
Hello. Oh, there we go. Hi, my name is Ostrid Bailey, and today I'm going to talk to you about how we build stronger relationships between security and our product teams at Adobe. First, a little bit about me: I've had every title from project manager to program manager to product owner and everything in between, but I've been in cybersecurity kind of off and on for the last 10 years. I've also dabbled in event technology, so this is really fun for me, bringing my event world and my cybersecurity world back together.

So, today's learning objectives. We're going to talk about how we get things positioned more strategically in roadmaps, how we use some automation and standardization to make that easier, how we work with management and executive teams to make better decisions, and then how to improve the overall relationships between our security leaders and the leaders throughout the rest of the organization.

So first of all, what is a security partner? At Adobe we created this role to really indicate that we don't want to play whack-a-mole with security anymore, and we don't want to say, "Hey, we're security, we're so important, you're going to do what we say." We really want to have that friendship and that relationship with our product teams. So we chose the name "partner" to really indicate that we don't want to be the bully anymore; we want to be that partner relationship.

So this is kind of the mission statement for the team that I run. The way to look at it is: I'm a program manager, but we have a whole team of security partners, and I just help make that process easier so that we work in a standard way across the organization. Adobe, as you might imagine, has a pretty large security organization, so here are three of our pillars. We actually have a fourth one, which was Tech GRC. But we're the security partners, and basically the goal is that we're that one voice. So instead (it still happens, unfortunately), but instead of security reaching out to every
product team, so they feel overwhelmed and they're always getting barraged by different people, we try to have a one-to-one relationship between the security partner and the security champion, which I'll talk about in a second.

So what do security partners do? When you first hear about a security partner you might think, "Oh, it's a project manager, it's a program manager," and that's really doing a disservice to their skill set. This is coming from a program manager, so I'm not saying that's not a valid role; I'm betting my career on the fact that it's a valid role. But these are more technical people. Oftentimes they're an engineer who was like, "Hey, I'd like to get into management," and this is our path to that. So first we say, let's buck up that technical expertise, let's give you an opportunity to act more like a manager, and then if you like it, great, you can move on to maybe managing people who do this, and if you don't like it, you can go back to being an engineer.

This is what I would say is kind of our flow of what we do. The security partner program meets with the security champions, who I'll talk about in a second. In the industry we have security champions, and that has such a wide range of definitions, but for now let's say that a security champion is somebody who's on the product team who maybe doesn't work in security all the time, but they're interested; maybe they want a career in security but they're not sure. So we have these volunteer, or "voluntold", positions where they step up and say, "I'll help with security, but I don't have to be fully in security." So they're a liaison. They meet bi-weekly or monthly or ad hoc, depending on how big that team is, and we kind of iterate with them with what we call active management. The output of active management is that we have clear focus points for solutions, there's transparency at all levels of management (so we really help with reporting), and then we integrate security work into roadmaps.

So how do we provide those services beyond what we've discussed so far? Here are our three main, we call them our pillars: active management, prioritization, and communication. We spend the majority of our time on active management; generally about 60 percent of our time is focused on really helping our teams actively, not just saying "here, do the work," but how do we have those conversations, how do we take a teaching mentality as well. And then, for example, if leadership comes out with this big security initiative, "it's super important and you have to do it," well, we don't want to take that top-down approach. We really want to look at the backlog of all the security things for that team and say, "Here's where the trade-offs are," and help have those conversations. Then we can go back to our security leadership and say, "Hey, this product team can't do this right now; they've got these other priorities you've already asked them to do," or we can de-prioritize previous work and say, "Actually, based on the industry, this is the most important work for today."
So who do security partners work with? Here are the key players that we work with, and I really want to focus on the left side of the slide: the security partner and the security champion. When I start talking really fast, sometimes it's hard to distinguish the two roles, but essentially we've got the security partner, who I've already talked about a lot and who's on my team, and then the security champion, who's out in the field, in the product teams. We do all kinds of things; we try to be creative too. So the security champion is kind of that ground level; they're often a manager or a senior manager, but we work all the way up through the VPs. So sometimes we have conversations about, "Why isn't this moving?" "Well, I don't have enough resources, I'm really strapped." "Okay, well, can we get our VPs together? Can we get our VP, or even our CSO, to meet with your team and really stress how important this work is, or what the trade-offs are to the business, or even what sales deals are being held up?" Then we can have those conversations all the way up and down that chain, which has been super useful.

