What It’s Like To Run a Tech Giant’s Security Team Without Ever Setting Foot in the Office
Mark Adams was appointed Adobe’s chief security officer about four months ago after serving in the same role for four years at Blizzard Entertainment.
Thanks to the COVID-19 pandemic, his onboarding process has been untraditional, to say the least. For one, he hasn’t had a chance yet to visit the company’s physical offices. Instead, his calendar has looked like an ultramarathon of video conferences—days with a dozen back-to-back meetings during the first month to get to know his team and understand the company’s priorities.
“By the third week I finally said, ‘Wait a second. What have I done to myself? I feel tired and I don't know why—I didn't go running, I didn't work out,’” he told The Record in an interview late last month. “I realized you've got to put space in between. You’ve got to mix it up.”
So far, Adams’ biggest challenge might be his own local internet service provider—he temporarily froze during our conversation, just a few minutes after explaining that his team presentations normally start with a few minutes of crackling connection from his end. Other hurdles—like strengthening relationships among a remote workforce and introducing offensive security into the team’s testing practices—have been going well, he said. The conversation below has been lightly edited for space and clarity.
The Record: You started your job at the end of last year?
Mark Adams: I started in November. So I think you've got me in my fourth month.
TR: What has it been like to join a big company as a CISO during a pandemic? I assume that you're not in the office right now—unless Baby Yoda is part of the decoration [Note: Adams was video chatting from his home office, where he had a handful of toys on display].
MA: No! The stuff behind me changes, like Grogu right now. My daughter likes to stick stuff on the shelves behind me and the team gets a good laugh out of those things. But it's a great question. It's an unusual time with COVID-19 to start any role, let alone a senior role, in a 100% remote environment. I haven't yet visited the Adobe offices, although I've seen tons of pictures, lots of video conference backgrounds. So I feel like I've been in many of them.
It's been awesome in many respects. Adobe as a company has some of the nicest people I've ever worked with and are very supportive and they bring you along for the journey. Even though I've never been around a water cooler, it feels like I've participated in that. I think there's things we can take away from it. One of the things I brought in was trying to figure out how do you stay connected to your team, which is one of my top missions—how do you keep that dynamic while being remote. I've discovered things like video logs: send out a ten or fifteen minute log every couple weeks that doesn't have to be super formal. It can be me in a hoodie and just talking about what we're working on as a team.
I'm looking for ways to make people feel included—working remotely can be challenging because depending upon people's personalities, you have introverts, extroverts, people with various levels of expertise at the company. And so we've done everything from global days off to get people to recharge, added things like team gifts—we just got them pullover sweatshirts. Just stuff like that that connects them.
If you asked me to predict what I thought was going to be easy versus what would have been a challenge, I probably would have missed the mark. I wouldn't have wanted to put too many bets on that. I would have assumed video conferences would probably have been more challenging to build relationships over. And oddly, I'm finding the virtual pixels work. You start to really get to know people's homes—their kids walk by, the dogs are jumping around. It's fantastic. If you would ask me what Zoom fatigue was, I would have had no idea. I think in my first month I booked... gosh, I think I was doing like 12 back-to-back meetings a day. And by the third week I finally said, “Wait a second. What have I done to myself? I feel tired and I don't know why—I didn't go running, I didn't work out. Well, something is off here.” And I realized you've got to put space in between. You’ve got to mix it up. Maybe you can walk and talk at the same time. It’s been a learning experience.
TR: It definitely requires doing things differently. I'm curious about the video logs that you talked about. Do they replace the office presentations that you might have with everyone around a table? Or is it more informal than that?
MA: I try not to replace anything with it. We still do our all-hands meetings with the whole team. We do town hall meetings where we bring in our security champions and they get to also participate and hear the strategy. So we keep those going and we keep a regular cadence of team meetings—you used to get in the conference room, get around the table and whiteboard things. We still do all of that. But the video logs are just a very informal, no more than a ten minute way, to tell people what's going on.
I noticed when I started, there's a lot of questions—what are my interests? What's my focus? What do I think about certain presentations? And I started to realize that there was this thirst for feedback and connection. And so I started doing them. And I try to keep them fun because when you're not in an office, you don't have the luxury of, for instance, asking someone to grab a coffee. One of the things over the years I've picked up on is that security is a challenge. It's not an easy profession. So the team dynamic is really important, and there’s a need to find ways to bring them together and make them feel like they're part of that team, that family.
TR: I'm interested in the fact that when you talk about challenges or surprises you mention team building—what about challenges when it comes to just handling security?
Most of the challenges I've actually had have been my own internet connection, my own home wiring, and my own ISP. There's kind of a running joke in the security team about that because when I speak to a large group inevitably the first couple minutes it's like, oh, my internet is crackling.""
MA: I’m lucky that Adobe has invested quite heavily in being able to work remote and they have the right tools at hand.
Most of the challenges I've actually had have been my own internet connection, my own home wiring, and my own ISP. There's kind of a running joke in the security team about that because when I speak to a large group inevitably the first couple minutes it's like, oh, my internet is crackling and I have to redial in. And it all works in the end but never underestimate the power of your local ISP.
TR: What about security practices that normally require an in-person element? Like do you not invite penetration testers into the office when they’re looking for vulnerabilities?
