Embracing portfolio-based program management for cybersecurity

In response to the rapid emergence of AI threats and complex security challenges, organizations must prioritize the delivery of impactful security solutions. However, security organizations today often face the daunting task of having to manage numerous programs across key areas such as cloud, product, enterprise, and compliance. Moreover, ensuring comprehensive coverage, prioritizing critical programs, maintaining sustainable domain expertise, and fostering strong partnerships with key stakeholders often remain persistent challenges for the security Program Management Office (PMO).

In this blog, I will explore the advantages of applying a portfolio model in cybersecurity technical program management (TPM) to address these challenges. I will also share practical tips and learnings from Adobe’s approach to help you shape your security program management framework.

Adobe Security’s vision for portfolio program management

While the portfolio model has become a more common practice across many tech companies, its true value emerges from how organizations adapt and elevate it to meet their unique challenges. Adobe’s sheer breadth and diversity of our product ecosystem – where each product presents its own security requirements, architectural nuances, and compliance requirements – creates a uniquely complex landscape. Additionally, Adobe’s innovation in advancing AI technologies continually introduces new security considerations, making it essential that our program management strategy remains agile and forward-looking as we evolve.

To ensure every product is protected and responsive to the rapid pace of threats, Adobe Security leverages a portfolio-based program management strategy that empowers us to strategically tailor, prioritize, and coordinate security execution across all domains.

Understanding the portfolio model

At Adobe, our centralized security PMO is directly embedded within the security organization, bringing together TPMs who execute individual programs and senior portfolio TPMs who provide strategic oversight across entire security domains using a portfolio-based approach.

The portfolio model offers a holistic approach to program management – much like a brain, where each senior leader, or portfolio owner, represents a specialized region with distinct responsibilities overseeing multiple functioning areas. Portfolio TPMs serve as the neural network – connecting these regions, facilitating seamless cross-functional thinking, and enabling the organization to rapidly adapt and respond to new challenges.

Rather than assigning seasoned TPMs to single initiatives, we thoughtfully pair them with portfolio owners – leaders responsible for high-level security domains – ensuring each portfolio TPM delivers both strategic oversight and hands-on partnership across a broader set of programs within their domain.

The strategic value of portfolio TPMs

Under our model, portfolio TPMs are entrusted with responsibilities that extend beyond program execution and status reporting. By serving as strategic business partners to portfolio owners, TPMs are uniquely positioned to deliver value to the portfolio owners by proactively identifying core challenges and capability gaps spanning multiple programs. They then collaborate to address these issues through thoughtfully designed, long-term roadmaps that drive sustainable progress and organizational resilience.

The portfolio TPM model offers us several key advantages:

Comprehensive coverage across security

Portfolio TPMs are embedded directly into the strategic planning of their portfolios as a trusted program management advisor, offering broader coverage and alignment throughout the business. As members of the centralized PMO, portfolio TPMs regularly collaborate with one another to proactively identify and tackle cross-portfolio challenges like securing AI products, reducing supply chain security risks, and preventing data leaks. These initiatives span multiple security teams and often require close partnership with IT and Adobe platform teams, enabling security leadership to achieve broader visibility and address complex, organization-wide issues more effectively.

Sustainable domain expertise

Portfolio TPMs develop deep expertise within their assigned domain, maintaining continuity even as their programs evolve over time. By focusing on a specific technical domain like application security, TGRC, or enterprise security, portfolio TPMs gain specialized knowledge and a deeper understanding of their teams’ culture and projects. This enables them to identify risks and dependencies more effectively and ultimately increase program success.

Stronger strategic business partnerships

When TPMs are assigned to individual programs, frequent reassignments can disrupt domain knowledge and hinder business partnerships as TPMs must repeatedly build new relationships and ramp up to new areas. At a more senior level, portfolio TPMs are empowered to cultivate long-term partnerships with their portfolio owners, enabling them to onboard more quickly and gain the context needed to operate effectively. Partnering closely with their respective portfolio owners throughout the entire lifecycle – from planning to delivery – enables portfolio TPMs to foster deeper, end-to-end business relationships that promote alignment and long-term success.

