Author Archive: Brad Arkin, Chief Security Officer

The Impact of Public Policy on Cybersecurity

Public policy has been joined at the hip with cybersecurity in some shape, form or fashion for a while now. Whether it’s been efforts to increase information sharing between businesses and government agencies, progress towards developing cybersecurity standards, or laws mandating disclosure of security incidents in a timely fashion, public policy has a clear impact on cybersecurity programs. People are paying closer attention to cybersecurity and the policies put in place to help keep information secure. As cybersecurity teams are constantly re-evaluating best practices, we wanted to gain a better understanding of how cybersecurity professionals view public policy changes.

We fielded a survey of more than 500 private and public-sector cybersecurity professionals to better understand if they think public policy impacts their jobs and perceptions on whether the industry is prepared for upcoming policy changes. Here’s what we learned:

  • Public policy impact on cybersecurity professionals’ roles: Nearly 90% of cybersecurity professionals said that public policy affected their jobs on a daily basis, yet only 48% of cybersecurity professionals said that they follow cybersecurity policy issues very closely.
  • Lack of confidence around organizations’ preparedness for upcoming changes: Only 37% of cybersecurity professionals surveyed felt their organizations were prepared for upcoming policy changes.
  • Government regulations have a positive impact on cybersecurity. Even more interesting, 86% agreed that government regulations have a positive impact on cybersecurity. This is contrary to the stereotypical belief that regulations are unwanted or a burden. While 64% agreed their organizations spend too much time and budget on compliance, 92% agreed that the information security industry needs more common security standards/frameworks. While we found this intriguing, it didn’t surprise us. At Adobe, our teams also felt that we needed to streamline compliance and industry standards, so our security team developed the Adobe Common Controls Framework (CCF) – a framework which streamlined 1,000 requirements down to 200 security controls. We’ve heard from peers and customers that this is a critical piece of the security and public policy puzzle, and as a result we “open-sourced” the framework to help other organizations simplify their own compliance standards.
  • Companies should be more proactive with sharing relevant resources for cybersecurity public policy changes. Regardless of the size of your company or organization, there are resources that can help cybersecurity professionals increase their awareness about public policy, and our survey results demonstrate that there is a greater need for cybersecurity professionals to stay informed and up to date on public policy changes that affect their day-to-day jobs. There are numerous trade organizations, non-profits and media outlets that track developments in the public policy space that specifically pertain to cybersecurity. Internally, your legal department would also be a good source of information, along with your government relations team if your organization is large enough. Lastly, social media outlets can be a tremendous resource for following public policy events.

Our survey shows that cybersecurity professionals know that public policy is important, but that there’s a gap between following developments closely and the information they have about specific issues. See the full survey results here and an infographic of our survey highlights here. We’d love to hear your thoughts on how public policy impacts your day-to-day responsibilities – share your thoughts with us on Twitter @AdobeSecurity with the hashtag #AdobeSecuritySurvey.

How We Work to Protect our Brand and Users

A recent report by Citizen Lab uncovered commercial spyware that tricked users into thinking it was a legitimate Adobe Flash Player update. Unfortunately, this malicious download took Flash Player and repackaged it to include spyware. We have contacted the relevant service providers to request that the systems used to support these activities (e.g., email accounts and domain names) be suspended. Make no mistake, these activities are illegal and Adobe actively works to protect its users against such deceptive and harmful malware.

Adobe Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, can be a target of malicious activity. We take the security of our products, technologies and customers very seriously. Protecting Adobe’s trademarks from this type of abuse is vital to our brand and our users. Adobe commits considerable time and resources to these efforts — even participating within the Internet governance processes before the Internet Corporation for Assigned Names and Numbers (ICANN) to help develop, among other things, rights protection mechanisms (RPMs) aimed at safeguarding brand owners and their users from this very type of abuse.

It’s important to note that the spyware does not affect Adobe products and services. The repackaged software is a completely separate process on the victim’s machine. The Adobe brand is merely used for social engineering purposes.

Adobe continually works with our partners to help protect users from malicious downloads and to remove the need for users to manually update Flash Player. For instance, with the Google Chrome browser, Flash Player updates are seamlessly delivered via the Chrome auto-updater on all operating systems. For users who prefer to manually update software, the latest version can be found here:

We encourage customers and other members of the security community to report new vulnerabilities, abuse and misuse directly to Adobe via the Security Alert Us page.

We’re grateful for the work of groups such as Citizen Lab and ICANN, and will continue to support their efforts.

Brad Arkin
Chief Security Officer (CSO)

DefendCon – All Systems Go

We are excited to host DefendCon from Adobe – the first security conference that combines the gender-inclusive nature of a traditional women-in-tech conference with cutting-edge, quality technical content presented by a diverse array of speakers.

With DefendCon, we are creating a welcoming environment where attendees will not only learn about security best practices, but also gain insight on hot topics in the industry like artificial intelligence, IoT security, incident response and machine learning.

