
Adobe is one of the most ubiquitous brands worldwide, being present in almost every tool or industry imaginable these days. How do you secure everything and keep data safe from cyberattacks when running such a huge company? Eric Anderson, Director of Enterprise Security at Adobe, joins Matthew Stephenson to discuss how they approach cybersecurity within a team of over 30,000 employees and more than 60,000 users and vendors around the world. Eric discusses how they protect their data by keeping an eye on internal threats and always taking customer experience into consideration. He also explains how to utilize advanced technology to improve cybersecurity practices, particularly artificial intelligence.
—
Listen to the podcast here
Eric Anderson: How Do You Secure Everything?
Here in the show, we’re bringing you all of the top experts in the industry for a chat about anything interesting in keeping our world secure, specifically with regard to insider threats, both unwitting and malicious, because you never know. Sometimes people just make mistakes, and sometimes they’re bad guys. Speaking of keeping the world secure, we are, as always, very excited to welcome Eric Anderson to the show.
Eric is the Director of Enterprise Security at Adobe, where his team is focused on delivering enhanced security for directories authentication and Public Key Infrastructure, aka PKI, but also a lot more. We got to call our guy a unicorn at this. He’s been at Adobe many years, which is mind-boggling anymore, anywhere, specifically in security. Over the course of that time, he has had multiple leadership and roles across the organization, including cloud technology, IT tools and automation, IT engineering, QA, and support. I can’t even imagine. I’ve never done anything for many years besides breathing. Eric, welcome to the show.
Thanks for having me, Matt. It’s quite an introduction. I feel like I got a lot to live up to.
It’s your life. You’ve already lived it. It’s me that has a lot to live up to. That could be its own Netflix documentary, given that you have spent that much time.
I don’t know if anyone would want to watch it. Let’s be honest.
You see the stuff that people are sitting through these days. If they’re going to make it through a thirteen-episode thing on Jeffrey Dahmer, they’re going to be a lot more interested in how you’ve kept the world secure. You’ve worn one team shirt. Even Lionel Messi, who left Barcelona to go PSG in the world, just cried. Given the amount of time you have spent with Adobe, which touches everything, how does that give you a different perspective?
It’s an interesting point of view. I hadn’t thought of it. I think it’s about Adobe being such a creative focused company. To your point, we touch everything in all different industries. The part that consistently surprises me is it’s always in a way you probably don’t expect it to touch an industry. The way a financial company might use Photoshop could be very different from how a catalog company or an online retailer would use Photoshop and other suites. You get to see the super broad perspective and push the edge cases for how our products interact. That forces us internally to think the same way.
I always hate asking yes or no questions, but if this comes off as a dumb question, feel free to interpret it any way you want. The fact that Adobe is spread across pretty much every vertical, is it a boon to your team when it comes to developing and continuing to evolve your security approach? Is it a massive pain because you can’t focus on healthcare, FinTech, ICS, or anything like that?
It’s a little bit of both. Think about things like FinTech, healthcare, HIPAA, and all the ways we need to deliver for our customers. They look to us internally. If we’ve got a company that’s under banking regulations, they expect us to be able to meet some minimum bars because there’s a common good that needs to be the same in order for them to deliver to their customers.
It forces us to look at things across the board. The other thing we get good at is finding common ground of what’s the 90% rule or the 80% rule we can solve for and spend additional time in these little edge cases or something more specific and tailored for the customers we’re working with. In my world, I’m dealing more internally and making sure I’m supporting the enterprise so that our teams can interact with these customers in the vast various ways they have to do that.
How much inspiration do you get from external things when it comes to doing your internal work for Adobe, talking to customers, and hearing about their experiences? Do you bring that inside and flip that? Do you bring your internal experience outside to customers? Is there a swap, or do we need to keep these things separate in order to keep both sides equally protected?
It’s a little bit closer to the latter. We’re not building silos or trying to keep things internally without thinking about the external or vice versa. As I work with my peers in the cyberspace that deal with the enterprise, I’ve found that we tend to have more conversations like, “How do we protect employees? How do we protect vendors and anyone else we need to access Adobe data?” We look at it internally and apply our customer-focused ideas and how we’re centric on the user experience. We would reflect that internally on how we approach our security models. We work with external teams, people interacting with customers about best practices, what we think, and how we look at things. We compare that across the industry as well.
For your role and your team, how big is the ecosystem that you are charged with securing? Adobe is not a small organization.
