How Adobe reduced compliance fatigue

With compliance putting undue strain on product teams, Adobe SVP and CSO Mark Adams and team built an automation platform. The effort paid off in scale, speed, and reduced risk, and earned the software provider a CSO50 award for business value and thought leadership.

Adobe puts a premium on compliance, so much so that the company invested in the creation of a common controls framework (CCF) to standardize and guide its teams in their ongoing compliance work.

It was a worthwhile investment, says Mark Adams, Adobe’s senior vice president and chief security officer. The CCF, conceived in 2013 and launched in 2016, helped Adobe’s multiple product, platform, service and operations teams achieve and maintain compliance with various best practices, security certifications, standards, and regulations, such as SOC 2, ISO, PCI and FedRAMP.

Yet, Adobe officials recognized that even with the CCF in place, compliance with its 1,400 controls remained a herculean task for the software company and its workers.

“We’ll always put compliance, making sure data is safe, at the top of the priority list, but it put a strain on product teams. We want them to focus on the next features that will excite people. We don’t want to turn a creative team into a compliance team,” Adams says.

That’s when the company turned to automation, seeing it as a way to optimize the CCF as well as its teams’ time and skills.
