Editor’s note: The following is a sponsored blog post from Adobe:
You’ve just been directed by your CISO to create a set of operational security standards. Where do you even begin? And, more importantly, as a program management lead, how do you hit the ground running without having to help ramp up a huge team, boil the ocean, or request significant additional financial investment?
At Adobe, we found that forging a loose federation of teams and focusing them on a common vision to enable security features was the solution. This group effort eventually evolved into the Adobe Operational Security Stack, a consolidated set of tools that allows us to quickly gain visibility into the security gaps in our environment. It also helps ensure the use of a common set of solutions across the company, thereby reducing security risks and improving the company’s overall security posture.
We started with one program manager and two solution architects cataloging existing tools and examining processes and practices. What did we discover? Teams using different tools for secrets management, gaps in cloud account monitoring and differences in how each team applied security baselines. This exercise also helped us uncover existing tools and processes that could be used company-wide, tooling and operations teams willing to collaborate, and an engineering community — sometimes enthusiastically — willing to adopt new tools to further enhance security at Adobe.
As a program manager, helping shepherd “tool sprawl” into order involved much give and take. Some of the questions the Operational Security Stack leadership team wrangled with included:
- None of these teams report to us directly, so what is the best way to collaborate? A federation of teams or should we provide a strong central presence?
- How do we prioritize and execute in unison instead of executing in silos?
- Should we focus on ease of use and adoption or be more restrictive to meet security needs, while still providing the highest return on investment for the Adobe security vision?
- Are the above false choices, perhaps?
Even though the Operational Security Stack leadership team provides a central vision, we still look to our contributing teams for both input and innovation in their respective areas. What does that look like?
First, we use a DACI model to clarify who owns/drives the decision and what roles and responsibilities we expect from the various team members (or member teams). Using this framework helped drive decisions down to the appropriate level so that decisions can be made in a timely manner and foster a sense of buy-in from the coalition.
Second, we strive to let all voices be heard — even when feedback can be hard to hear. Engineers (and others!) can be a strongly opinionated bunch. We try to focus on what’s being said, not how it’s being communicated.
Finally, we enable program managers to shepherd decisions, provide choices and set guidelines for our teams. We don’t do these actions for them. Rather, we support the teams to forge their paths and amplify their successes, but we also to help them deal with any fallout. That being said, program managers also sometimes need to remind their teams of the “North Star,” that all-important why of the project, and lay down the path to ensure that the multiple stakeholders in the project meet their goals on schedule.
Speaking of schedule, another needle that program managers must thread is process. When we deal with different teams, we need to choose when to insist and when to give in. Program managers can help remind the team of everything they need to do — from understanding their downstream impacts to ensuring communications are complete and not just focused on their core strengths. There is a saying that “experienced horses know the way home.” For Adobe, that means we trust our tooling teams to deliver the goods, but we need to emphasize consistency and conscientiousness to deliver a repeatable and smooth client experience. With multiple teams working to deliver pieces that need to be stitched together to form the whole, communication is key. Some things that have helped us include:
- Communicating decisions quickly and clearly. Collaborative messaging solutions have been a godsend. Creating channels and setting expectations on how to use messaging solutions to make and confirm decisions has sped up the decision-making process considerably. We don’t want to see our teams waiting until the next check-in or full team meeting to bring up issues or roadblocks. Teams can start conversations so that decisions are discussed in real time and then simply confirmed at the team meeting. Alternatively, larger decisions can be socialized and then discussed more in-depth at the team meeting to make the final decision.
- Fostering healthy discussions. Program managers define the rules of engagement. In other words, program managers steer and provide guidance on how individual teams operate with each other, not within themselves. The “glue” function provided by program managers keeps the machine running smoothly by making sure partner teams are talking to each other, focusing on the same vision, and delivering the same baseline.
- Leveraging external reporting tools. Using KPI dashboards that are reviewed by management is a motivating force that helps spur both adoption of tools as well as hold our teams accountable to our product team clients by keeping schedule and timelines top-of-mind.
Ultimately, we evolved from a very loose federation of teams with each team defining its own roadmaps to a central team providing a cohesive vision with dedicated architects to continue to evolve the Operational Security Stack and reinforce the security posture of Adobe.