If you think about Adobe itself, we’re somewhere south or getting very close to 30,000 employees across the company. Imagine we probably have double that when we start, including vendors, partners, interns, and contingent workers that come through. We’re talking upwards of 60,000 different types of users, employee types, and interactions on that front and then supporting all the various devices they might come in with.
That’s where we start from over 100,000 or more various devices coming in to access Adobe data and understanding what they’re doing, who they are, why they’re there, and making sure that we’re securing the company along the way. We provide extra support when we’re looking with our infrastructure teams and our cloud teams of extending that discipline, consulting, helping out looking at the vast data centers and the cloud compute and all that. You’re getting into hundreds of thousands, if not millions, of devices and types of roles that might be in play.
You said that the organization has multiple different types of devices. You’ve got the stuff that is in-house, and there’s going to be B10D. You’re also dealing with longtime veterans such as yourself. You’re dealing with people from different countries, cultures, and laws, as well as interns, contractors, and vendors. How do you wrangle that, especially from the notion of insider threats that there has to be a very disparate approach to that? Are you in a position where you’re like, “These are the rules, and this is how you follow them in order to gain access full stop?”
We’re moving towards, “This is how you do it full stop.” However, Adobe has a tradition we’ve built over the years through acquisitions, creating new products, and new markets. Every one of those brings a different challenge, vendors, and types of contractors we interact with. We try to take a holistic approach. What we’re trying to do is be thoughtful and not just do a sledgehammer approach. If you’re an employee using an Adobe-issued device, you may have one experience. If you’re a vendor bringing in one of your corporate devices, you’ll probably have a different experience. What we’re trying to apply is some common-sense entry and basic security requirements to get in the front door and make some intelligent decisions once you’re in about what makes sense and what’s reasonable.
You are a bloodied veteran of Adobe. As big and wide-ranging global company as you are, when it comes to dealing with the chaotic element of humanity, where does culture, and by culture, I mean global, with Europeans as opposed to South Americans, Asians, and Africans? Where does that come into play, or does it when you are building out your approach to security specific to the people involved and keeping them safe from themselves, keeping the network safe from them, etc.?
At Adobe, we pride ourselves on the culture we build within the company and the diversity of our employees and the people we work with. It’s been baked in, even before I was with the company. It’s one of those weird things where it’s something I never remember not being conscious of, which is great because not a lot of people can say that. Our whole company was based on diversity, creativity, and inclusiveness. The company has done a great job of continuing that from its founding up to now and evolving as society changes. Going back to your original question, as we start thinking about working with people across the globe in different regions.

I don’t know how to say this without sounding odd, but that doesn’t come into play a lot thinking about, “Is this user in India? How’s their culture going to approach this?” We’re looking at some of our vendor teams in Brazil and how we approach it. Everybody comes out on the same equal playing field, and we universally apply how we approach it across. We depend on them to help also not buy into it but represent the Adobe culture we’ve created. We look to everybody else to help provide that level of security and thoughtfulness in protecting the company. That approach is how we’ve looked at it.
They combine to make it almost like fusion food. You’re getting the spices from everywhere to continue to build and evolve the Adobe culture as opposed to, “We’ve got to compartmentalize because these people grew up here, and they may have a different approach.” If 1) They’re buying in, and 2) They’re helping to build and evolve things, you’ll get a whole lot more global than 30,000 employees spread across the world.
It feeds into the nature of creativity across the company, whether in product development or trying to secure the company. Having that many types of voices and perspectives approaching it makes us stronger.
Having many types of voices and perspectives makes the team stronger and feeds into everyone’s nature of creativity.
Speaking of that many voices and perspectives, that’s something that you have to be focused on, especially leading an organization as big and important as yours within a company this big is important. When you look at the notion of insider threats, whether unwitting or malicious, where do you tend to focus? We can do the horrific cliché of people, process, technology, or something else. Where do you start, and how do you evolve from there?
There are a couple of ways we look at it. We do a lot of training and educating about what’s expected of you, our privacy, and the standards we try to instill in people. We hope that eliminates a lot of the inadvertent types of activities. We have some mechanisms and technology we use around people as they join the company and people as they exit the company to put some guardrails or protections around them so they don’t inadvertently do something they shouldn’t do. We try to be supportive and make sure that as they leave the company, we take care of things in a secure way or have mechanisms in place to just prevent the inadvertent.
