Symantec's current deal with Mozilla/ Google implies that they need a third party to actually do most of the technical work while they build new capabilities not tainted by previous problems. So that means Symantec executives having discussions with other CAs that could easily _look_ like they're thinking of selling the business even if they aren't, they'd be talking about sales volumes, sharing financial data, which operational people could be transferred and who needs to stay where they are... all stuff that _looks_ like a sale but would be necessary for Symantec to obey the plan they've shown Google.
Also sale of the CA business with the current shadow over it would be problematic, the major trust stores have reacted to the StartCom/ WoSign fiasco by instituting more rules about transfer, which came up for Google recently because they bought a CA. If an existing CA buys the Symantec (Verisign/ Thawte/ GlobalSign branding) business, they also buy Symantec's problems with the trust stores. If a _new_ CA buys the business there will be arguments from a lot of quarters that they're unqualified and forget Symantec's problems the whole thing needs to go away immediately. It's like buying a burning tyre fire, where's the upside ?
I see it as buying the customer stock with the opportunity of a "fresh start". Rebrand, ensure the that the new organization follows compliance.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans Generate audit logs which are retained per PCI DSS Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
They have consumer and corporate anti-virus, Endpoint Protection, and they now own Blue Coat and Lifelock.
That's from a economics point of view.
From a more cynical point of view: shareholder capitalism is mostly a lie. Principal agent problems are real, and most companies are run for the benefit of management. And since managers are more important and can justify higher pay with an empire below them, the divestment will rarely happen. Especially if like for Yahoo (and perhaps Symantec) it would reveal in stark and undeniable terms that that very management of the parent company actually _subtracts_ value.
Some people did ingenious studies in this area: they checked how share prices reacted to unanticipated CEO deaths, like accidents. If management really served at the whim of shareholders, you'd expect that they'd have the best person they can afford. In practice, the share price goes up on CEO death as often as down. That means shareholders are often happier with the average expected next candidate for CEO than the one they currently have---but since they can't get rid of the incumbent that preference is only revealed on accidents.
(I couldn't find the studies quickly, but I found a quora discussion that might lead you there https://www.quora.com/Why-do-companies-stock-prices-rise-aft...)
EDIT: I have no idea if LE's impact is of a "rising tide raises all boats" kind or a purely disruptive kind.
Symantec's problems are that they fucked up too much and have slipped past the "too big to fail" boundary.
It's just that those solutions require actual work and capable customer support, and I don't think that's a business Symantec wants to be in.
Still I would hope that their certificate business is taken over by someone serious about SSL/TLS/certificates. I would have for Let's Encrypt to become a monopoly.
