Five Lean Principles of Collaboration for Enhanced Product Security


Engage early, engage often.

Continuously delivering products with enhanced security capabilities in a cross-functional, multi-platform environment is no easy task; it takes a lot of commitment to collaborate and communicate on the part of every individual involved throughout the development process, especially when working with globally dispersed teams.

To overcome these challenges, Adobe leverages five principles of collaboration to help our security and compliance teams collaborate more effectively and efficiently with our product development and operations teams. By adhering to these collaboration principles, we can improve efficiencies throughout our products and services while keeping our internal stakeholders happy.

These best practices, which we like to call the “five lean principles of collaboration,” are based on the overarching philosophy of “engaging early and engaging often,” and provide the foundation for all interactions between our product/engineering teams and the security organization.

Willingness

As with most relationships or engagements, the first step to effective collaboration is for both parties to come together to solve the problem at hand, with each party taking co-ownership. The challenges to ensuring this commitment can be steep: increasingly complex projects, frequent roadmap adjustments (due to changing customer needs or business requirements) and people moving to other roles within the organization.

To make it easier for our product teams to build security and compliance into their solutions, we pull together the compliance, security and review requirements for each specific product into a unified tracking system. At the beginning of each quarter, we meet to review them and set objectives; we also have regular check-ins to determine progress against these agreements. At the end of the quarter, we evaluate what we’ve accomplished, what needs to carry over and what can be deprioritized. In this way, we can easily accommodate shifts in the product roadmap and reset goals. This longer-term strategic approach also helps define roles and allocate time and resources accordingly.

Respect

It’s no secret that designing and delivering complex, powerful business solutions is impossible to do in a vacuum. Creating the strong, cross-functional partnerships that are required to bring those products to market involves recognizing and respecting different work styles, resource constraints and time. With this understanding, it becomes easier to gain buy-in and influence change, which is critical in a business environment with ever-shifting priorities and roadmaps.

Entering a working, collaborative partnership with the understanding and acceptance of other individuals’ work styles can influence how you communicate and interact with them, and eventually strengthens the quality of the ongoing collaboration. For example, knowing that a product manager does not like to be micromanaged might lead you to approach them more directly and with more detail up-front. Alternatively, if a security champion needs more time to digest information before providing an answer, knowing that you need to be more patient with them can help build a stronger working relationship. Adapting work styles, being willing to negotiate and establishing a meeting cadence that respects every team member’s time together pave the way for more opportunity to drive change and maintain accountability.

Trust

With the unwavering goal of delivering a secure product to our customers, fostering mutual trust between the product/engineering teams and the security organization is essential. Even more importantly, the solid bridge within Adobe among different groups helps engender the trust of our customers and other stakeholders that we work hard to make our products as secure as possible.

Creating this level of trust requires clear, defined expectations up-front and an ongoing commitment to remain flexible and always keep an open line of communication. With our security, product and operational teams spread across the world, strict processes and clear ownership are critical. Within Adobe, product and security teams work together to identify issues, assess risks and determine the best course of action. Trust at the inflection point between teams – the product manager and the security champion – can positively impact varying levels of an organization.

In the long term, collaboration strengthens the bond of trust and keeps the teams tightly aligned, which is especially important when working with products that have different release schedules. Recognizing which processes are scalable at this cadence and which are not is critical to building and maintaining trust between organizations. More importantly, understanding that security is not a one-time event but a continuous process can make it easier to maintain a dependable security product lifecycle. These ongoing conversations between our product, security and compliance teams help Adobe prioritize projects and maintain the trust of our customers.

Empowerment

Probably more important than any other principle is keeping your eye on execution success. We empower our teams to gain others’ commitment by providing concise recommendations based on relevant data and actionable next steps. For example, just keeping pace with automation, especially in security, requires us to be very thoughtful and data-driven to maintain a prioritized dashboard. Dashboards have proven to be extremely important in addressing this challenge, because the more digestible the information is, the easier it is to recognize items that need attention and keep pace with automation tooling.

Another challenge we face is overcoming ambiguity. Because we plan at least a quarter or two ahead, each stakeholder must have a crystal-clear understanding of what’s required in order for them to be successful. Roadmaps are a great solution to this challenge because having a view of the entire landscape – not just of your particular area of expertise and accountability – empowers everyone with more information to better understand potential risks, make informed decisions and identify solid, achievable commitments. 

Utilizing frameworks has also helped improve planning because they guide as well as facilitate and scale processes. The best example of a successful framework within Adobe is the Common Controls Framework (CCF), which is the foundational framework and backbone to our company-wide security compliance strategy. Within our Cloud Platform Engineering group, the Compliance, Legal, and Security framework (CLSA) provides structure to support the organization with greater efficiency and improve release readiness. Using the CLSA, product teams can more easily incorporate compliance and security requirements into the planning and development cycles. 

Communication

It’s almost trite to say “communication is key” at this point, but I can’t emphasize the importance of effective communication enough. That’s not to say there aren’t significant challenges to overcome in order to become a well-oiled collaborative team. For example, our networks can include many layers of stakeholders with whom we need to communicate; managing all the layers can be challenging at times. Simply throwing an issue over the wall is not a good solution. Rather, presenting a clear message to a wide audience can give stakeholders greater clarity so they can take appropriate action. For example, if there’s a change, what’s the change? What’s the impact? Where can they find more information to help inform their decision or action? With a well-crafted message that highlights the key points and makes any requests clear and actionable, communication effectiveness improves at all levels.

Cross-team collaboration has recently benefitted from a plethora of new tools to improve communication. From wikis and Jira to Slack and a range of videoconferencing tools, there are more ways than ever before to improve communication and ensure project success. Using each of these for specific purposes and setting ground rules for the frequency of updates is important to avoid ongoing back and forth. And finally, we strive to make the most out of the feedback we receive from customers, internal teams and partners. Freely sharing this feedback with all team members is essential to continuously improving how we work and ultimately the enhanced security of our products.

Sandhya Narayan
Principal Program Manager, Adobe Security Team


Community, Major Initiatives, Secure Product Lifecycle (SPLC)

Posted on 11-12-2020