We’re all familiar with the stats around the growth of jobs in information security and the fact that women make up less than 11% of the cybersecurity workforce∗. Historically, women also leave the IT workforce at almost twice the rate of men. In an industry with an increasing demand for qualified candidates, we need to attract, train and retain high-performing individuals. We know that diverse teams lead to higher performance and better results, and we’re continuing to build on our initiatives in diversity, security best practices, and security education to help creatively solve these issues.

The first ever DefendCon will take place this week on September 21-22 at the Adobe Seattle office. We hope to provide women and men in the security industry with a quality experience to connect, collaborate and learn. We currently have speakers and participants from across the tech sector including LinkedIn, Netflix, Apple, Microsoft, Salesforce and Google. From Adobe, our own Senior Security Researcher Cindy Spiess, Security Researcher Todd Baumeister, as well as Principal Scientist Peleus Uhley will be presenting.

With DefendCon, we’re helping the industry move faster than the status quo and addressing a serious need for more women in cybersecurity. We look forward to building upon this inaugural effort in the months and years to come.

Check out our full list of speakers and sessions. You can also follow the latest around the event on Twitter @DefendCon.


Brad Arkin
Vice President and Chief Security Officer


Saying Goodbye to a Leader

We learned last Thursday of the passing of Howard Schmidt. I knew this day was coming due to his long illness, but the sense of loss upon hearing the news isn’t any less. While others have written more detailed accounts of his accomplishments, I would like to add some personal recollections.

I first met Howard at the RSA Conference during my first role at Adobe as director for Product Security. After that first hallway chat I had many more opportunities to spend time with Howard and learn from watching him work, particularly during our time together on the SAFECode board.

I always marveled at his energy, confidence, and consistency in front of a crowd — not only his ability to knock out one good speech, but the fact that I never saw him turn in a bad one. Despite his enthusiasm, Howard had a clear eye on the challenges, but never gave in to security nihilism.

Howard loved to tell stories, and he had an inexhaustible supply of them – from his time working as an undercover cop in Arizona when he once posed as a biker — to his time working at the White House (driving his Harley to work there, naturally), and beyond. But he also loved to hear stories from others. As a result, he had a massive network of friends he could tap into in order to get things done. As such, he was a real facilitator and leader, and always eager to help.

I will remember Howard as an incredibly accomplished man who could get along with just about anyone, and I will miss having him in my life. The outpouring of warm memories the last couple of days shows that, not surprisingly, I am far from alone.

Brad Arkin
Chief Security Officer

The Adobe Security Team at RSA Conference 2017

It feels like we just got through the last “world’s largest security conference,” but here we are again. While the weather is not looking to be the best this year (although this is our rainy season, so we Bay Area folks do consider this “normal”), the Adobe security team would again like to welcome all of you descending on our home turf here in San Francisco next week, February 13 – 17, 2017.

This year, I will be emceeing the Executive Security Action Forum (ESAF) taking place on Monday, February 13th, to kick off the conference. I hope to see many of you there.

On Thursday, February 16th, from 9:15 – 10:00 a.m. in Moscone South Room 301, our own Mike Mellor and Bryce Kunz will also be speaking in the “Cloud Security and Virtualization” track on the topic of “Orchestration Ownage: Exploiting Container-Centric Data Center Platforms.” This session will be a live coaching session illustrating how to hack the popular DC/OS container operating environment. We hope the information you learn from this live demo will give you the ammunition you need to take home and better protect your own container environments. This year you are able to pre-register for conference sessions. We expect this one to be popular given the live hacking demo, so please try and grab a seat if you have not already.

As always, members of our security teams and I will be attending the conference to network, learn about the latest trends in the security industry, and share our knowledge. Looking forward to seeing you.

Brad Arkin
Chief Security Officer

SOC 2-Type 2 (Security & Availability) and ISO 27001:2013 Compliance Across All Adobe Enterprise Clouds

We are pleased to report that Adobe has achieved SOC 2 – Type 2 (Security & Availability) and ISO 27001:2013 certifications for enterprise products within Adobe’s cloud offerings:

  • Adobe Marketing Cloud*
  • Adobe Document Cloud (incl. Adobe Sign)
  • Adobe Creative Cloud for enterprise
  • Adobe Managed Services*
    • Adobe Experience Manager Managed Services
    • Adobe Connect Managed Services
  • Adobe Captivate Prime
*(Excludes recent acquisitions including Livefyre and TubeMogul)

The criteria for these certifications have been an important part of the Common Controls Framework (CCF) by Adobe, a consolidated set of controls that allows the Adobe teams supporting Adobe’s enterprise cloud offerings across the organization to meet the requirements of various industry information security and privacy standards.

As part of our ongoing commitment to help protect our customers and their data, and to help ensure that our standards effectively meet our customers’ expectations, we are constantly refining this framework based on industry requirement changes, customer asks, and internal feedback.

Following a number of requests from the security and compliance community, we are planning to publicly release an open source version of the CCF framework and guidance sometime in FY17 so that other companies may benefit from our experience.