The other thing that we have really noticed about the security champions is that they are our friends and they are allies, and the more effective they are, the more likely they are to stay, and then the more effective they become. We did a survey last year and learned that if somebody is a security champion for five years, they often give us 16 hours a week or more, but the newbies give us two to five. As they grow in their understanding they become more effective, and they often get more engaged in those conversations, which is really rewarding. And then sometimes, if we're lucky, they actually say, "We love security so much, can you help me get a job over here?" and we're happy to hire them, because they bring that product perspective.

This is another way to look at the swirl that is a large organization. You see that the security champion and the security partner are kind of like the hub in the middle of all these spokes. Another way to think about this is that we don't have the bandwidth to maintain all the relationships we need in the organization to do security work, so by having the security partner be central to the security organization and having the security champion be central to the product organization, as we reorg our teams, or as new leaders are hired, or as relationships are developed, we're able to just leverage that person. So part of being a security champion is really understanding the org and being in deep with everyone. The other aspect here is truly just to call out the collaboration between the two; this is a really healthy relationship, or it can be.

We also try to give back, so we offer training. Last quarter I introduced what I call the Rockstar Awards, so our top security champions were honored in a meeting, and then our CSO actually emailed them to thank them, and their whole management chain up through VP, which was really rewarding, to see the impact on them. Their managers emailed us back and said, "Oh my gosh, thank you, I'm going to put this in their check-in, and this will be a part of their next promotion." So we're just really trying to look for the simple ways to thank our champions and make it a really rewarding program to be a part of.

One of the things that we do: we also do risk assessments. We have all kinds of inputs; we've got different tools that tell us where our vulnerabilities are, we have different initiatives that come through, and so, as you see, the whole point of the security partners is to help wade through that soup for our teams and then do some analysis and keep those conversations going, so that we end up with roadmaps, get-well plans (which I'll talk about later), we help with escalations to leadership, and then obviously extensions and approvals.

So now that I've set the foundation for exactly what we do, I'll go through our learning objectives. The first one is how we get asks positioned more strategically on roadmaps. Adobe has probably 200 product teams and services, or more; I usually just use a general number because it changes all the time. But we have 14 security partners, so we can't do a one-to-one. So this is one of the ways that we look at the teams who need the most
attention: by visibility and risk. Our bigger products that it's always known for, say Photoshop for example, if that got popped it would really impact our reputation, versus our internal teams, which may or may not be exploitable, at least from the outside, so we don't need to spend as much time with them. So we rank them based on this, and then we move them into what we call our tiers, or our support models. Full support: these are our big, beefy applications; they need a lot of attention; they meet with a security partner every two weeks, sometimes more if they're trending yellow or red. And then our lower teams, like I mentioned, who don't need that day-to-day hand-holding, we can often manage with Slack or just the occasional email or conversation. So then each security partner gets a mix of teams: they get some big ones, or some problem children, and then they get some easier ones, so they generally have between maybe three and eight teams to manage. And then those teams, if they're some of our acquisition products, for example, that have tons and tons of teams, well, they may boil up into a super champion, or they may have multiple champions feeding into the same meeting.

So this is an example of our roadmap. That bottom box there, instead of showing our security roadmaps, because we all know that would be bad, this is kind of just what they look like. We work through, we bucket the work, we do work with other security teams within Adobe, whether it's compliance, whether it's something that a red team has found, whether it's tooling, to build out those roadmaps. So the prioritization part is a collaboration, but then we really try not to be ticket pushers. They do come out as Jira tickets, but we try to be thoughtful and strategic about how we schedule these things out.

Say we have a team that we've given a roadmap, but that's a little bit overwhelming; they're actually at what we would categorize as a yellow risk, or even red. Instead of saying, "Well, just do the roadmap," we do what we call a path to yellow or a path to green. We put their roadmap aside for a second and come up with a shorter, more strategic roadmap to really show them how to get back to that more positive risk rating, whether it's yellow or green, and make it bite-sized. And then, if they need it, we will meet with their VPs once a week or more just to make sure that they're getting that emphasis and they're getting those resources. So in the past we've been able to help teams up their headcount if they were slipping behind.

