Adobe Security Program Management Office PMO

Standing Up a Security Program Management Office

By Ningjing Gao, Senior Group Program Manager, Security PMO


Program management is not sexy — or easy. Think about it as project management on steroids: program management is the practice of managing multiple, related projects that are all connected to a larger strategic initiative. Whereas projects have a specific scope, clear deliverables, and completion deadlines, programs often include multiple deliverables with interrelated dependencies, which can lead to new, unforeseen initiatives and oft-changing deadlines. Because of this, program management is not for the faint of heart — but it does deliver long-term benefits and unlock new capabilities for organizations.

In 2021, Adobe Security launched several large-scale and complex initiatives that required a strong coordination between security engineering and product development teams. Adding program and vendor relationship management to the plates of engineering managers responsible for specific projects and deliverables within the overall strategic initiatives was clearly a non-starter. Thus, the Adobe Security Program Management Office (PMO) was born.

A good example of one of these strategic initiatives is the significant upgrade to our endpoint detection and response, or EDR, solution. With each host and server within Adobe in scope for this initiative, the program required close collaboration between the EDR team within Adobe Security and hundreds of infrastructure owners at Adobe, all following an extremely tight project schedule. In addition, we were faced with managing the availability of our EDR vendor’s agent for all the various operating systems used at Adobe, a significant dependency. An initiative of this scale and mission-criticality to Adobe needed a dedicated technical program manager to effectively keep all the project trains on track and on schedule to arrive at the final destination at the same time.

How the Adobe Security PMO works

The Adobe Security PMO is composed of a team of technical program managers (TPMs) tasked with delivering complex, cross-functional security programs across organizations. We execute, manage, and deliver on programs that are in full alignment with Adobe’s business goals and management priorities, and we foster collaboration with other Adobe PMO organizations.

Before the security PMO takes on a new program, our rigorous project intake process pulls all relevant information about the program in a single repository before we take the program to leadership for approval. Some of the intake questions include why the work is needed, what its business impact will be, how much effort will be required, and what key assumptions have already been made prior to this point. Most importantly, we ask the requestor to provide a definition of “done” for the program, so we know what the end goal is before we even start. This intake process reduces the many emails that are typically required in the project approval request process and avoids allocating precious resources to low-priority initiatives.

One of the most important deliverables of the Adobe Security PMO is a portfolio-level view of all major programs in process or in the pipeline, enabling the security leadership team to see the status of all programs in real time and to reshuffle priorities if needed. By also providing visibility into this dashboard to the entire organization, we help ensure the security organization is always working on the most important projects that align with the leadership’s objectives.

A huge part of our success — and why we’ve grown from managing a few initiatives to close to a dozen concurrent, high-impact security programs — is because of TPMs. So, what makes a good TPM?

Key traits of successful technical program managers

When screening candidates for the TPM role, we typically focus on three layers of skills:

  • Solid program management fundamentals, including scoping, budgeting, timeline, quality management, and stakeholder communication skills
  • Strong technical background in software development or implementation with a demonstrated ability to speak engineering language
  • Broad security domain knowledge and expertise, which enables a TPM to move between different programs in the PMO seamlessly and ramp up on a new program as another one is winding down

Where the Adobe Security PMO is today

As of today, the Adobe Security PMO collectively manages more than 10 high-impact security programs across Adobe. In addition to the strategic EDR initiative mentioned above, we drive the programs around our cloud infrastructure security stack, M&A-related security workstreams, implementation of a security-organization-wide data lake, and development of a centralized application code scanning platform for Adobe.

In the near future, we hope to make security programs more transparent throughout the organization by more fully embracing agile practices and increasing the visibility of engineering work. With the Adobe Security PMO leading the agile transformation across the organization, we hope to include not only engineering teams in our processes, but also non-engineering teams in critical function areas, such as compliance and operations. This transformation effort will help lead to greater business value for every team within Adobe.

Scroll to Top