Clive Finlay – Field Chief Technology Officer, Solution Engineering and Residents – Leader for EMEA Broadcom

With a market cap of 1.3 TN USD as of July 2025, Broadcom is a giant in the tech community. Within its 26 divisions, the Enterprise Security Group division which comprises the Symantec and Carbon Black portfolios, is a name that is known globally in the cyber security space. Their business approach around the world is one of a Catalyst Partner Initiative, where they identify companies that can manage implementation, advice, sales and post-sales support in a geographically defined region. We spoke to Clive Finlay a Field Chief Technology Officer with a CTO role for EMEA, centrally involved in Enterprise security for Broadcom and responsible for Symantec and Carbon Black, about how Broadcom and Arrow are working together for the Luxembourg market.

Why are Broadcom and Arrow business partners?
What does that really mean?

Historically, Symantec had direct business relationships with the largest thousand companies globally and our product evolution was driven by the needs and feedback of those top tier organizations. The vast range of differing needs among both small and large actors in the competitive Cybersecurity market was a challenge for our business model as we were only really geared up to address some of the larger organizations. So, last year we developed the catalyst partner model. We aggregated our business through eight key partners globally that each have defined geographies and Arrow is a Catalyst Partner for the European region.

As our sole European region Catalyst Partner, Arrow may sell and renew Symantec and Carbon Black technology to the European market. Arrow drive our go-to-market strategy for the rest of the market in Europe. Weare behind them with incredible R&D and innovation to service their clients.

Is your vision to merge Carbon Black and Symantec into one product?

Carbon Black came into the Broadcom portfolio because of our acquisition of VMWare. To be frank we discussed within the company, whether we should spin out Carbon Black because of its overlap with our existing Symantec brand, but as we examined it more deeply, we realized that it made a lot more sense to bring Carbon Black and Symantec together within the Enterprise Security Group. Symantec had a 40-year history of market leading, antivirus and anti-malware by means of machine learning and all sorts of behavioural techniques to prevent attacks and to identify the latest ransomware attacks. Whereas Carbon Black was one of the vendors that defined Endpoint detection and response (EDR) and which is about detecting the low and slow quiet threats from adversaries on the network.

We are taking the best parts of both technologies and integrating popular capabilities across the cybersecurity portfolio. You will see very soon within Carbon Black some of the prevention engines providing high level threat  intelligence that Symantec has from its global intelligence network and conversely, we’re getting some quite interesting visualization and detection and response techniques that Carbon Black uses inserted into the Symantec Endpoint product.

We are not going to force users to change from what they currently have, from the Carbon Black world to Symantec or vice versa, but the enhancements will naturally mean that customers will be increasingly enabled with the best capabilities across the portfolio.

Recently in the media there has been some talk of the private cloud becoming the preferred solution for the financial industry because of the challenge of data labelling and security, do you agree?

GDPR has been shaping data privacy in Europe for years, but the more recent Digital Operational Resilience Act (DORA) is now  driving a fresh wave of change—especially for financial institutions. DORA puts a strong focus on third-party risk and data privacy, prompting many companies to reassess their cloud strategies.

While many organizations initially embraced a cloud-first, SaaSheavy approach, they’re now facing challenges. SaaS simplifies infrastructure but often comes with high costs and less control over data residency. As a result, we’re seeing a growing shift back to private cloud environments, which offer better control, improved cost efficiency, and greater regulatory alignment.

Symantec has supported both cloud and on-prem deployments for years, making it easier to adapt to this shift. With DORA now requiring detailed compliance assessments of cloud vendors, only the biggest providers, such as Broadcom, are well-positioned to meet the full set of requirements. For others, hosting sensitive data in a private cloud within national borders is becoming the safer choice.

There’s also a political dimension to this trend. Uncertainty in the U.S.—from trade tariffs to changing administrations—has made many European organizations cautious about relying on U.S.-based cloud services. Sovereignty and control are now critical factors in tech strategy.

In short, the combination of regulatory pressure, cost awareness, and geopolitical risk is leading to a rebalancing. Organisations aren’t abandoning the cloud, but they are taking a more measured, compliance-driven approach—often with a renewed focus on privacy, resilience, and data residency.

Some companies prefer not to adopt the latest tech, opting to stick with legacy models (just because it works). What’s your advice to companies dealing with change?

In recent years, cyber threats have become easier to scale, putting all types of organizations—large and small—at risk. The black-market economy around zero-day exploits and botnets is booming, making it critical for businesses to stay up to date with software patching. While patching across large environments is challenging, virtual patching offers a helpful solution to close vulnerability windows.
Though some organizations are cautious about adopting new cybersecurity technologies due to percei ved risk, mature vendors often acquire or integrate successful innovations into their platforms. Symantec and Carbon Black have followed this path, ensuring their clients—especially in financial services— benefit from cutting-edge protection.

Falling behind on technology is now a real threat. Even traditionally less-targeted sectors like retail are experiencing major breaches (e.g. Marks & Spencer, Harrods). Legacy protections like basic signature updates and URL filtering are no longer enough; investing in modern endpoint, network, and data security is essential for resilience.

Have you seen some interesting business cases for Gen-AI implementation? The financial industry is concerned about GDPR and misuse of client data. Do you see Gen-AI as a nice-to-have or as an essential tool for efficiency and profitability?

Every board is demanding that businesses utilize AI in some way, shape, or form to stay ahead of the competition. Typically, what you see is that the cybersecurity group is then faced with the problem of how to secure it and make sure it’s deployed with minimal risk within the enterprise. Content generation and customer communication are ripe for Gen-AI but are also centre stage for the associated risk of data loss. You mentioned GDPR and data privacy — because unless an enterprise controls which sanctioned Gen-AI tools are used, employees could quite easily upload sensitive customer information like a name, address, or financial details to the cloud.

The truth is, IT teams have one of three approaches: blocking, engaging, or regretting.

Blocking Gen-AI completely eliminates all benefits, but a sanctioned approach with some data loss prevention tools in place can help evaluate what is being shared. Don’t be a regretting-it organisation with no security controls — your data strategy will become like the Wild West, and the associated risks of data loss are much greater.

Typically, we help banks in a number of ways — usually those that are in that middle spot of engaging. For example by using shadow IT reporting or monitoring the network. We enable companies to see how data is being used across the organisation, to create a profile on those tools they sanction, and to put controls around specific content that is considered intellectual property or personal information.

Tagging and restricting data. Microsoft Copilot is probably the most widely deployed Gen-AI tool in Europe, but unless all your data is tagged correctly and data sources within your organisation are restricted, Microsoft may consume all these files within Copilot.

Classification of content that has been created by Copilot — who is managing and controlling this? How does your organisation approach this, so that it is classified accordingly?

In general, security teams are running behind Gen-AI adoption — and this, combined with GDPR and data resiliency requirements, means there is a big risk for almost all organisations. Symantec content-aware data discovery and classification capabilities are used by many of the largest financial organisations to protect against this risk during Copilot implementation.