So, number two here: automation and standardization. This is what we call the reporting funnel, because, as I mentioned before, we make sure to have relationships across the organization. You see the security champion, they get tons of detail; they're up at the top. As you go down the organization they might get less detail, but they're still getting the same message, and it's really important to us that they're getting the same message all the way through the organization. Previously we'd have great conversations at the executive team level, and we'd have great conversations at the security champion level, and then that middle layer was like, "I don't know what the hell you're talking about." So we have introduced, and are working to refine, all levels of dashboarding and reporting so that everybody gets that same message. One of the ways that we do that is we have dashboards, but we email them out once a month to our teams, and we give them a week, and then we send their VP report. So we send them, "Here's what you look like now; work with us, let's improve this before we send out the VP report," and that's been really helpful in building our relationship and that trust, because we're not telling on them; we'd rather that they were doing well. But if you don't do what we're asking, then we are going to continue to have that conversation.

This is an example of what our dashboards look like, at least a mock-up version, and this is what's emailed out as a report. So then you see here, that's a typo, so you can ignore the "learning objective one"; we're not back there. But we show the risk status, we do the dashboards, we have actionable plans and focus points, we have other little automations to help with that, like Slack notifications or
emails when critical vulns are opened, that kind of thing.

So, moving on to learning objective three: this is how we help executive teams make better decisions. As I just discussed, getting leadership buy-in is super important, and another way we do this is through our VP meetings. We're kind of revising what this looks like; Adobe got a new CSO four or five months ago, so we're building this out again, but we're having VP meetings. What we've learned with VPs is that dashboards are great and they're helpful. We have one dashboard, for example, that we send out that compares them against their peers, and VPs really don't like to see that they're not doing as well as their peers; that's been very effective. But one of the other ways that we do it is through stories. For example, one of the teams that's kind of my sister team is our sales engagement team, so they answer all those questionnaires for customers. When we're having issues with certain VPs, or we're just meeting with them in general, and maybe they're not doing their pen test findings or they're not remediating, the best thing is to come to them and say, "Oh, well, if you would do these, we could unlock like 10 million dollars or 100 million dollars," or "You're really holding us up," because they really hate being the cog that's holding up revenue. And then we've also earned a lot of respect from our security partner program, so unlike a more hierarchical situation, our security partners come to those meetings and they're able to talk to the VPs directly, which has been really great relationship building and speaks to the fact that we are learning how to communicate with VPs in the way that they most appreciate.

So over and over we've found that they get excited about metrics that impact customers, and we educate them on that security hygiene. So instead of just "here's what the product impact is," we're really shifting that conversation to customer impact, whether it's investments needed or metrics. Adobe security actually now rolls into what we call the trust organization, so we are actually paired up with legal, and we are also reframing those conversations to be more about how we instill trust in our customers. So yes, security is what we can get behind, especially being in security, but you go to a product team and they're like, "Okay, that's great, but I have all these other features that are going to make me money." So how do we bring that back together and say, "No, we're not just asking you to do security things because we're passionate; we're asking you to do security things because we want to be a trusted organization, and we want to continue to grow the faith that our customers put in us."

So I hope you've enjoyed this brief overview of our program so far, but for our final objective I'm going to talk about how to improve overall relationships between our security leaders and our product team leaders. We're constantly iterating this program, especially as we've gone through a couple of reorgs at Adobe, and it always brings room for new opportunity as new leaders come into the fold with different opinions. We get a lot of questions like, "Are you still going to be a security partner program? Are you still going to provide that same level of service?" and the answer is yes, but it's also no, because we don't want to stay here; we want to continue to grow, we want to make it a more efficient, better program for everyone. So what's really important to me in particular, in my role, is that I am really working on how we add those feedback models, how we do better surveys. I have to take some classes on data analysis, like how do we get those good insights, and how do we make sure... I'm very proud of our program, but I need that product perspective as well. I want them to come to us and tell us if it is or isn't working, because I'm just not close enough to their day-to-day. So we're doing surveys amongst our leaders, we're doing surveys amongst the internal teams that we work with, we're doing surveys amongst even just our team, like what's it like to be on this team, because we really want that feedback. And then over time I'm tracking those results too, so we can have a great satisfaction score.
And so lastly, I want to talk about two major efforts that we're undertaking this year to make the product teams' lives easier. The first is a bi-weekly initiatives meeting. As I said before, we've got like four pillars of security leaders all trying to funnel into our program, sometimes around our program (we're trying to get them through our program), but that means that initiatives are changing a lot more frequently. So I lead a bi-weekly meeting where I bring together our two directors and two VPs, so basically our CSO's directs, and we go through what work they're asking of the product teams, what's come through, what resources it would need, and then hopefully prioritize those, and ideally maintain consistency on priority so they're not changing all the time unless it's really important, and make those leaders work out amongst their peers what exactly their priorities are at the company.

