Catching up with Adobe’s Chief Security Officer, Maarten Van Horenbeeck
           
          
Maarten Van Horenbeeck joined Adobe as our chief security officer last fall. We caught up with Maarten to get his thoughts on the industry, his career journey, what piqued his initial interest in cybersecurity, and predictions for what’s next.
 
Maarten Van Horenbeeck, Chief Security Officer at Adobe, is part of the Adobe Legal, Security, Policy, and Trust organization. This group is focused on leveraging technology, law, and policy to further strengthen Adobe’s products and services to deliver exceptional digital experiences built on trust.
Let’s talk a bit about your career and background. Did you always know you wanted to work in cybersecurity?
When I was quite young in the ’80s, my mom introduced me to a movie called “War Games.” It was a movie about a boy who is looking to break into a vendor of computer games, but accidentally hacks into a military computer in charge of the nuclear arsenal of the United States. When I saw that movie, I had this immediate feeling of excitement and wonder about the endless possibilities that the world of technology could offer.
For me, the most interesting aspect of cybersecurity is that we always continue to learn. A few years after I got my first computer, I was introduced to the harsh realities of cyber technology. Within the first week of having my computer, I had my first encounter with a computer virus. Instead of the panic that typically follows discovering you have a problem, it kicked off a deep interest where I started collecting and analyzing computer viruses and eventually dedicated the rest of my career to the exciting unknowns of cybersecurity.
                 
                
You’ve had experience across several companies and industries. What are some of the key takeaways from this journey that have helped you grow in your career?
My first takeaway is that security can be a very lonely industry. By definition, the challenges we are faced with are adversarial — you’re not only defending against reliability issues, but on the other side, there is an adversary who is actively probing the defenses you build, and is looking to bypass them. As a result, as a defender you need to get many things right, and the adversary only needs to find a smaller set of issues to be successful. This can be a deeply sobering experience.
My biggest learning from this was that nothing is more important than the network you build. Find individuals who are facing the same issues, and collaborate with them to constantly grow your own capabilities. Having the ability to share your concerns with others, and learning from each other’s experiences, is crucial to building a happy and healthy career in cybersecurity.
Second, in cybersecurity, you have the ability to truly stand on the shoulders of giants. This industry has a long-standing history, and it can be easy to look at the latest technologies and ignore what we’ve learned. Don’t. There is much to be learned from attempts, both successful and failed, to build better security programs. Whether it’s standards published by NIST, research papers and books published, or public incident response reports, each of these offers an opportunity to continue learning. Getting the historical perspective is an important part of becoming a well-rounded cybersecurity professional.
Third, avoid the secrecy trap. It’s easy to think in security that we need to keep all information on our programs secret, to best protect the organization. This can even lead to security teams not even sharing lessons internally, within our own teams. The very best security programs are rooted in an understanding that we need to effectively learn as an organization. This means sharing what we’ve learned in ways that make sense to others, providing them with the context they need to make better security decisions. When we tell others exactly what to do, without sharing the “why”, we don’t give them the ability to learn, which is what truly leads to resilience.
What attracted you to Adobe?
I mentioned partnerships being an important aspect of the security industry, and that is one of the main things that attracted me to Adobe. The most successful teams I’ve built have had close partnerships with others across the industry.
When I learned of Adobe’s next chapter to bring together the Legal, Security and Policy teams, I was drawn to the company’s vision. To strengthen products and services and deliver digital experiences that are built on trust, you need to have this combined strength. With this, we can influence policy to further improve industry cybersecurity efforts — have a solid understanding of the regulatory and legal landscape, and bring strong technical solutions to bear — you can be more successful with more tools in your toolbox.
The second thing that attracted me to Adobe is the talent that we have. I first worked with the Adobe security team while I was at Microsoft, over 11 years ago. From that partnership, I walked away realizing the depth and width this team brings to the table. Over the last few years, the Adobe security team introduced and open sourced our Common Controls Framework, helping others implement streamlined compliance programs. We also released a Living off the Land classifier, to help identify so-called Living off the Land tools, which adversaries use to maintain a foothold on systems without using malware. There’s a lot of talent at Adobe and I am really excited to work together and share more learnings with the community.
What do you feel is the most important aspect of your job?
The most important part of my role is to meet the right people, and share with them the right stories to truly make an impact. As a CSO, it is hard to try and control every situation — and play defense to try and prevent every issue. Instead, hone in on where the organization isn’t sufficiently resilient, and make the case to the right people and make improvements that better protect the organization.
This means we have to be excellent networkers, and understand the needs and challenges that engineering, IT and business leaders encounter on a daily basis. We also have to be really good at sharing security opportunities in a way they understand. Not scare them with fear, uncertainty and doubt, but offer realistic risks and practical approaches to help mitigate them.
We also need to continue to have an open mind and learn. Cybersecurity is constantly changing, and it’s hard to keep up to speed with the latest attacks and technologies we can leverage to protect our organizations. The best way to get there is by hiring incredibly talented people, and giving them the opportunity to experiment and build.
What are some of the current trends in cybersecurity where you see the most opportunity?
Some of the most significant challenges I see ahead are regulatory — global organizations that operate across the world must continuously evaluate the laws and policies of those countries. It is not uncommon for cybersecurity policy in different countries not to be aligned, and it requires diligent work and creativity to stay current with those requirements. There’s a real opportunity here for government policymakers and the industry to come together and build solid, aligned best practices.
A second area of opportunity I see is the deepening interdependence between software and services. This type of integration can enable rapid innovation online. When you’re building a new application, you can focus on the things you are best at, and use different tools that specialize in ways that may not be your core expertise, but this can also introduce new potential risks. Finding ways to build these integrations safely requires focused effort by teams. This can create opportunities for new solutions and ideas that safely allow these interactions.
What advice would you give to aspiring cybersecurity leaders?
If there were two pieces of advice I could share with new cybersecurity talent, it would first of all be to always seek opportunities to try new things in the field. When I got started, a cybersecurity consultant would have to do it all — forensics, hardening systems, penetration testing, compliance. Because there were few consultants and many problems, I often got to learn entirely new fields “on the job.” Today, that’s a lot harder. Security teams have many more specialized roles, making it harder to try new things and really figure out what you enjoy, and what you are good at. For security leadership roles, having that broad experience is truly invaluable, so I’d highly recommend seeking out teams and roles where you get exposure to a broad understanding of the field.
Second, with any cybersecurity issue, as you’re working to understand it, always ask yourself the question “why?” The security field goes very deep — it’s easy to be satisfied with the first answer to that question. For instance, you may feel the reason for a successful phishing attack is that someone clicked a phishing message and they “shouldn’t have.” That’s not sufficient enough of an answer — you will never get every user to not click such a message. Understand the root causes of the issue, and how you can mitigate it, and you’ll be vastly more successful at your role. That does require becoming familiar with the technical ins and outs of most security risks, but it will pay dividends as you look to puzzle together the right solutions to truly protect an organization.
Finally, what would be something people would be surprised to know about you?
I am a huge gardener! Few things give me more joy than seeing plants grow, especially trees. One of my proudest accomplishments is growing a giant sequoia, the large trees growing on the western slopes of the Sierra Nevada mountains, from a seed at my home in San Francisco.