Improving the Trust Relationship with our Customers
Author: Ryan Carroll, Technical Marketing Specialist (Intern) — Security

Vendor security assessments are a key component of how Adobe’s — as well as our own — customers evaluate the security and compliance posture of key suppliers. These assessments play a crucial role both in meeting risk management and governance requirements and in ensuring the resilience and security of supply chains. My role as an intern this summer on our security team was to help determine a strategy to make this process better for Adobe and our customers.
Background on Assessments
Today, vendor security assessments are typically filled with hundreds of questions that existing and prospective customers send to Adobe to understand how Adobe meets customer and industry expectations and requirements around security and compliance controls. While industry standards exist for these assessments, companies typically customize them to map more directly to expected internal controls before sending them to vendors.
The process Adobe uses to respond to vendor security assessments includes:
1. The customer sends the assessment, in the form of a questionnaire, to an Adobe representative.
2. The Adobe rep sends Adobe’s existing security documentation, including pre-filled assessments that potentially satisfy the assessment request.
3. If the customer still requires Adobe to complete their detailed assessment, the Adobe rep creates a request in our work management system that assigns the questionnaire to a member of our security specialist team.
4. A member of the security specialist team uses our existing knowledge base, prior questionnaires, and their personal experience to help them answer each question.
5. Once completed and verified for accuracy, we return the filled questionnaire to the customer.
The Problem
Assessments come in all different formats. The most common format is large spreadsheets, but some arrive as Word documents or, more recently, through online portals provided by third-party risk management solution platforms. What varies between these formats is more than just the platform in which they are generated — they also look quite different on the inside. Some have tables with different column headers, others have “check-the-box” type questions, and still others use drop-down menus. Customers also expect to receive security assessments back in the same format they originally provided, which helps the customer’s internal security assessment process run more smoothly.
Questionnaires consist of hundreds of questions that often overlap or repeat. Most of the questions are part of industry standards in this area, such as the Standard Information Gathering (SIG) questionnaire or the Consensus Assessment Initiative Questionnaire (CAIQ). This means that when Adobe receives an assessment from different customers for the same product, a large percentage of questions are substantially the same, only varying in wording, which results in our security specialists repeatedly answering the same questions.
Questionnaires often take significant time to complete; answering each question manually is a time-consuming process. Because of the complexity of these questionnaires, our security specialists begin answering each assessment from scratch. However, searching and filtering through a knowledge base for any questions to which the specialist does not know the answer — especially with much repetition between questionnaires — is not always efficient. Even when a security specialist finds the answer in the knowledge base, they must often rely on their own expertise to ensure the question is answered according to customer requirements.
Given these issues, our current process for managing these vendor security assessments can be very time-consuming and repetitive, and can take up security specialists’ valuable time that could be better spent on more strategic tasks. Adobe knows it is not unique in attempting to tame the complexity and make this process better. My role here was to look at the overall process — from both a customer and Adobe point of view — and provide guidance on how to make it work better for all involved.
Improving the Process for Everyone
The objectives of this project included easing the customers’ assessment process and helping to drive our security specialist team’s 2022 initiative to implement tools to work more efficiently in completing these assessments, thereby improving the overall relationship between Adobe and its customers. To meet these objectives, I took two different approaches.
The first approach involved working more directly with the third-party risk management solution vendors used by our customers, adapting our internal process to that of our customers. An increasing number of questionnaires that Adobe receives come from these vendor risk management solution platforms. It is easy to understand why: customers can easily browse these sites and view profiles containing security controls information for each vendor they are evaluating to help them complete their assessments. If they have additional concerns, they can submit more detailed assessments directly through these platforms.
Pre-populating these vendor risk management solution platforms with information about Adobe’s security controls will help customers complete their assessments faster and provide more focus in their process. Greater transparency will help customers answer most questions themselves and help ensure any additional questions are more targeted. What’s more, this proactive approach will reduce the amount of manual work for both Adobe and our customers, enabling customers to get more value out of the risk management solutions in which they have invested. So far, I have established profiles that contain comprehensive info about Adobe’s security controls on two platforms where we receive the highest number of customer inquiries.
Next, I wanted to help the team in its current efforts to eliminate redundancy and repetitiveness in our assessment response process by helping to find a solution to improve our security specialists’ efficiency. Over the past few months, I have been in contact with many questionnaire automation providers with the goal of finding one that would satisfy our needs. I worked with our team to narrow down the search to two final options and I am helping them conduct month-long proof-of-concept projects where team members use the tool in action to gauge productivity levels relative to our current solution.
Conclusion
Optimizing the workflow, efficiency, and experience for both customers and vendors around security assessments is a particularly thorny challenge in the security world and, in my opinion, is long overdue for a solution. I have learned that to be able to fix a problem you need to broaden your scope and understand the entire process it falls within. For example, instead of just understanding that we receive questionnaires and need to answer them more efficiently, it was essential that I learned how and why we received these questionnaires and the current process for answering them. Understanding this allowed me to play a role in important conversations and identify weak points in the entire process.
Another key takeaway for me is that you cannot be afraid to make your voice heard. Especially being the youngest and least experienced person in the room, it sometimes felt like I was not the one who was supposed to be driving change; I was just supposed to support it. But that does not have to be the case. There were several times when I caught something that others overlooked or brought up an idea that we investigated further.
My internship at Adobe was a constant growing opportunity for me: I had one foot in my comfort zone and the other one out. At the end of the day, I thoroughly enjoyed the work I did and the people I met along the way.