The second one, which I'm most excited about, is what we call our CAB, or customer advisory board, not to be confused with a change advisory board. I spent a very long time in a meeting with somebody until right at the end they go, "Well, you are the change advisory board, right?" Like, I am not; I've been telling you forever, I am not your channel. The customer advisory board. So we have our champions, and they do give us feedback, but we reached out to some of our best and brightest champions in different areas of the organization and said, "Would you be a part of our customer advisory board? We're going through a lot of changes in the organization, and we could go all the way up through your layers of management and all the way down, but that'll just waste everybody's time. Would you be willing to meet with our security leaders every other month for an hour and a half? And the promise to you is that the things that you bring up, the issues that you bring up, we will work to resolve." So what we've done is, I've led I think four or five of them. At first it was just my team picking the brains of our security champions; once our two VPs and our two directors got wind of what was going on, they actually asked to be invited as well. So we're iterating on this; I don't think it's quite perfect, I need to add a few more people going forward, but I'm really excited about our CAB program because it is breaking down those silos, which, as you can imagine, are quite common in a big company like Adobe.

So in conclusion, I wanted to thank you for spending time with me today, and I've enjoyed pulling together lessons learned from leading our security partner program. To wrap up: we talked about what exactly a security partner is, where we fit in the organization, what we do on a daily basis, and who we work with. I went into further examples and details to illustrate our learning objectives. For learning objective one, how to get security asks positioned more strategically on product roadmaps, I talked about how we measure visibility and the risk of a product team to determine how to best support that team, as well as our best practices around creating quarterly roadmaps, including paths to yellow and paths to green. For learning objective two, how to make use of automation and standardization, I emphasized the importance of consistent communications, including our reporting funnel, dashboard mock-up, and some of the ways we've addressed the gaps in our technical constraints. For learning objective three, how to ensure that management and executive teams make better security decisions, I talked about the success we've found with our VP meetings so far, and how we're trying to communicate the right story to executives and help illustrate the impact of completing this work on our customer relationships. And finally, I talked about how to improve relationships at the highest levels of our organization and the future of our security partner program.

Does anyone have any questions?
Q: Okay, I'm just curious how you identify security champions within your organization and how you keep them engaged in these conversations. I know you mentioned a little bit about that, but specifically around how you identify those in these different teams.

A: Sure. So I would say we know who the leaders are in the product organization, so we often go to them and say, "Hey, we need a security champion; is there anyone who's interested?" Ideally someone is interested in the role; sometimes somebody gets volunteered, but we look first for that interest level. And then the ways that we keep them involved: to be honest, in COVID we kind of stalled out on some of the live events and things that we did, so I'm working on bringing that back. We've got about 240 champions, so I'm doing a program-wide meeting once a quarter where we call out the rock stars and we give them awards and a lot of recognition in front of their peers. We do training events. In the past, every other year, they did a security champion summit, so I'm going to try to bring that back, at least hybrid. And I just sent them all a big thank-you gift, a jacket that says "security champions" on it, and I'm looking for ways to try to make it go both ways. And then we've also made it clear to our champions: when it comes time for your annual review, let us know, and we'd be happy to write your manager a love note that you can include in your review to hopefully get promoted, things like that.

Q: Thank you. I had the same question, but I'll follow it up. How do you describe the role of your security champions? Like, when you are introducing it, offering it or describing it as an option, how are you describing it? And then a follow-up: when you identify the rock stars, what do you mean by rock stars?

A: Sure. So we describe the role as, "Are you interested in security?" When we start there, generally we're looking for somebody who's involved in sprint planning so that they can help pull in different security asks, but we also ask, "Are you interested in leadership?" because this is a good leadership opportunity; you won't just be on your team, you'll be reaching out to everyone else. And then for the Rockstar Awards, because there's 240 champions and I have 15 security partners, I really couldn't, because they work one-to-one, I couldn't have a vote on who's the greatest of all time. So I just told each security partner, "Hey, I know you work really hard with these teams; pick out somebody you work hard with and send me some bullets on why they're amazing." And every single one of them said, "I can't choose, they're all great," and I said, "Great, we'll do it every quarter, but this quarter, who's your favorite?"
All right, one last plug for the day and I'll be out of here: we're doing a student networking room in room 229 upstairs starting at 11, and many of you probably met me at check-in and I gave you a blue wristband because you're willing to talk to students. This is just another avenue where you can come and chat with students. We've also got Post-its that you can put on the wall to answer questions; if you don't want to talk but you just want to answer questions, we can do that as well. Thank you so much for your time. [Applause]