Brad Arkin
Chief Security Officer

Join Me at Privacy.Security.Risk 2016 in San Jose this Thursday

I will be speaking this Thursday, September 15th, from 12:15 – 1:15 p.m. at the Privacy.Security.Risk 2016 conference in San Jose, CA, sponsored by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). The topic will be “Achieving Container Security at Scale.” Containers are an exciting technology that shows great promise in improving efficiency, scalability, and repeatability in cloud service development environments. However, as with any new technology, it also presents a unique set of security risks that must be addressed. As a company on the “bleeding edge” in use of this technology at scale, we believe we are in a unique position to help the security and compliance communities adopt the best security standards possible around this technology without sacrificing its benefits. My session will discuss our vision for use of container technology, the current security issues we have observed that require industry remedies to help us and our peers achieve necessary scale, and our own ideas for helping to address these issues both in the immediate and longer term. If you are attending the conference this week, I hope you’ll be able to join me.

Brad Arkin
Chief Security Officer (CSO)

Adobe @ BlackHat USA 2016

We are headed to BlackHat USA 2016 in Las Vegas this week with members of our Adobe security teams. We are looking forward to connecting with the security community throughout the week. We also hope to meet up with some of you at the parties, at the craps tables, or just mingling outside the session rooms during the week.

This year Peleus Uhley, our Lead Security Strategist, will be speaking on Wednesday, August 3rd, at 4:20 p.m. He will be talking about “Design Approaches for Security Automation.” DarkReading says his talk is one of the “10 Hottest Talks” at the conference this year, so you do not want to miss it.

This year we are again proud to sponsor the r00tz Kids Conference @ DefCon. If you are going to DefCon and bringing your kids, we hope you take the time out to take them to this great event for future security pros. There will be educational sessions and hands-on workshops throughout the event to challenge their creativity and skills.

Make sure to follow our team on Twitter @AdobeSecurity. Feel free to follow me as well @BradArkin. We’ll be tweeting info as to our observations and happenings during the week. Look for the hashtag #AdobeBH2016.

We are looking forward to a great week in Vegas.

Brad Arkin
VP and Chief Security Officer

RSA Conference 2016 Is Just Around the Corner

It is that time of year again. The world’s largest security conference is descending on San Francisco next week, February 28th – March 4th. This year, members of my team and I will be participating in the Executive Security Action Forum (ESAF) and speaking during track sessions of the main conference.

First up will be Mike Mellor, our Director of Security for Marketing Cloud, speaking on, “Security Monitoring in the Real World with Petabytes of Data.” This session will discuss how we use intelligent security monitoring to help safeguard our customers’ data. His session starts at 2:20 p.m. on Tuesday, March 1st, in the “Sponsor Special Topics” track in room North 131.

Later in the week will be Peleus Uhley, our Lead Security Strategist, speaking on, “Techniques for Security Scalability.” His session will discuss proper strategies and solutions for implementing security “at scale” in large organizations with diverse technology stacks. His session starts at 9:00 a.m. on Friday, March 4th, in the “Security Strategy” track in room West 3004.

As always, members of our security teams and I will be attending the conference to network, learn about the latest trends in the security industry, and share our knowledge. Looking forward to seeing you.

Brad Arkin
Chief Security Officer

An Industry Leader’s Contributions

In the security industry, we’re focused on the impact of offensive advancements and how to best adapt defensive strategies, without much reflection on how our industry has evolved. I wanted to take a moment to reflect on the history of our industry in the context of one individual’s contribution.

After many years in the software engineering and security business, Steve Lipner, Partner Director of Program Management, will retire from Microsoft this month. Steve’s contributions to the security industry are many and far reaching. Many of the concepts he helped develop form the basis for today’s approach to building more secure systems.

In the early 2000s Steve suffered through CodeRed and Nimda, two worms that affected Microsoft Internet Information Server 4.0 and 5.0. In January 2002, when Bill Gates issued his “Trustworthy Computing memo” shifting the company’s focus from adding features to pursuing secure software, Steve and his team went to work training thousands of developers and started a radical series of “security pushes” that enabled Microsoft to change the corporate culture to emphasize product security.

Steve likes to joke that he started running the Microsoft Security Response Center (MSRC) when he was 32; the punchline being that the retirement-aged person he is today is strictly due to the ravages of the job. Microsoft security was once called one of the hardest jobs out there and Steve’s work is truly an inspiration.

The Security Development Lifecycle (SDL) is the process that emerged during these security improvements. Steve’s team has been responsible for the application of the SDL process across Microsoft, while also making it possible for hundreds of security organizations to adopt it or, like Adobe, use it as a model for their respective secure product engineering frameworks.

Along with Michael Howard, Lipner co-authored the book The Security Development Lifecycle, and he is named as inventor on 12 U.S. patents and two pending applications in the field of computer and network security. He served two terms on the United States Information Security and Privacy Advisory Board and its predecessor. I’ve had the pleasure of working with Steve on the board for SAFECode – The Software Assurance Forum for Excellence in Code – a non-profit dedicated to the advancement of effective software assurance methods.

I’d like to thank Steve for all of the important contributions he has made to the security industry.

Brad Arkin
Vice President & CSO