Channel: Community – Security @ Adobe

Adobe @ RSA Conference 2019

While it often feels like we just got through the last “world’s largest security conference,” here we are again. The weather is not looking to be the best this year (our rainy season has really lived up to the hype so far), but the Adobe security team would again like to welcome all of you descending on our home turf here in San Francisco, March 4 – 8, 2019.

Kicking off RSA Conference, Adobe is a sponsor of the Cloud Security Alliance (CSA) Summit and 10th Anniversary Party happening on the opening day of the conference, March 4th. If you are a CSA member and summit participant, we look forward to seeing you there. I will also be presenting during the Executive Security Action Forum (ESAF), taking place on the same day, March 4th, for those of you who will be attending ESAF.

If you are attending the full RSA Conference this year, I will be speaking on “Using Automation to Help Achieve Security in a Multicloud Environment” on Tuesday, March 5, at 2:20 p.m. in Moscone West 3006. Adobe has a large and growing footprint in multiple public clouds, as well as a significant private cloud fleet. I will focus this session on what I think are the most critical components needed to develop an increasingly automated multi-cloud operational security stack. You can reserve a seat for my session here, and I hope to see you there.

As always, members of our security teams will be attending the conference to network, learn about the latest trends in the security industry, and share our knowledge. We look forward to seeing you during this exciting week. 

Brad Arkin
Chief Security Officer 

 


Adobe is Honored at the 2019 CSO50 Awards

The 7th annual CSO50 Awards, presented at the CSO50 conference this week, recognize 50 organizations (and the people within them) for a security project or initiative that demonstrates outstanding business value and thought leadership. Adobe is recognized for two of its projects at this year’s awards, which is unique among the honorees.

First, Adobe was recognized for its Common Controls Framework (CCF) – a comprehensive set of security activities and compliance controls that enables Adobe’s engineering, product operations, infrastructure and applications teams to achieve improved compliance with security certifications, standards and regulations. Adobe has also released CCF as open source to help the industry with its own compliance efforts.

Second, Adobe was honored for HubbleStack, its open source compliance monitoring toolset. Organizations struggle to scale security auditing and compliance across many teams with varying infrastructure. Adobe found itself in the same situation and in need of a tool that could provide a window into the complexities of its infrastructure, and HubbleStack was developed as a result. Just like the Hubble telescope gives us a window into the complexities of our universe, HubbleStack gives a window into the complexities of your infrastructure. It includes components for information gathering, file integrity monitoring, auditing, and reporting.

We would like to congratulate our compliance and enterprise security teams, respectively, for this honor and their ongoing efforts in helping enable more secure digital experiences for Adobe and our customers.

Brad Arkin
Chief Security Officer (CSO)

Adobe @ Women in Cybersecurity (WiCyS) 2019

Adobe recently sponsored the Women in Cybersecurity (WiCyS) conference in Pittsburgh. This is our fourth year sponsoring this important conference that encourages young women to pursue careers in cybersecurity. We also sent a delegation from our own security team to the conference to network and recruit for currently open positions on our security team. The conference presented a chance for students to understand the application of security in the professional world while professionals had a chance to be exposed to innovative research.

The conference sessions covered a broad spectrum of cybersecurity problems across industries, ranging from introductory sessions on key trends and concepts to deeper dives revealing solutions to specific security problems. A key session came from Dr. Lorrie Cranor, director of the CyLab Security & Privacy Institute at Carnegie Mellon. Dr. Cranor actually hated computer science initially but became fascinated with security and privacy issues; her session was designed to encourage attendees to pursue cybersecurity careers even if they have no background in technology. Companion sessions featured discussions among women who have put effort into changing technology workplace cultures to encourage more diversity.

There were also hands-on classes on widely used tools in the security space, such as Splunk. One session explained common secure application design principles through the lens of the popular “Star Wars” franchise, a big hit with attendees. Some of the more interesting sessions discussed key security problems facing the medical device and autonomous vehicle industries, both very much in the news now. Other sessions covered cybersecurity issues facing social justice causes, such as human trafficking.

Adobe is proud to continue to support the ongoing efforts of the Women in Cybersecurity (WiCyS) organization and conference in bringing more diversity to the security industry.

Dhivya Chandramouleeswaran
Security Researcher

Udochi Nwobodo
Technical Program Manager – Security

Lakshmi Sudheer
Security Researcher

Adobe @ LocoMocoSec 2019

Members of the Adobe product security team had the good fortune to attend LocoMocoSec this year in Lihue, Kauai. The perfect weather, beautiful beaches, and relaxed Hawaiian atmosphere helped to attract some top caliber speakers in the product security ecosystem – and the quality of the conference talks did not disappoint. I personally had the opportunity to speak to a great audience at the conference on the topic of “Tips & Tricks for Effective Vulnerability Management.”

Integrating security in a DevOps world was a common theme in a number of excellent talks on day one.  “DevSecOps” is a term coined to capture security’s role in this new operating environment, and speakers from Microsoft and Signal Sciences shared best practices and ruminations on how security can both scale and sprint alongside high-performing engineering teams.

Managing the potential security risk of open source components (at scale) was the topic of several enlightening presentations on day two.  As noted by speakers from Microsoft and BlackBerry, the security team needs to both empower engineering teams to make smart choices regarding the components they are introducing in their solutions, as well as define and enforce policies that govern out-of-date or unsupported external components.  As Michael Scovetta said, “Open source software isn’t like a free Mai Tai; it’s like a free puppy.”

The day three highlight for me was a talk by David Lindner entitled “Have you adapted your appsec?”. David has decades of experience in product security and shared some of his best practices, including practical advice on how product security can evolve from a release blocker to adding value at every phase of the development lifecycle, through tooling, assessments and user stories, among other means.

This year’s LocoMocoSec was an excellent product security conference, and a unique opportunity to hear from practitioners with deep expertise in running product security programs at the hottest start-ups like Uber and Slack, as well as established behemoths like Microsoft and Google.  Thanks to the organizers, volunteers and sponsors who made it happen!

Pieter Ockers
Manager, Product Security Incident Response Team (PSIRT)

OWASP Meetup on Container Security @ Adobe

As part of our ongoing commitment to support the broader security community, Adobe recently hosted a San Francisco-Bay Area OWASP Meetup event on the topic of container security. The event was very popular with both our internal teams as well as security community members at other companies in the area with a “waitlist” of folks wanting to attend as we reached capacity.

Madhu Akula, a cloud security researcher who also runs training sessions at security conferences such as DEF CON and Black Hat, led the workshop and discussion. He started with the basics of deploying and using Docker containers and Kubernetes for those less familiar with the environment, then walked through its architecture and the security features it offers. The latter half went into more detail on how to properly harden Docker and Kubernetes environments, illustrated with examples, uncovered by researchers, of the vulnerabilities that can arise when an environment is not properly hardened.
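The kind of hardening gap the second half of the workshop dealt with can be checked mechanically before a manifest ever reaches a cluster. The script below is an added example written for this page, not material from the meetup, from Madhu Akula, or from Adobe. It walks a Kubernetes Pod (or the pod template of a Deployment, DaemonSet, StatefulSet or Job) and flags the settings a container hardening review most often turns up: host namespace sharing, privileged containers, privilege escalation left enabled, no non-root enforcement, a writable root filesystem, no seccomp profile, added Linux capabilities, and hostPath volumes. Both manifests it runs against are constructed for the example (the hardened pod's image name is a placeholder), and the check list roughly follows the Restricted profile of the Kubernetes Pod Security Standards plus a read-only root filesystem; it is not a complete admission policy.

```python
from typing import Any, Dict, List


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """PodSpec of a Pod, or of the pod template inside a Deployment,
    DaemonSet, StatefulSet or Job."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def find_hardening_gaps(manifest: Dict[str, Any]) -> List[str]:
    """One human-readable finding per hardening gap; [] means clean.
    Checks roughly follow the Restricted profile of the Kubernetes Pod
    Security Standards, plus a read-only root filesystem."""
    spec = _pod_spec(manifest)
    findings: List[str] = []

    # Host namespaces let the container see or touch every process, socket
    # or IPC object on the node.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns}=true shares the node's namespace with the container")

    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}  # container level overrides pod level
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true disables nearly all container isolation")
        # Kubernetes defaults allowPrivilegeEscalation to true; only an
        # explicit false stops setuid binaries from gaining privileges.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true (may run as uid 0)")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if not sc.get("seccompProfile", pod_sc.get("seccompProfile")):
            findings.append(f"{name}: no seccompProfile (RuntimeDefault is the usual baseline)")
        caps = sc.get("capabilities") or {}
        for cap in caps.get("add") or []:
            findings.append(f"{name}: adds Linux capability {cap}")
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: does not drop ALL capabilities")

    # A hostPath volume exposes the node filesystem; with "/" it exposes all of it.
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            path = (v.get("hostPath") or {}).get("path", "?")
            findings.append(f"volume {v.get('name', '<unnamed>')}: hostPath {path} exposes the node filesystem")
    return findings


# Constructed for this example (not a real deployment): a "debug" pod of the
# kind that tends to survive a troubleshooting session, isolation switched off.
WEAK_MANIFEST: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell", "image": "busybox:1.36",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed for this example: the same workload hardened to the Restricted
# profile (the image name is a placeholder).
HARDENED_MANIFEST: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for m in (WEAK_MANIFEST, HARDENED_MANIFEST):
        gaps = find_hardening_gaps(m)
        print(f"{m['metadata']['name']}: {len(gaps)} finding(s)")
        for g in gaps:
            print("  -", g)
```

Run as-is, the weak pod produces eight findings and the hardened pod none. Because a YAML manifest converts losslessly to JSON, the same function can be fed `json.load` output from `kubectl get pod -o json` or from a manifest converted in CI, which is where a check like this belongs: as a gate before apply, rather than a report after the fact.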

Adobe plans to host more of these local meetups for the security community to further encourage knowledge sharing between our experts and other industry professionals.

Amrit Pal Singh
Sr. Security Engineer – Adobe Stock


Adobe Sponsors Inaugural Interrupt19 Security Conference

As part of its ongoing commitment to encouraging a more diverse cybersecurity workforce, Adobe recently sponsored the inaugural Interrupt19 Security Conference at West Lothian College in Scotland. The college is also the alma mater of our own Den Jones, Director of Enterprise Security. The event gathered students, educators, and representatives from the industry for a daylong event of seminars, hands-on sessions, and networking.

Jackie Galbraith, Principal of West Lothian College, says: “In my job I’m fortunate to be able to attend conferences with leading edge speakers which provoke creative thinking. Typically, though, you only get the chance to attend when you’re already in a job and your boss is happy to pay. I wanted all computing students at the college to have the experience of attending a professional conference with the best speakers, workshop hosts, and exhibitors to encourage them to reach for the sky, to think big and wide, and challenge perceptions. I have no doubt that the conference has inspired them to work hard and connect with industry players.”

Leia Mackay is one of the students studying HNC Cyber Security at West Lothian College who attended the event: “I grew up around computers. My dad was constantly taking them apart and putting them back together, so I naturally took an interest and, as I grew, I learned more and more. I even built my first computer when I was six! The speakers at the event were very good at engaging the crowd and were all very varied in their approach.”

Fellow student Andrew Hack is a 49-year-old mechanical engineer who is changing careers. With a good grounding in computer skills he wanted to move onto degree study and work as a consultant in cybersecurity. Andrew said: “Interrupt19 gave me a great insight into the cybersecurity arena and the shortage of skilled workers there. The workshops had great practical examples of using the skills we will gain on our course in real world work environments. I can’t wait until Interrupt20!”

“I’ve been blessed with great opportunities throughout my career. At Adobe we are passionate about giving back and I saw supporting Interrupt19 as an ideal opportunity. Supporting and inspiring a new generation of security professionals from my hometown felt like a great way to give back” – Den Jones, Director of Enterprise Security.

Adobe was proud to sponsor this event to encourage students to pursue cybersecurity careers. Look for more about our support of this and other activities around the world here on the Security@Adobe blog and Twitter.

The Human Element and Security Awareness

When it comes to “Hardening the Human OS” there is no on/off switch and no automation. The human element of security includes intelligence, unpredictability, emotions, and personality, which makes it a challenging and interesting element to address when attempting to reduce the potential security risks presented by human nature.

The statistics vary, but it is apparent that humans can unwittingly be a cause of security issues within organizations. As with any security risk, there is no silver bullet, but there are multiple tools that can be put in place to help reduce the overall risk. One of those tools is security awareness.

Common approaches to security awareness include training, simulated phishing tests, email notices, posters, and videos. Any of these can reduce risk, but how the message is delivered matters as much as the message itself. Three common delivery styles tend to produce the opposite of the intended result:

Method                            Result
Fear, Uncertainty, Doubt (FUD)    Hopelessness
Facts Only and Information Dump   Boring and Not Memorable
Mandatory Participation           Resentment

Regarding FUD, awareness of consequences for not employing security best practices is important but it shouldn’t be the motivator. Consumers of awareness content are typically not moved to action through FUD. They are left feeling hopeless.

Facts are important, but they should be presented in an engaging way without losing the consumer to boredom. Clever, witty, and entertaining methods tend to be more memorable.

Mandatory participation often has the opposite of the intended effect of training. Not in all cases, but certainly in many, the learner hurries through mandatory training with little to no retention and walks away with a chip on their shoulder, feeling the training wasted their time.

What is more effective is teaching a security best practice framed around the individual; the consequences are more impactful when related to the person’s own life. For example, teaching employees how to avoid falling for a phishing attempt in both their personal and work lives leads them to pay closer attention, and good habits naturally trickle into the workplace. Even better, make it personal and fun.

Adobe Security Awareness Videos

Super Bowl commercials are typically witty, clever, and fun. While the objective of the commercial is likely to increase sales, the focus is not on selling you the product; rather, it is to create a moment that is memorable, even shareable, so that the association with the product comes naturally.

At Adobe, we strive to deploy multiple approaches to security awareness. One way we are putting the more effective methods mentioned above into practice is a security awareness video campaign. The videos leverage the power of humor to entertain while teaching security best practices. Ultimately, the goal of this campaign is to create memorable content that helps put strong security habits into practice.

Each video will focus on security threats and best practices that Adobe employees and the general community should be aware of in their work and personal lives:

  • Passwords
  • Phishing
  • Ransomware
  • Vishing (Social Engineering via Phone)
  • Computer Theft
  • Data Handling
  • Use of Removable Media
  • Wireless Internet Use

Adobe is making these security awareness videos available for free through a collaboration with the National Cyber Security Alliance (NCSA), which aims to make the internet safer and more secure for everyone. Adobe believes in empowering the customer to create, and wants its customers, such as small businesses and individuals, to be better aware of how to protect their business so they can focus more on being creative and growing it.

The first video was released today on the National Cyber Security Alliance’s resource website. We plan to release new videos every other month hereafter.

From our security team to you or your team, we wish you the best in helping to enhance the human element and hope these videos will be one additional tool in the security toolbox.

National Cyber Security Alliance blog: https://staysafeonline.org/blog/
National Cyber Security Alliance YouTube channel: https://www.youtube.com/user/StaySafeOnline1/
Videos created by Adobe in partnership with Speechless.

Isaac Painter
Security Business Operations & Content Lead

Adobe Works with the Prelude Institute to Help Address the Cybersecurity Talent Gap

Adobe continues to invest in unique programs to help ensure that we, as well as the industry, have access to the most diverse, well-trained security talent possible. This is especially true in cybersecurity where we believe diversity is one of the keys to ongoing success in the industry. As part of this investment, Adobe has begun working with The Prelude Institute. Several of our security team members have already served as guest lecturers and mentors to students in the program. Adobe team members also consulted in development of the curriculum for this program. We are excited to expand further upon this relationship to help build out the cybersecurity workforce.

The Prelude Institute is a unique six-month, full-time, immersive educational program for non-traditional students. Many of the students come from underprivileged areas of the country as well as diverse life paths. Most students in the program have no prior college education. Some also have non-traditional degrees and are attempting to leverage those skills in solving security problems. Currently the program is available in Seattle, WA, and Manchester, NH, with additional sites coming online next year. The program also has a unique tuition structure where half the payment is contingent upon the program placing the student into a cybersecurity or technology role. Recent graduates of the program now hold incident response analyst, security engineer, and IT security roles across a variety of industries, including MSSPs, IoT security, and biotech.

“Our mission is to raise the economic floor of non-traditional learners and workers, giving people immediately marketable security skills, and working actively to place them into new careers. We see our company as a membership, not a school. We want to have a relationship that spans the student’s entire career path and provide them with support every step of the way.” – Ted Ipsen, VP of Curriculum & Instructor

Testimonials from recent program graduates:

“For me Prelude was exactly what I was looking for. I wanted to make a career change. The thought that I could enter the security workforce without a Bachelor’s degree is what tipped the scales for me in favor of trying this program instead of an online degree program. Seven months after starting the program I have a job offer from a great company that is really impressed with what I learned. The expectations I set up in my mind before signing up have exceeded the best-case scenario I imagined. Very happy to be a part of the first cohort and hope others find value and take full advantage of the opportunity that this program provides.” – Kyle.

“My experience was nothing short of eye-opening. This program gave me an in-depth view of how information traverses the internet and how organizations secure their systems from potential threats. There is a reason the program is equivalent to a fulltime job; you’re living and breathing cyber security for six months of immersive training to become an effective analyst for entry-level roles. Students build a “security mindset” to think like an attacker, hone that perspective for blue-team roles, and use it to solve real world problems in the classroom.” – Forrest.

Adobe is proud to work with unique programs like The Prelude Institute that are working to ensure we and the broader security community have the best, most diverse talent available for security roles. Look for more about our support of this and other activities around the world here on the Security@Adobe blog and Twitter.


Only Share With Those Who Really Need to Know

As users of technology we need to take responsibility for helping secure our personal data, because if we don’t, those assets could be accessed without our knowledge or permission and, even worse, our identity could be stolen. On a personal level, I have a family member whose data was leaked through an unknown source and used to extort and threaten them. They were forced to purchase new phones and new phone plans, delete social media accounts, and change email addresses in order to help stop the threats.

The use of data helps make our lives more convenient and streamlined which likely means the proliferation of online data and devices are here to stay. There is one best practice that each of us can apply that will help personal data stay more secure – only share on a need-to-know basis.

Through our ongoing partnership with the National Cyber Security Alliance and staysafeonline.org, you can learn more about how to protect your data and identity in our latest security awareness video: Episode 2 – Data Handling.

Tips on How You Can Prevent Device Theft

Episode 3 of our “Security Awareness” video program in partnership with the National Cyber Security Alliance and Speechless Inc. is now available.

Having something stolen from you tends to leave an indelible feeling of violation and injustice. If what is stolen is an electronic device (e.g. laptop, phone, flash drive), not only is the property gone but so is your data. Stolen data, whether personal or company data, can be more damaging in the long term than the loss of the physical device itself, and if the thief is able to use the device there are many ways it can become valuable to them. Watch this latest video to learn more about how you can better protect yourself from being a victim of device theft.

Isaac Painter
Security Business Operations & Content Lead

Adobe and HackerOne

(this Q&A originally appeared on the HackerOne blog)

Adobe first launched our Vulnerability Disclosure Program with HackerOne in 2015. Since then, the team has continued to expand its program to improve security across our products. 

Adobe’s Senior Security Program Manager Pieter Ockers sat down for a Q&A session with the HackerOne team to discuss how our program has evolved over the last five years and the role that hacker-powered security, both bug bounties and response programs, plays into our overall security strategy. 

Q. How do ethical hackers fit into Adobe’s comprehensive security strategy? 

A: Adobe’s primary security priority is to help keep our customers’ data and experiences safe. We do this by building security into our product development and operational processes at the onset, and automating as many processes as possible. One of the main goals for the security team is to make secure development and operations as easy as possible for product teams and the company. Through our vulnerability disclosure program, primarily hosted on HackerOne, and regular penetration tests, the ethical hacker community helps augment our security team by enabling us to open up our products and services for review by a diverse population of security experts with many different perspectives and backgrounds. We think this added level of expertise and perspective helps us make our products better and safer for our users.

Q. Can you share a little bit about why you chose HackerOne? 

A: Our initial motivation to use HackerOne’s platform was driven by the desire to migrate away from the previous vulnerability submission workflow. At the time, we were using a legacy web form to receive vulnerability submissions. This technology lacked many of the features that the HackerOne platform offered. We found HackerOne’s platform was best optimized for engagement with security researchers, and it was an easy decision to adopt their platform to execute on this program.

Once on the platform, we were able to scale our Product Security Incident Response Team (PSIRT) by using HackerOne’s triage services to better manage the increasing volume of bug submissions. Over time, we have also implemented incremental improvements through leveraging HackerOne’s API, integrating the platform into Adobe’s workflows. This allowed us to scale our vulnerability disclosure program along with the growth of Adobe.

Q. Adobe leverages hacker-powered security and the hacker community in a few different ways to satisfy various security needs. How has Adobe scaled and evolved programs over the years?

A: Adobe interfaces with the security community through a spectrum of engagement models, including (but not limited to):

  • Vulnerability Disclosure Program 
  • Crowdsourced Pentests
  • Magento Bug Bounty Program

Code reviews and pentests

Before Adobe introduces a major upgrade or new product, feature or online service offering, a code review and pentest is often performed by an external vendor. These traditional third-party reviews provide an additional layer of assurance to complement our internal security assessments and static code analysis that are part of our Secure Product Lifecycle (SPLC).

Vulnerability Disclosure Program

PSIRT is responsible for Adobe’s vulnerability disclosure program, and typically responds first to the security community’s submissions of vulnerabilities related to Adobe products, online services or web properties. Adobe launched its vulnerability disclosure program on HackerOne in August 2015. The HackerOne platform leveraged by Adobe offers researchers the opportunity to build a reputation and learn from others in the community, all while allowing Adobe to streamline workflows and scale resources by establishing a single intake channel for vulnerabilities.

Crowdsourced pentests 

To benefit from a larger pool of security researchers, Adobe also uses crowdsourced pentests in tightly scoped, time-bound engagements involving an elite pool of pentesters targeting a single service offering or web application. This approach has helped supplement the traditional pentests against our online services by increasing code coverage and testing techniques.

Magento Bug Bounty Program

Adobe acquired Magento in 2018, and migrated its bug bounty program to HackerOne in early 2019. Our primary goal for this bounty program is to incentivize researchers to find and report bugs that represent systemic risks with the platform, and this program has successfully captured the expertise of the Magento community to help us harden the Magento platform. 

Q. Measuring the success of hacker-powered security can be tough as you’re often trying to measure what doesn’t happen. How do you measure return on investment of your security initiatives? 

A. Our customers expect to have a secure experience when using Adobe products and services, and investing in our security initiatives allows us to better serve our customers. For PSIRT initiatives we make every effort to keep our products safe and our customers happy. We strive to provide transparency and quick, helpful responses to external researchers, while keeping a pulse on media and social sentiment.

Q. What advice or lessons learned would you share for companies looking to consolidate vendors and scale their programs? 

A. The key to a successful experience with the security research community is to start a vulnerability disclosure program with limited scope. Researchers expect, as they should, that vendors answer questions and react to submissions promptly. Launching a program before you have the capacity to handle the submissions could result in a poor experience for external researchers. 

Once you have developed and tested your playbooks with a limited vulnerability disclosure program, you can expand incrementally to bigger and broader scoped programs seamlessly.  

Q. Looking forward to the next five years, how do you see hacker-powered security and the industry more broadly evolving?

A. I believe this rapid shift to working remotely will open up more opportunities for remote, crowdsourced workers to play an even bigger role in contributing to the development of secure software.

I am optimistic that as the hacker and research community continues to grow in size and skill, they will surface complex vulnerabilities faster than any automated tool could (as well as continuing to proactively offer advice to developers and companies).  

To learn more about all of our incident response efforts here at Adobe, please visit the Adobe Trust Center.

Be Vigilant to Help Prevent Vishing Scams

“Vishing” is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to trick individuals to reveal personal information, such as bank details and credit card numbers.

Who are these scammers? Typically they are individuals looking for a pay-day or full-fledged hacking companies who even have an HR department. They are looking for just enough information to be able to impersonate you and potentially carry out illegal activities – including compromising and then using your personal accounts, such as a Google account. 

Think you can spot a vishing scam? Scammers get better every day and have more resources than ever before. Be vigilant, cautious, and skeptical. Even security professionals can fall for a scam if care isn’t taken. Learn more about vishing and watch as Sid – the ever-vigilant cybersecurity professional – lets recognition go to his head and gets scammed. This is part of our ongoing security awareness video series in partnership with StaySafeOnline.org.

As always, be extra careful with any requests that do not come from sources you trust. That extra care is one of your best defenses against security issues. You can learn more about this and other security best practices at StaySafeOnline.org.

Isaac Painter
Security Business Operations & Content Lead

Adobe Digital Experience Security Summit 2020 Recap

The goal of our recent Adobe-wide Digital Experience Security Summit was to bring together the security community and technology experts to share their expertise on underlying fundamentals, architecture, and best practices related to security across our application development platforms and infrastructure.

The summit presentations focused on key initiatives such as cloud security controls enforcement, usage of our compliance monitoring and enforcement tools such as Hubble and MAVLink, container platform security, and automation of our Common Controls Framework.

We also invited several industry speakers, including Vivek Ramachandran, the founder of Pentester Academy, and Dr. Allan Friedman, Director of Cybersecurity Initiatives at the U.S. Department of Commerce. Mr. Ramachandran provided his perspective on how to go about building a secure infrastructure for all types of applications. Dr. Friedman spoke about the goals of the United States Software Bill of Materials (SBOM) initiative and how transparency can serve as a catalyst for quality by helping customers better understand and verify what they are receiving from their vendors.

Prior to the virtual summit we launched a Capture-the-Flag (CTF) competition and meme/poster-making challenges for all participating employees. The CTF competition had five different challenges with increasing levels of difficulty. The meme/poster-making contest was designed to generate ideas on how to best communicate security best practices across teams. With over 150 teams registering for these competitions, we saw a tough battle down to the wire. The top five CTF and top three meme/poster teams received awards during the summit.

Of course, we had to make time for some team building and fun throughout the summit. We held several live events such as a Go-Fetch game, a virtual treasure hunt that attendees could participate in from home. This was highly popular among summit participants. We also held guided meditation sessions, something we have all been relying more upon as we cope with all of the pandemic-induced changes to our work and lives.

Overall, it was a great event with fun-filled days of learning, sharing ideas and building community. 

You can read about our companion event to the Digital Experience Security Summit, our Security Champions Summit from earlier this year, on our blog. You can also learn more about our ongoing efforts to build upon our stronger security culture throughout Adobe in our white paper.

Devesh Bhatt
Manager, DX Security

Five Lean Principles of Collaboration for Enhanced Product Security

Engage early, engage often.

Continuously delivering products with enhanced security capabilities in a cross-functional, multi-platform environment is no easy task. It takes a lot of commitment to collaborate and communicate on the part of every individual involved throughout the development process, especially when working with globally dispersed teams.

To overcome these challenges, Adobe leverages five principles of collaboration to help our security and compliance teams collaborate more effectively and efficiently with our product development and operations teams. By adhering to these collaboration principles, we can improve efficiencies throughout our products and services while keeping our internal stakeholders happy.

These best practices, which we like to call the “five lean principles of collaboration,” are based on the overarching philosophy of “engaging early and engaging often,” and provide the foundation for all interactions between our product/engineering teams and the security organization.

Willingness

As with most relationships or engagements, the first step to effective collaboration is for both parties to come together to solve the problem at hand, with each party taking co-ownership. The challenges to ensuring this commitment can be steep: increasingly complex projects, frequent roadmap adjustments (due to changing customer needs or business requirements) and people moving to other roles within the organization.

To make it easier for our product teams to build security and compliance into their solutions, we pull together the compliance, security and review requirements for each specific product into a unified tracking system. At the beginning of each quarter, we meet to review them and set objectives. We also have regular check-ins to determine progress against these agreements. At the end of the quarter, we evaluate what we’ve accomplished, what needs to carry over and what can be deprioritized. In this way, we can easily accommodate shifts in the product roadmap and reset goals. This longer-term strategic approach also helps define roles and allocate time and resources accordingly.

Respect

It’s no secret that designing and delivering complex, powerful business solutions is impossible to do in a vacuum. Creating strong, cross-functional partnerships that are required to bring those products to market involves recognizing and respecting different work styles, resource constraints and time. With this understanding, it becomes easier to gain buy-in and influence change, which is critical in a business environment with ever-shifting priorities and roadmaps. 

Entering a working, collaborative partnership with the understanding and acceptance of other individuals’ work styles can influence how you communicate and interact with them, and eventually strengthens the quality of the ongoing collaboration. For example, knowing that a product manager does not like to be micromanaged might lead you to approach them more directly and with more detail up-front. Alternatively, if a security champion needs more time to digest information before providing an answer, knowing that you need to be more patient with them can help build a stronger working relationship. Adapting work styles, a willingness to negotiate, and establishing a meeting cadence that respects every team member’s time together pave the way for more opportunity to drive change and maintain accountability.

Trust

With the unwavering goal of delivering a secure product to our customers, fostering mutual trust between the product/engineering teams and the security organization is essential. Even more importantly, the solid bridge within Adobe among different groups helps engender the trust of our customers and other stakeholders that we work hard to make our products as secure as possible.

Creating this level of trust requires clear, defined expectations up-front and an ongoing commitment to remain flexible and always keep an open line of communication. With our security, product and operational teams spread across the world, strict processes and clear ownership are critical. Within Adobe, product and security teams work together to identify issues, assess risks and determine the best course of action. Trust at the inflection point between teams – the product manager and the security champion – can positively impact varying levels of an organization.

In the long term, collaboration strengthens the bond of trust and keeps the teams tightly aligned, which is especially important when working with products that have different release schedules. Recognizing which processes are scalable at this cadence and which are not is critical to building and maintaining trust between organizations. More importantly, understanding that security is not a one-time event but a continuous process can make it easier to maintain a dependable security product lifecycle. These ongoing conversations between our product, security and compliance teams help Adobe prioritize projects and maintain the trust of our customers.

Empowerment

Probably more important than any other principle is keeping your eye on execution success. We empower our teams to gain others’ commitment by providing concise recommendations based on relevant data and actionable next steps. For example, just keeping pace with automation, especially in security, requires us to be very thoughtful and data driven to maintain a prioritized dashboard. Dashboards have proven to be extremely important in addressing this challenge, because the more digestible the information is, the easier it is to recognize items that need attention and keep pace with automation tooling.

Another challenge we face is overcoming ambiguity. Because we plan at least a quarter or two ahead, each stakeholder must have a crystal-clear understanding of what’s required in order for them to be successful. Roadmaps are a great solution to this challenge because having a view of the entire landscape – not just of your particular area of expertise and accountability – empowers everyone with more information to better understand potential risks, make informed decisions and identify solid, achievable commitments. 

Utilizing frameworks has also helped improve planning because they guide as well as facilitate and scale processes. The best example of a successful framework within Adobe is the Common Controls Framework (CCF), which is the foundational framework and backbone to our company-wide security compliance strategy. Within our Cloud Platform Engineering group, the Compliance, Legal, and Security framework (CLSA) provides structure to support the organization with greater efficiency and improve release readiness. Using the CLSA, product teams can more easily incorporate compliance and security requirements into the planning and development cycles. 

Communication

It’s almost trite to say “communication is key” at this point, but I can’t emphasize the importance of effective communication enough. That’s not to say there aren’t significant challenges to overcome in order to become a well-oiled collaborative team. For example, our networks can include many layers of stakeholders with whom we need to communicate, and managing all the layers can be challenging at times. Simply throwing an issue over the wall is not a good solution. Rather, presenting a clear message to a wide audience can give stakeholders greater clarity so they can take appropriate action. For example, if there’s a change, what’s the change? What’s the impact? Where can they find more information to help inform their decision or action? With a well-crafted message that highlights the key points and makes any requests clear and actionable, communication effectiveness improves at all levels.

Cross-team collaboration has recently benefited from a plethora of new tools to improve communication. From wikis and Jira to Slack and a range of videoconferencing tools, there are more ways than ever before to improve communication and ensure project success. Using each of these for specific purposes and setting ground rules for the frequency of updates is important to avoid ongoing back and forth. And finally, we strive to make the most out of the feedback we receive from customers, internal teams and partners. Freely sharing this feedback with all team members is essential to continuously improving how we work and, ultimately, the enhanced security of our products.

Sandhya Narayan
Principal Program Manager, Adobe Security Team