
Bob Violino
Contributing writer

Adobe evolves its risk management strategy with homegrown framework

Feature
06 Sep 2024 | 6 mins

The software maker’s Security Risk Management Framework (SRMF) helps leadership prioritize mitigation decisions and ensures everyone is informed about the latest cybersecurity challenges and risks.

Credit: Maarten Van Horenbeeck / Adobe

Digital business has transformed virtually everything for enterprises — and it has brought with it cybersecurity challenges perhaps unimaginable just a few years ago.

“The Internet has become a much more integrated place — software products no longer operate autonomously but integrate with each other to solve problems in a holistic way,” says Maarten Van Horenbeeck, CSO at software company Adobe. “That’s the case for all technology companies. It applies to the products we use at Adobe, and the products we build for customers.”

Such integrations create fantastic opportunities for innovation, but they can also introduce new and sometimes unexpected risks, Van Horenbeeck says. “We have long focused on establishing strong foundations in our cybersecurity program, and these fundamentals still matter in this new world.”

To meet these new challenges and risks, Adobe has focused on establishing a culture of collaboration, hiring talented and diverse cybersecurity professionals, and being thoughtful about which technologies it buys or builds.

“But this new world also requires us to think innovatively about risk and be responsive when we see it change,” Van Horenbeeck says.

Adobe’s Technology Governance, Risk, and Compliance (GRC) team of experts has been a key player in ensuring the organization better understands cybersecurity standards and how to achieve certifications.

“More and more, this team is focused on automating security controls and ensuring continuous compliance, as manual work is costly and less reliable,” Van Horenbeeck says.

To that end, the TechGRC team has developed a Common Controls Framework (CCF) that focuses on establishing a risk and controls matrix across the organization. The team has also complemented CCF with a new Security Risk Management Framework (SRMF) to further streamline assessments against relevant standards and regulations, better understand the threat landscape, and reduce risks.

For its work on SRMF, Adobe has earned a 2024 CSO Award, which honors security projects that demonstrate outstanding thought leadership and business value.

Security risk management framework

Adobe’s SRMF evolved from learnings on how to scale and operate its CCF across the company, says Rahat Sethi, director of TechGRC at Adobe.

“We identified opportunities for growth and improvement within this space to further leverage data” such as threat intelligence, incident response, product and software security testing, and audit and assessment results, Sethi says.

This helps drive and support risk-based security business decisions and prioritization. “Realizing this, we went to the drawing board to develop a methodology that encourages rapid identification and measurement of security risks and implementation of mitigating controls in the ever-changing security threat landscape,” Sethi says.

One of the primary objectives of SRMF was to establish an agile framework that unifies different aspects of security into a centralized risk register, to deliver meaningful, consistent results to risk owners and decision-makers.

“It was important to us to design methodology that allows for ‘apple-to-apple’ comparisons of security risks,” Sethi says. “Armed with results from the SRMF, our security leadership can make more informed decisions about how to effectively prioritize and adjust controls to drive risk mitigation efforts.”

Making the SRMF operational included forming committees dedicated to discovering and analyzing risks. These include a Risk Management Team, responsible for the overall execution of the program, and an Operating Committee, which performs risk triage: reviewing security threats and analyzing risks to determine their likelihood and impact, as well as their inherent and residual risk to Adobe.

In addition, Adobe created a Steering Committee, led by Van Horenbeeck, responsible for the oversight and governance of a centralized security risk program and integrating selected results of the program into planning and budgeting cycles.

“Key to the framework is the Risk Management Team, which analyzes new incoming risks, and engages across our business to collect data, understand its implications, and identify pathways to mitigate that security risk across our business,” Sethi says.

Ongoing investment

Adobe continuously invests in new cybersecurity practices across its products, services, operations, and enterprise, Van Horenbeeck says.

A recent highlight includes CCF Version 5.0 to address the evolving landscape of regulatory and security framework requirements. The latest version of the framework was crafted with a focus on customer needs and expectations by considering some of the latest security best practices and frameworks.

In addition to typical security testing of its products, Adobe’s application security strategy focuses on “shifting left” to implement security checks earlier in the development lifecycle, Van Horenbeeck says, enabling teams to proactively address vulnerabilities.

Even as Adobe advances its cybersecurity efforts, the company is addressing challenges such as balancing the need to protect information with making sure it is also available to those who need to act on it, Van Horenbeeck says.

“Balancing this is a continuous conversation between security leaders and their teams,” he says. “I’m a strong believer that educating and enabling security staff to make sound decisions on data is important.”

Collaborative, multidisciplinary effort

Another challenge is making sure everyone is on the same page with cybersecurity.

“We’re a global team, with security team members in Romania, India, and the United States, as well as some of our smaller offices, and getting people to collaborate seamlessly across time zones on similar projects can be hard,” Van Horenbeeck says. “We’re not perfect, but we try to address it by encouraging collaborative behaviors, giving individuals within a region autonomy to solve specific problems,” and ensuring there’s opportunity for people to connect in person.

“It is great that we’re a multidisciplinary team,” Van Horenbeeck says. “We have program managers, security engineers, compliance analysts, researchers, and individuals whose expertise is to communicate. In addition to that, we work very closely with our legal partners. [When] you bring all those skills together, you’re going to build better solutions than when you build them in siloes.”

Adobe has created a “trust organization” that unites legal, security, and policy groups.

“This organization is charged with driving a unified strategy that leverages technology, law, and policy to strengthen Adobe’s products, services, and reputation as a company that employees and customers around the world can trust,” Van Horenbeeck says. “With its leadership, we have a platform across the business that obtains the buy-in we need to make enhancements such as the risk management framework.”

The latest iteration of Adobe’s approach to risk management is still young, Van Horenbeeck says, “but we’ve started to see its impacts in making our annual security planning process significantly easier, [having] more mature conversations about cybersecurity risk, and making sure we have a good understanding of new challenges to tackle.”