accidents.
I'm assuming that Symantec makes money off of selling SSL certs which, again I'm assuming, they will make less of as Let's Encrypt begins to gain "conquest" domains over "greenfield" domains (those that did not and would not have held a cert without ACME and without being free). Of course, that assumes that a substantial number of paid-for SSL users switch to Let's Encrypt. Unless I'm misunderstanding, this may solve two problems for Symantec.
EDIT: I have no idea if LE's impact is of a "rising tide raises all boats" kind or a purely disruptive kind.
It's just that those solutions require actual work and capable customer support, and I don't think that's a business Symantec wants to be in.
Still, I would hope that their certificate business is taken over by someone serious about SSL/TLS/certificates. I would hate for Let's Encrypt to become a monopoly.
Their biggest problems seemed to just stem from their arbitrary choice to use subdomains instead of subdirectories. If they just put everything on the same domain (/sites/stackoverflow, /sites/superuser, etc.) then they would literally just need 1 certificate for everything, no third-level-wildcard nonsense. Not sure what this decision to have a gazillion different domains has gained them honestly. Reddit clearly manages to work that way.
Of course they do. I have a feeling they got corrupted and stepped onto a path of making quick money by assigning covert certificates for various agencies/companies whose main initiative was to spy on users. In their case, recovering trust is almost impossible.