How Adobe overhauled their whole security team - and how you can too

ITProPortal is at the 27th annual Information Security Solutions Europe Conference (ISSE), one of Europe's largest gatherings of cyber security experts.

David Lenoe, director of product security at Adobe presented a fascinating keynote talk on how to maintain a security organisation that's able to adapt to change, and how to break out of you security siloes. Since the devastating breach that hit Adobe last year, they've been overhauling their whole system. Here's how they went about it.

The world is a complicated place, and it's getting ever more complicated all the time. From a central team perspective we've moved from our core products like Dreamweaver and Photoshop to offering hosted services and software as a service. And as you move to those kind of services, you have a whole load of new security issues to deal with.

The security market is so hot right now. And all security experts are optimists and idealists, who see themselves as making the world a better place. If you don't give them a sense that they're making a difference, they're going to go out the door – they're going to be demotivated and leave. And you're going to get a complacent security team. And if you have a complacent security team, you're dead in the water. I think we can all agree on that.

The thing is that groupthink causes stale, outdated thinking. You can't have a mentality of "this is how it's always been done" – you have to look past the myopic mindset and give people incentives to change.

Breaking siloes in security

At Adobe, we had a centralised security team, so as we moved to managed services we had to expand our presence all the way down the stack. We had to break down organisational siloes and work with teams we didn't already have a relationship with. People didn't like us coming in and asking questions and telling them how to do things. The problem was, our team wasn't the most diplomatic sometimes, and it caused conflict and tension.

Everyone has the same common goal: that's keeping things secure. So if you're infighting, that can be immensely counter-productive. So what have we done to counteract these challenges?

Firstly, it used to be that we had siloes around security, but now our CSO has oversight into all aspects of the company. As he says it, he's the "throat to choke" about security. And once that was in place, all the turf wars and territoriality melted away, and everyone was on the same page.

You need knowledge-sharing too. We have a security track in our biannual engineering summit now, and we have cross-company hackfests. It's like a capture the flag thing – there's some data that everyone's trying to get to – and it's a visceral way for people to understand how a hacker thinks. I think last year we had over 500 applicants.

Get everyone involved

We also have security all-hands meetings, where the CSO comes down and talks about interesting topics, and invites everyone on the mailing list.

We also have a security training programme, where employees can earn belts like in martial arts. So you can get a green belt with 2-11 hours of online training, or you can get a brown or black belt with hundreds of hours of experiential hands-on training on specific security projects.

Engineers love security, too. It's like a design challenge for them. Don't be afraid to get everyone involved and bring them on board. What you want is "T-shaped people" – that's meant to signify someone who has breadth across a wide range of topics, but then has depth in one specific aspect of security.

Treat you employees and your security people with all the care they need, because at the end of the day, the best assets in your company walk out the door every day.

Follow all of ITProPortal's coverage of ISSE 2014, for all the latest in the world of cyber security.