I would argue and consider if somebody is malicious within the company trying to exfiltrate or have a threat. That’s where we start looking towards some of our intelligence type of activities around user behavior analytics or looking at the device trust and looking for behaviors on it, whether it’s on a device or user activity. We try to build and feed into some of the modern things you’re seeing around AI and machine learning and trying to detect things that, “Maybe this isn’t normal. Let’s do some investigation on it.” We do a lot of work, and we partner tightly with our privacy team and litigation team and try to understand where they are seeing issues come up, where they are spending time and come up with some creative solutions on how we can mitigate those from a risk factor going forward.
I love that you mentioned working with the privacy and litigation teams. You’re talking about the human thing. Over the last few years, we’ve seen a significant cultural evolution of being an employee at a large publicly-traded company. When you are talking with the teams or providing training, or the mandatory videos that we all have to watch and click off and on, does the notion of those two teams being involved with security in any way impede your progress for explaining to the rest of the company, “This is how we make you secure, which is how we keep us secure, which is how we keep you secure?”
You would probably get different responses from different people at the company. I come from a background where my father, my brother-in-law, and a lot of my friends are all lawyers. At one point in time, I wanted to be a lawyer. For me, interacting with our legal team and everything else is always fun. I enjoy it. It’s something that I think is great. Answering your question, it helps us quite a bit and brings a little bit of a level of importance. We can talk about how great security is and what you need to do to protect yourself and the company.
You add a perspective, “We’re here to protect not only your privacy, but we’re trying to protect the company’s privacy and our reputation, build trust with our customers and build trust internally.” We can add some different perspectives that maybe folks that don’t have exposure to that part of the company can start getting some insights on how important that is and what our external customers are coming to us because of our reputation and what we deliver. The legal team is a very important part of protecting and maintaining that. It’s building that whole trust mechanism between us.
This is dope trivia. I’m sure I could google it and if you’re not allowed to tell me. How many machines does Adobe touch worldwide? Can we share that information? I don’t know how many I have in my house, but I know that there are some versions of Adobe on everything that I have here, and I’m just one dude in one house.
In all honesty, I have no idea. Adobe is ubiquitous. If you’ve got a machine running, odds are something of Adobe is on it. Even just to do your taxes or to fill out documents you’re touching, whether you’ve got it on your machine locally installed or a web interaction, it’s everywhere. I would even crank up another notch. You’re seeing it everywhere. Think about going to all the social media sites, people making videos, making memes, and posting their pictures. Odds are the majority of those have touched something Adobe somewhere along the way.
I asked that question to give the audience an idea of the level of responsibility when we talk about what your team has to protect and the way you’re saying, “We’ve got to talk about privacy, litigation unit, legal, and everything else.” You all need to understand how big this thing is.
What has always blown my mind, too, is when you start thinking about it at that scale, Adobe is a small company. We’ve got a small company. When you compare us to some of the other companies out there that are ubiquitous and touch many things, they’ve got hundreds of thousands of employees, and we’re talking 30,000 regular employees and our partners we work with. It’s a relatively small amount of super smart and creative people securing a lot of information about people.
Here’s one specific thing that you have been involved with over your tenure there, which by the way, I cannot expound how impressive that is. You have been working with Adobe ZEN solution, which is a zero-trust solution. That is something that’s been very prevalent. It’s one of those that went from “Cool,” to, “Buzz,” and now back to, “We need that.” Where does that fall into what your team is doing with this solution and this technology in general with regard to insider threats, given what we said about just how many fingers and how you have every finger in every pie in the world?
Our zero-trust adventure started a few years ago, and it was starting to take the approach of assuming compromise and assuming that the network is no longer the perimeter. We all grew up in a world where once you’re on the network, you have free reign, you can do anything, and getting on the network assumes that you are worthy of or trustworthy to get access to everything. We tried to look at what the industry was doing. At the time, Google had published all their information about BeyondTrust. Netflix was doing something along those lines, and we were like, “This makes a lot of sense for us.”
We went down our own adventurous path, taking the Adobe approach, which is, “What do we already have an investment in an engineering company? What could we do with what we have and make a small investment and see if we could get a big return out of it?” That’s exactly what we did. We worked with a few vendors we had been partnering with to deliver our internal services and started figuring out how we get them connected together and deliver us this awesome user experience. The other thing that’s the core to the Adobe group, internally and externally, is how we deliver a great experience yet secure. What we did is we moved to a model where if you had your machine managed by the enterprise, we would provide you a passwordless experience, and we could provide you a VPNless experience.
