Influencing Security Decisions with Effective Communication

Astrid-Bailey
Author: Astrid Bailey, PMP, Sr. Security Program Manager
Date Published: 13 March 2023

Editor’s note: The following is a sponsored blog post from Adobe.

With hundreds of product and service teams at Adobe, it’s simply not feasible to embed a security engineer or even a security-focused program manager in each team. So how do we help ensure our products are built securely, follow security best practices, and stay on top of industry-wide security vulnerabilities? We developed the Adobe security partner program to do just that.

Our security partners are true partners across the entire organization, tasked with building deep relationships with the product teams to both understand their backlog as well as make strategic recommendations. As such, one of the main responsibilities of security partners is strategically positioning security asks to maximize impact for product teams. In order to seal the deal and turn these asks into fruition, it’s important for partners to garner support from all levels of stakeholders — from the product team to our security leadership.

If we’ve learned anything from running the Adobe Security Partner Program, it’s that effective communication goes a long way to help increase leadership buy-in. To that end, we’ve worked hard to refine our communication approach and ultimately strengthen our influence on executives to make better security decisions. Here’s how we did it:

Tailoring Communication to Different Stakeholders

With a global and distributed organization like Adobe, consistency in communications is a massive undertaking.

We have actively sought to resolve communication gaps by using a reporting funnel that models our communication strategy. We use the process illustrated by the graphic below to communicate our plans to leadership.

Figure 1

The reporting funnel weighs two factors: First, the stakeholder’s level within the organization and, second, the level of detail in communication. The further the stakeholder moves down the triangle, the more consolidated the message becomes. We make sure that those who are closest to the core activities have the tactical details they need to get the job done, whereas those who are closest to the decision-making process have enough detail to understand the impact of our projects to make informed decisions.

As a rule of thumb, we strive to tell a story that can resonate with leaders and executives. Typically, this storytelling includes clear, simple language and tangible metrics to drive the conversation. Ultimately, we’ve found that our executives engage most with metrics that impact customers, so we generally try to educate leaders on the impact that security hygiene has on customers and overall business goals. When we present our requests in terms of dollars and percentages — instead of tickets — executives can clearly see the business impact of our security partners’ proposed initiatives and ultimately make more effective decisions.

Equipping Executives with the Right Information

Dashboards are the backbone of all our reporting. We use them to monitor product status, understand overall trends, and track the resolution of initiatives. Our security partners report that dashboards are highly impactful, providing visibility for and engaging to executives. A single dashboard with a red, yellow, or green status along with key metrics equips executives with the right information to make important decisions.

We personalize dashboards for different groups, enabling each group to consume the information that’s most useful for them. For example, each of the dashboards we provide for our three major stakeholders, security champions, senior managers, and vice presidents, pulls data from the same sources and provides the same standard presentation, with specific adjustments in metrics displayed.

Aligning with Security Leadership

To cut through silos and align with leadership goals, our security partners hold bi-weekly initiative meetings with top security leaders about our product team asks. These meetings help security leaders understand current and upcoming initiatives and keep everyone in alignment with our goals.

Additionally, our security partners hold a bi-annual meeting (per product group) with vice presidents and their direct reports to discuss business unit issues and trends, brainstorm potential investment opportunities, and evaluate risks to get ahead of the impact to Adobe and our customers. By the time security partners get to these meetings, they have already been sending the same message consistently to each level in the organization. As a result, they can focus on key asks and recommendations rather than spending time going over what they need to know.

Empowering the Voice of Product Teams

Directly communicating with our product teams and leaders has allowed us to cut through many layers of management and have effective conversations to earn top-level support. In keeping our commitment to be true partners of the product teams, we’ve created an internal Customer Advisory Board (CAB) composed of key product leaders to act as our strategic advisors and help open lines of communication between our security leaders and our product teams.

Every other month, security partner program leaders and security leaders meet with the CAB to discuss a curated list of topics and issues that matter most to them. As we’ve worked through these topics, we’ve been able to gain valuable feedback from product leaders’ perspectives on how the work we’ve sent them impacts their teams and how we can deliver our asks better in the future.

By asking for feedback and listening to their needs, we’ve been able to convert our product teams into security advocates. The more passion we can spark for security in our organization, the more our stakeholders are willing to buy in to the work of our program. Increasing buy-in increases the throughput of security initiatives, which we all know ultimately helps our customers trust us more with their business.

The Future of Our Program

Through everything we’ve done so far, we’ve worked very hard to help our product and security teams not only understand but believe in the purpose of the Security Partner Program. While maintaining and growing our partnerships will always be our number one priority, we don’t ever want to stagnate with the same level of service for the stakeholders we serve. It’s important that we constantly innovate in our role, continue to ask for feedback, and always look for ways to be a better partner.