Career growth opportunities for TPMs

By establishing the portfolio TPM role as part of the next evolution of program management, we create new pathways for career advancement and growth for our TPMs. Senior TPMs can transition into portfolio-level roles, where they serve as strategic partners to portfolio owners, who are typically senior directors and above overseeing broad areas of responsibility. At that level, portfolio TPMs gain unique visibility with security leadership by being fully integrated in staff meetings, quarterly business reviews, and annual planning cycles to lead strategic discussions and provide greater impact to the security organization. This career progression demands advanced capabilities in strategic roadmap planning, stakeholder engagement, and budget management, positioning them to drive greater organizational impact over time.

Portfolio program management in action

Given the numerous programs in security, having a clear and effective prioritization framework is necessary to allocate TPM resources effectively. This approach allows the most critical programs to receive the support they need while still providing adequate coverage to less critical programs.

The Adobe Security PMO offers tiered program management services classified by high-touch, low-touch, and self-service to cater to different needs:

• High-touch program: Comprehensive end-to-end program management, including scope, timeline, budget, risk, and dependency management.
• Low-touch program: Limited program management coverage for issue resolution, escalation, or achieving quick wins.
• Self-service program: Initiative owners can leverage the PMO-provided and supported self-starter package to manage the program independently.

A portfolio TPM may typically manage two to three high-touch programs end-to-end with “white glove” service. For larger portfolios, the PMO will provide additional TPM support for the rest of the complex programs within. The remaining, less complex programs would then follow a low-touch or self-service model, usually overseen by engineering or operations managers. When issues arise in these lower-touch programs, the portfolio TPM steps in to assist with resolution or escalation. By prioritizing programs using the tiered model and with support of additional program-level TPMs, it allows the portfolio TPM to balance overall portfolio health and scale execution excellence.

Another core element of what makes our portfolio TPMs successful is their close collaboration with one another, often meeting regularly to discuss cross-portfolio challenges, gaps, and overlaps to identify areas of synergy and potential for consolidation. By bringing portfolio TPMs together as a collective brain trust, security leadership can leverage their combined program and organizational knowledge to gain a comprehensive view of the entire organization.

Key takeaways and best practices for security

Now that you know about Adobe’s approach to portfolio-based program management, here are some best practices for implementing it effectively in your organization:

Identify portfolio owners

Identify leaders such as directors, senior directors, or VPs who oversee a broad range of programs in unique security domains where program management partnership is most needed.

Assign the right fit

Identify senior TPMs who possess both the right security domain expertise and a complementary work style to partner with the portfolio owner. Because the portfolio model relies on long-term, high-responsibility collaboration, it is essential to select TPMs with strong strategic thinking, proven execution excellence, and the interpersonal skills needed to build enduring strategic alliances.

Create a comprehensive portfolio health dashboard

Each portfolio TPM should maintain a dashboard for their portfolio, consolidating regular status updates in near real time to enable a holistic assessment. This dashboard should offer clear visibility into portfolio health, allowing portfolio owners to quickly identify both at-risk and on-track programs.

Define a clear portfolio prioritization strategy

Classify each program by criticality, complexity, or other factors to determine prioritization. This helps portfolio TPMs balance their focus on the most critical parts of the business, using models such as high-touch, low-touch, or self-service.

Collect feedback regularly

Regularly collect feedback from portfolio owners to maintain high satisfaction. Conduct program-level stakeholder surveys to gain a comprehensive view of stakeholder input.

Leverage cross-portfolio collaboration

Recognize that many programs extend beyond individual portfolio boundaries. By bringing portfolio TPMs together and leveraging their collective expertise, core challenges and risks can be surfaced to security leadership. This collaborative approach enables leadership to quickly gain a 360 real-time view of portfolio health across the organization and respond quickly to emerging challenges.

Adopting a portfolio TPM model with tiered program management services can effectively address the industry's challenges in cybersecurity program coverage, fostering stronger partnerships and enhancing our business impact as a PMO.

Looking ahead

At Adobe, we believe portfolio-based program management in security is not about structure, but about how we harness the collective knowledge and execution rigor of our PMO to empower teams to anticipate, not just react to, emerging security challenges.

As we look ahead to 2026, we’re focused on refining our portfolio TPM by standardizing best practices, capturing lessons learned to drive continuous improvement, defining portfolio-level KPIs, and integrating cross-portfolio initiatives. By investing in these areas, we hope to strengthen our ability to deliver strategic value, foster trusted business partnerships, and ensure our program management approach remains agile and effective in the face of emerging security challenges.