Positioning Security Asks Strategically in Product Roadmaps

By Astrid Bailey, PMP, Sr. Security Program Manager

Renae Kang
Adobe Tech Blog

--

In my last two posts, I introduced you to the Adobe Security Partner Program and the Adobe Security Champion Program. As a quick recap, security partners work within the Adobe security organization to grow strong partnerships with our product teams and provide strategic recommendations to improve the team’s overall security posture. Security champions are members of our product development teams helping to ensure our security partners’ recommendations are prioritized and codified in our products.

Now let’s put it together. How do our security partners help enable security champions and get security asks positioned more strategically in product roadmaps?

Determining Engagement Levels

First, we need to determine the level of partner engagement needed for each product team. At Adobe, we’ve developed a rubric to consistently analyze teams across the organization and score teams based on two (2) factors: visibility and risk status.

Visibility. We want to make sure our high visibility products receive plenty of attention and support from our security partners. For example, Adobe’s flagship products, such as Photoshop or Acrobat Reader, would suffer significant brand damage and user backlash if compromised. Not only do these products attract strong adversary interest, but they are also highly accessible, with millions of users globally. In contrast, we also have smaller, low visibility teams that are not known outside of Adobe due to the internal nature of the product or service. Given that they are less likely to be targeted by outside adversaries, security partners can spend less time on those teams.

Risk Status. We regularly review and score our teams based on their risk status. Each month, our security partners review the products in their portfolio to analyze the product team’s current roadmap, any open issues, and their level of engagement. Then, they determine a risk rating of low (green), medium (yellow), or high (red). While a team’s visibility is unlikely to change, its risk status is subject to change throughout the year. Therefore, we pay careful attention to this factor, so we know when to adjust our approach.

Another way we manage our teams is by looking for logical groupings. Instead of engaging with each team individually, we group them logically by reporting structure, leadership, or function, and then hold a meeting — led by one or multiple security champions — that covers all the teams in the group.

Assigning Security Partners to Product Portfolios

After determining each product’s visibility and risk ratings, as well as their logical groupings, we then weigh these factors against each other to assign an engagement model. As seen in the table below, we offer two (2) main engagement models: full support and limited support.

The assigned tiers within the two support models determine how often we expect security partners and champions to meet with these groups. For example, Tier 1 teams are high visibility and higher risk. We typically assign security partners a portfolio of products that include a mix of tiers.

Setting Boundaries for Effective Prioritization

Across the tech industry, many security teams admittedly have the reputation of being “ticket pushers” — just shoving security asks onto product teams. We’ve worked hard at Adobe to overcome this perception and are continually improving our asks to be more strategic and impactful. The last thing we want to do is tell teams to “go do tickets” — which, as we all know, is akin to playing “whack-a-mole.”

To that end, Adobe security partners are empowered to say “no” to tickets that don’t make sense for their team. The security partner serves as a gatekeeper between the product team and the rest of the security organization. When priorities inevitably shift, the security partner educates security leadership on the impact the shift would have on the product teams. Because we advocate for them just as much as we advocate for security, product teams view us as true partners who both respect and value their perspectives.

Positioning Security Asks into Roadmaps and Action Plans

Having earned the trust of our product teams, security partners can influence their backlogs and manage security roadmaps for their tier 1 and tier 2 products. One way our security partners build roadmaps is by bucketing the work into common issue sets. They review the tickets, identify key themes, and determine a root cause for each set. Once a root cause is identified, the security partner adds the corresponding security ask to the product’s roadmap. Remediating these issues can mean applying a patch, building a new feature, or even migrating to a different tool. Security partners then work with the security champion to identify and track a committed timeline for implementation.

Beyond product roadmaps, sometimes a team will need a more short-term, focused action plan with achievable focus points to move the needle. We call these plans “path to yellow” and “path to green,” and they are created when a team has a change in risk status. If a team currently has a medium risk rating of yellow, we create a “path to green.” If a team has a high risk rating of red, we create a “path to yellow” followed by a “path to green” action plan to lower the risk. By chunking the work into these paths, our security partners keep product teams motivated and moving through the work.

Wrap-Up

Using strategic frameworks and models has allowed our security partners to position our security asks effectively and maximize their impact for product teams at Adobe. More importantly, we could not have made the Adobe Security Partner Program successful without the continued effort to build trust and deep partnerships with our product teams. In the next and last post of this series, I’ll talk about how you can improve all levels of communication to help ensure executive teams make better security decisions.