MA: We haven't tackled too much of that yet. But we do remain in constant contact with our partners. So pen testers, third parties—we have built a robust program which includes quite a few remote relationships already. Depending on who they are, we were already in a remote format that we could already work with, so I haven't felt like there’s been a gap in those areas. I feel like we're able to get online and work through it in a whiteboard vide conference session. But yeah, it'll be interesting to see when we come back. It’ll be a new world dynamic, whatever that's going to be and what that looks like.
TR: When I've talked to analysts and cybersecurity experts about what the biggest themes of 2021 will be, they pretty much all say that the big focus will be on going back into the office. At some places, devices might have not been touched for more than a year. How do you prepare for that?
MA: Yeah, that's an interesting question. I can talk about Adobe's perspective and my past life too, but in our case we're already well integrated on the public cloud side. And so our cloud journey started quite a while ago and we were able to...
[Editor’s note: Mark’s video freezes for about ten seconds.]
Am I back? That is so funny. That period used to be like ten minutes. It must be getting better—I tried to rewire my house. So if I lose you again, I'll dial back into my audio channel.
But I started to say, from a patching perspective, from a vulnerability management perspective, Adobe's programs are already built around the cloud quite extensively. And so we've already built the automated live-ops dev-ops processes to work with those public cloud infrastructures. I don't really foresee a lot of unpatched systems. Obviously on the workstation side, we'll have to put our program in place to bring everything up to speed. But a lot of employees are working with laptops already. We use what's referred to as a Zen virtual desktop environment. And so we've created that infrastructure that the majority of our workers can come in and what you'd consider a zero trust environment so that they can then two factor onto the remote desktop box. They can do their work. In a lot of cases they have workstations that we can run patch reports against and make sure the laptops are up to speed.
It's an amazing shift over the last year—just how much can be done over tablets and can be done over remote systems at the level that we would have only dreamed of maybe five or six years ago.
TR: I haven’t heard of Zen desktop environments before. Is that going to be the next buzzword?
MA: I don't think so. I think it's one of our internal buzzwords. We have a lot of acronyms. I think you just know it as a remote desktop type infrastructure. Zero trust enterprise networking, is what it stands for.
It's an amazing shift over the last year—just how much can be done over tablets and can be done over remote systems at the level that we would have only dreamed of maybe five or six years ago.""
TR: What priorities are on the top of your list for the next year?
MA: I'm going to look at this through the lens that we're going to continue working remotely for many months—Adobe is going to continue with a flexible model. I would look at it through a few different areas. One of those would be how robust is your remote work desktop solution? How far along the journey have you come because it is very much a journey. You can start out with a couple of apps on there and then you can force people into VPN and there's still got a lot of things to go through.
I think understanding how this particular operating environment has impacted the security operations centers of the world is also something that's probably well worth a conversation. We do see alerts going up. We do see additional burdens on research and threat investigators in our SOC. There's obviously the conversation around burnout there and how do we address that.
Part of that is tuning and automating things—we’re putting a lot of effort right now into the machine learning side of security operation centers. Finding the higher risk events versus those that are not considered high risk. I had a mentor when I was getting into security, and the most important thing he said to me was that every large-scale security program has ten thousand, twenty thousand vulnerability reports… The really great security programs know which 10 or 20 or 100 of those actually matter. Getting your SOCs the tools, the automation, to figure out all the different threats that are now coming our way is key.
Another long-term conversation we should be having is how do we scale going forward? I think I’ve seen a number out there that four million positions right now are not being filled in the security industry. This remote workforce model creates a lot of opportunities here. We can build further on that. When I build red teams, one of the number one challenges I have is almost every red teamer I've ever talked to wants to be remote. That's an opportunity for us because with the tool sets that we put in place, maybe there's an untapped workforce there.
I also get really passionate about the hiring side of things. It's so interesting to watch skills sets develop. I have one person who was a Minecraft expert—that ability to build and connect things made her a threat hunter in the making.
TR: Did you give her any flack for not picking Warcraft or Diablo or Starcraft?
MA: No, but that’s a cool comment. The neat thing about Blizzard culture is that they don't care if you’re a gamer. They ask you what geeks you out ? It can be card games. They have a knitting club. It just depends on what you get super geeked out on. We spent a lot of afternoons there playing card games at 5:30pm, 6pm. You’d think we dive into Diablo or Overwatch. And don't get me wrong, there was plenty of Overwatch. But there's a ton of card games and board games because people just kind of geeked out over all kinds of stuff.
But no—no trouble for playing Minecraft.
TR: How big is Adobe’s security team and how is it distributed?
MA: I can give some high-level brushstrokes on that. We're several hundred people. We're distributed globally, so we have people in the U.S., people in Europe, Asia. That's a huge asset for us because we're able to see not just one slice of the world—we're able to follow the sun, we're able to share the threats across different groups. Adobe also has a rich program built around security champions, which are not direct security staff but the software developers, engineers, partners that are in our products. When I first did a town hall, I noticed that the town hall was a lot bigger than I expected because I was just thinking security staff. I'd come to find out there's a lot of other people who want to be part of the conversation. And so they joined in also.
TR: What programs are you excited about implementing?
MA: Security is one of those areas that the program refreshes every year or two or three, because we're constantly having to adapt and look for what's new. One thing I'm looking at right now is what I would call the balanced program model, where we introduce red teaming, we introduce offensive security. My background is heavy on the offensive side. And so I'm looking at what that next generation looks like for Adobe. And that that includes bringing in that balance of the offensive attacks—white hats, red team balanced against the blue team defensive side. And the culture that comes with that is phenomenal because you end up with this healthy tension. You're constantly learning.
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.