How Adobe reduced compliance fatigue

Adobe puts a premium on compliance, so much so that the company invested in the creation of a common controls framework (CCF) to standardize and guide its teams in their ongoing compliance work.

It was a worthwhile investment, says Mark Adams, Adobe’s senior vice president and chief security officer. The CCF, conceived in 2013 and launched in 2016, helped Adobe’s multiple product, platform, service and operations teams achieve and maintain compliance with various best practices, security certifications, standards, and regulations, such as SOC 2, ISO, PCI and FedRAMP.

Yet, Adobe officials recognized that even with the CCF in place, compliance with its 1,400 controls remained a herculean task for the software company and its workers.

“We’ll always put compliance, making sure data is safe, at the top of the priority list, but it put a strain on product teams. We want them to focus on the next features that will excite people. We don’t want to turn a creative team into a compliance team,” Adams says.

That’s when the company turned to automation, seeing it as a way to optimize the CCF as well as its teams’ time and skills.

“The whole vision behind it was to make things efficient and reduce compliance fatigue,” Adams says.

Building on a strong start

When first launched, Adobe’s compliance framework brought immediate benefits to the company’s compliance efforts by making its work in that space more streamlined and effective.

In fact, the company found its CCF so useful that it decided to share it with others, opting to open source it so Adobe customers and peers could leverage the framework to aid their own compliance efforts.

At the same time, however, Adobe recognized that the volume of work required around compliance was a drain. Even with the CCF in place, compliance took up significant amounts of workers’ schedules. For example, there was still manual extraction of audit artifacts such as access reviews and business impact assessments and the need for manual reports demonstrating the controls’ operating effectiveness.

Such activities proved not only time-consuming but also operationally inefficient.

Adobe officials wanted a way to scale and enhance the compliance process to ensure they could most efficiently and effectively meet both ongoing and emerging compliance needs.

So Adobe’s Technology Governance Risk and Compliance (Tech GRC) team, which had developed the CCF, worked through 2017 and 2018 to build the automation platform.

Tech GRC built the platform on a layered framework, which consists of a visualization layer, an application layer, a services layer and a data layer.

It deployed the first module of the automation framework in July 2019.

Pushing forward through challenges

Although Adobe built its new platform on its already successful existing CCF program, Adams acknowledge that both the Tech GRC team as well as the company itself had challenges to overcome when adding automation.

The biggest challenge was adjusting to the new time elements associated with the automation platform; automation had Adobe shifting from annual auditing and assessment activities to ongoing compliance-related tasks and activities and shifting from point-in-time testing to near real-time checks.

Adobe also had to enable cross-functional collaboration, ensuring that compliance, product management, and engineering professionals could come together on the processes targeted for automation.

The company also had to ensure it had the right data to feed the automation platform. “We had to have very clear sources of truth so we could focus on building up the rules engines,” Adams says.

That, he adds, required Adobe to build up the software development skills required for creating rules engines in-house—another challenge that company leaders had to address in moving the initiative forward.

Benefits and ROI

The CCF Automation Platform eliminates a significant amount of the manual work that went into compliance by ingesting logs directly from source systems and performing automated checks against them.

“It automates for users what’s due and what’s coming up,” Adams says, adding that the platform essentially removes the need for project managers to chase compliance checklists.

As automation typically does, the CCF Automation Platform lets Adobe scale and speed its compliance work. (Adams says the platform delivered a 30% to 50% increase in scalability. “It makes the time required to implement new things go way down,” he adds.)

At the same time, it helps further reduce risk by continuously monitoring controls.

And it gives significant time back to its engineering and operations teams who, thanks to the automation, no longer have to manually perform the time-consuming control checks.

Adams points to product teams that had spent 30 hours completing gap assessments against compliance frameworks but now see those assessments generated instantaneously. Such time-saving capabilities highlight the platform’s benefits, he says.

Additionally, the platform helps the company effectively and efficiently collect the audit evidence required for quarterly and annual reviews.

Just as importantly, the platform provides Adobe leaders with detailed dashboards that visualize a near real-time view of the controls’ operating effectiveness and the company’s overall state of compliance.

Automation also brought benefits to the security team, Adams says.

It helps ensure that Adobe meets its numerous security compliance certifications and regulatory requirements across all its cloud accounts and private data centers, thereby supporting Adobe’s strong security posture.

Second, the platform analyzes in near real-time data from the company’s security information and event management (SIEM) system and its ticketing solution. That analysis then gives the security workers the ability to identify risks early in cycles.

“It forces a security-by-design mindset,” Adams says.

Adams, who joined Adobe as its CSO in 2020, is now looking toward maturing the CCF Automation Platform. He’s seeking to adapt it to other areas of governance such as enterprise resiliency and internal assessments, and he’s supporting plans to automate more complex areas of compliance.

“Already the ROI has been scalability, more simplicity, and reducing compliance fatigue,” Adams says. “But there are always new regulations and standards [to add to our compliance framework] and we’re chipping away at edge cases where it might not seem like we can automate but we’re finding a way. We definitely see the value continuing.”