TechSpective Podcast Episode 141

I had the pleasure of speaking with Devansh Sharma, Senior Security and Compliance Product Owner at Adobe, about a game-changing approach to security and compliance: Adobe’s Common Controls Framework (CCF). If you’ve ever been overwhelmed by the complexity of navigating multiple regulatory standards—PCI, HIPAA, SOX, you name it—this episode is packed with insights you won’t want to miss.

What is Adobe’s Common Controls Framework (CCF)?

CCF is Adobe’s answer to the growing complexity of managing compliance. Devansh explains how CCF simplifies and unifies security and compliance controls into a single, cohesive framework. Instead of treating each regulatory requirement separately, Adobe created a Venn diagram of overlapping standards and boiled it down to the essentials. This approach allows Adobe to meet over 4,300 different security control requirements while reducing the actual number of controls to just over 300.

In essence, Adobe is ensuring that by meeting the strictest standard in the bunch, they automatically cover all other requirements. This level of efficiency is invaluable in today’s complex regulatory landscape, especially as organizations scale and acquire new products.

Security Should Drive Compliance

One of the central themes Devansh stresses in our conversation is that compliance should not just be about checking boxes. Rather, it should be security-first, with compliance as a natural byproduct of strong security practices. If an organization focuses on securing its systems, compliance will follow. However, the reverse isn’t true—merely being compliant doesn’t mean you’re secure.

By embedding security into the core of Adobe’s CCF, the company ensures that it isn’t just meeting regulatory requirements, but genuinely reducing risks.

Automation and AI Powering the Future

It wouldn’t be an Adobe conversation without touching on the future of AI. Adobe is increasingly incorporating automation into compliance testing, reducing the need for manual processes and ensuring continuous, real-time compliance. Devansh gives us a glimpse of where the industry is headed with automation tools that scan cloud configurations and alert teams to security gaps across thousands of accounts—all without human intervention.

Imagine automating 100% of compliance checks instead of relying on a sample-based approach. AI and machine learning are not only set to revolutionize Adobe’s internal processes but could also be a game-changer for how other organizations approach security and compliance.

Tackling Emerging Threats

While the CCF helps Adobe manage compliance and security, Devansh highlights emerging threats that every organization should be preparing for, including supply chain vulnerabilities and AI-driven phishing attacks. As the world becomes more interconnected, it’s not enough to focus only on internal security. Protecting your organization means ensuring the security of vendors and third parties as well.

Why This Matters: Scaling Security and Building Trust

A particularly compelling part of the conversation is how Adobe’s CCF fosters transparency and builds trust with customers. By open-sourcing the CCF and continuously engaging with customers and external auditors, Adobe demonstrates its commitment to proactive compliance. Customers and partners can see exactly how Adobe is protecting their data and complying with global regulations.

Adobe’s proactive approach also helps reduce “compliance fatigue” within the organization. By embedding compliance within the SDLC (Software Development Lifecycle), product teams aren’t bogged down by the complexities of meeting different regulations—they build compliant products from the start.

Want to Learn More?

If you’re looking for ways to simplify your organization’s compliance or if you’re curious about how AI and automation are transforming security, this episode is a must-listen. Devansh Sharma offers unique insights into how Adobe has built a robust, scalable compliance framework and shares advice on how other organizations can follow suit.

Watch the podcast on YouTube or listen to the full podcast–linked below or on your favorite podcast platform–and learn how Adobe is leading the charge toward proactive compliance driven by security, scalability, and automation.

Don’t forget to subscribe and follow TechSpective for more expert conversations on the latest in cybersecurity, compliance, and technology!

About
Latest Posts

Tony Bradley

Editor-in-Chief at TechSpective

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.