{"id":156,"date":"2024-09-06T10:01:00","date_gmt":"2024-09-06T10:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=156"},"modified":"2024-09-06T10:01:00","modified_gmt":"2024-09-06T10:01:00","slug":"adobe-evolves-its-risk-management-strategy-with-homegrown-framework","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=156","title":{"rendered":"Adobe evolves its risk management strategy with homegrown framework"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Digital business has transformed virtually everything for enterprises \u2014 and it has brought with it cybersecurity challenges perhaps unimaginable just a few years ago.<\/p>\n<p>\u201cThe Internet has become a much more integrated place \u2014 software products no longer operate autonomously but integrate with each other to solve problems in a holistic way,\u201d says Maarten Van Horenbeeck, CSO<\/p>\n<p>at software company Adobe. \u201cThat\u2019s the case for all technology companies. It applies to the products we use at Adobe, and the products we build for customers.\u201d<\/p>\n<p>Such integrations create fantastic opportunities for innovation, but they can also introduce new and sometimes unexpected risks, Van Horenbeeck says. 
\u201cWe have long focused on establishing strong foundations in our cybersecurity program, and these fundamentals still matter in this new world.\u201d<\/p>\n<p>To meet these new challenges and risks, Adobe has focused on establishing a culture of collaboration, hiring talented and diverse cybersecurity professionals, and it has been thoughtful about which technologies it buys or builds.<\/p>\n<p>\u201cBut this new world also requires us to think innovatively about risk and be responsive when we see it change,\u201d Van Horenbeeck says.<\/p>\n<p>Adobe\u2019s Technology Governance, Risk, and Compliance (GRC) team of experts has been a key player in ensuring the organization better understands cybersecurity standards and how to achieve certifications.<\/p>\n<p>\u201cMore and more, this team is focused on automating security controls and ensuring continuous compliance, as manual work is costly and less reliable,\u201d Van Horenbeeck says.<\/p>\n<p>To that end, the TechGRC team has developed a Common Controls Framework (CCF) that focuses on establishing a risk and controls matrix across the organization. 
The team has also complemented CCF with a new Security Risk Management Framework (SRMF) to further streamline assessments of relevant standards and regulations to better understand the threat landscape to reduce risks.<\/p>\n<p>For its work on SRMF, Adobe has earned a\u00a0<a href=\"https:\/\/event.foundryco.com\/cso-conference-awards\/\">2024 CSO Award<\/a>, which honors security projects that\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/570667\/us-cso50-2022-awards-showcase-world-class-security-strategies.html\">demonstrate outstanding thought leadership and business value<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Security risk management framework<\/h2>\n<p>Adobe\u2019s SRMF evolved from learnings on how to scale and operate its CCF across the company, says Rahat Sethi, director of TechGRC at Adobe.<\/p>\n<p>\u201cWe identified opportunities for growth and improvement within this space to further leverage data\u201d such as threat intelligence, incident response, product and software security testing, and audit and assessment results, Sethi says.<\/p>\n<p>This helps drive and support risk-based security business decisions and prioritization. \u201cRealizing this, we went to the drawing board to develop a methodology that encourages rapid identification and measurement of security risks and implementation of mitigating controls in the ever-changing security threat landscape,\u201d Sethi says.<\/p>\n<p>One of the primary objectives of SRMF was to establish an agile framework that unifies different aspects of security into a centralized risk register, to deliver meaningful, consistent results to risk owners and decision-makers.<\/p>\n<p>\u201cIt was important to us to design methodology that allows for \u2018apple-to-apple\u2019 comparisons of security risks,\u201d Sethi says. 
\u201cArmed with results from the SRMF, our security leadership can make more informed decisions about how to effectively prioritize and adjust controls to drive risk mitigation efforts.\u201d<\/p>\n<p>Making the SRMF operational included forming committees dedicated to discovering and analyzing risks. This includes a Risk Management Team responsible for the overall execution of the program; and an Operating Committee, which performs risk triage, including the review of security threats and analyzing risks to determine their likelihood and impact, as well as their inherent and residual risk to Adobe.<\/p>\n<p>In addition, Adobe created a Steering Committee, led by Van Horenbeeck, responsible for the oversight and governance of a centralized security risk program and integrating selected results of the program into planning and budgeting cycles.<\/p>\n<p>\u201cKey to the framework is the Risk Management Team, that analyzes new incoming risks, and engages across our business to collect data, understand its implications, and identify pathways to mitigate that security risk across our business,\u201d Sethi says.<\/p>\n<h2 class=\"wp-block-heading\">Ongoing investment<\/h2>\n<p>Adobe continuously invests in new cybersecurity practices across its products, services, operations, and enterprise, Van Horenbeeck says.<\/p>\n<p>A recent highlight includes CCF Version 5.0 to address the evolving landscape of regulatory and security framework requirements. 
The latest version of the framework was crafted with a focus on customer needs and expectations by considering some of the latest security best practices and frameworks.<\/p>\n<p>In addition to typical security testing of its products, Adobe\u2019s application security strategy focuses on \u201c<a href=\"https:\/\/www.csoonline.com\/article\/997815\/secure-from-the-get-go-top-challenges-in-implementing-shift-left-cybersecurity-approaches.html\">shifting left<\/a>\u201d to implement security checks earlier in the development lifecycle, Van Horenbeeck says, enabling teams to proactively address vulnerabilities.<\/p>\n<p>At the same time Adobe advances its cybersecurity efforts, the company is addressing challenges such as trying to balance the need to protect information while making sure it is also available to those who need to act on it, Van Horenbeeck says.<\/p>\n<p>\u201cBalancing this is a continuous conversation between security leaders and their teams,\u201d he says. \u201cI\u2019m a strong believer that educating and enabling security staff to make sound decisions on data is important.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Collaborative, multidisciplinary effort<\/h2>\n<p>Another challenge is making sure everyone is on the same page with cybersecurity.<\/p>\n<p>\u201cWe\u2019re a global team, with security team members in Romania, India, and the United States, as well as some of our smaller offices, and getting people to collaborate seamlessly across time zones on similar projects can be hard,\u201d Van Horenbeeck says. \u201cWe\u2019re not perfect, but we try to address it by encouraging collaborative behaviors, giving individuals within a region autonomy to solve specific problems,\u201d and ensuring there\u2019s opportunity for people to connect in person.<\/p>\n<p>\u201cIt is great that we\u2019re a multidisciplinary team,\u201d Van Horenbeeck says. 
\u201cWe have program managers, security engineers, compliance analysts, researchers, and individuals whose expertise is to communicate. In addition to that, we work very closely with our legal partners. [When] you bring all those skills together, you\u2019re going to build better solutions than when you build them in siloes.\u201d<\/p>\n<p>Adobe has created a \u201ctrust organization\u201d that unites legal, security, and policy groups.<\/p>\n<p>\u201cThis organization is charged with driving a unified strategy that leverages technology, law, and policy to strengthen Adobe\u2019s products, services, and reputation as a company that employees and customers around the world can trust,\u201d Van Horenbeeck says. \u201cWith its leadership, we have a platform across the business that obtains the buy-in we need to make enhancements such as the risk management framework.\u201d<\/p>\n<p>The latest iteration of Adobe\u2019s approach to risk management is still young, Van Horenbeeck says, \u201cbut we\u2019ve started to see its impacts in making our annual security planning process significantly easier, [having] more mature conversations about cybersecurity risk, and making sure we have a good understanding of new challenges to tackle.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},
"author":0,"featured_media":157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/156"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=156"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/156\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/157"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}