It was a little bit of a carrot and stick where it’s like, “Help us protect your device, because if your device was managed, then that allowed us to make sure we could check device postures, we could do user behaviors, and we could have some access to make it more secure.” You would have to stop having to type in your password, and you wouldn’t need to do VPN any longer. It was a perfect win-win scenario. That started us down the path, then how we extend that, build upon it, and mature. We’ve been on that road now for a few years. We were a bit ahead of the game, and we were showing other companies how you can take existing investments and start down that road. You don’t have to go and buy a vendor or boil the ocean. You can do incremental steps and mitigate your risk along the way.
Given your career path through Adobe, that you have been involved in product development and cloud-based technology and all the things you are now, how much do they want to hear from you? Are they now like, “We know you used to do this, but we do this now, so leave us alone,” and you’re like, “No, I have thoughts?” How does that interplay work? Do you disagree with being like, “You do your thing, I’ll be over here, and let me know when it’s ready?”
It’s interesting on that front end because I’ve been around for so long at the company. Adobe is very much relationship based. I’ve got some pretty deep roots and relationships across not only the product teams and other groups I’ve worked with over the years. I don’t know if they want me to roll in and tell and provide my insight without being solicited.
I feel like I can offer a voice here and there, and I’ll just reach out. Especially because of my years in the engineering world, I feel I’ve got an insight into how they look at things and what would concern them on some of the security initiatives we have or what we’re looking to do. I can reach out and talk to other folks and say, “We’re thinking about doing this. What’s your reaction to it? What do you think? How would it impact you?” My approach has always been I try to reach out to these different groups way far in advance so they’re not surprised.
Part of my whole organization, as enterprise security, is we try to be very proactive. I’d rather not surprise people. We want to be proactive from a security approach and try to build that grassroots coalition and say, “If we protect source code, how would this affect your everyday engineering and code writing and build problem? Could we help solve that?” We then get them to be advocates for the rest of the org and say, “We worked it out with the After Effects team,” and they can be our advocates to get the Premiere team to get on board. It’s more of that of the approaches we take, and it’s the way I try to interact and leverage my tenure.
It’s the curse of being the Lionel Messi of Adobe. If you’ve been there this long, I don’t have a comp for that. Maybe the Mick Jagger of Adobe. How about if we go with that? For you and your team, it sounds like you are tasked much more with protecting Adobe from the outside in. Going back to unwitting or malicious attackers, are they looking to come at you inside of your building, or is this more about Adobe users and seeking ways to piggyback on you and ride that dragon in? Where did you spend more of your time with the approach to thinking about the human factor involved with securing organizations?
For me and my world, I always see identity as the perimeter in whatever form that takes, whether it’s customers using Adobe identities to access their creative clouds. We work closely with a team that creates, manages, and protects those types of identities. I’m directly responsible for protecting employees, Adobe, and identities. For me, I always see that as the frontline. It’s an evolved part when we’re talking about zero-trust. The past would be the network. Now I’m looking at how we protect them from getting it in the first place and whether it’s social engineering or piggybacking or all the attacks that we could talk about for days of how they try to compromise a user to start with.
For me, where it all starts now is protecting that first and trying to anticipate and think about and keep on top of what’s going on in the news and the research we see. We are partnering with our internal teams. We have my peer teams in cloud security, incident response teams, security coordination centers, and threat-hunting teams. We all work together. I’m trying to figure out how we piece this world together, make sure we’re focused on what’s important and what’s the real world, then get to spend some fun time in the academic and the research space at the same time.
Cybersecurity experts work on the things that truly matter in the real world while spending some fun time in the academic and research space.
The fun time and academics, that’s what everybody else thinks too. They put those two words together.
The academic stuff is my retreat.
Given the breadth of your career and how you have been across diverse, interesting parts of the company, how important is that for someone? Let’s say that he or she is 6 or 7 years in and has been doing product development or whatever to make that hard move from support to engineering to cloud.
One thing I’m super fortunate about at Adobe is that Adobe is very much about internal movement and growth within the company. We bring in brilliant folks, and the last thing we want to do is have them leave the company and take that somewhere else. We like to try to keep the folks around, so it’s providing those opportunities. We had a program for a while, and we have an iteration of it that we used to call a shift shadow share program where people could come in and spend some time in areas that were of interest.
Maybe there’s even an opportunity down the road to join that team if it was something that was like, “This is where I want to take my career.” I’d like to think I’d benefited from things like that over my career. I haven’t done the same thing for all the years, but I’ve got this breadth of experiences in different areas that I’ve been able to try out and hopefully make a difference in and build up that bit of information and hopefully make things better as I go. That’s built into the core of how Adobe works.

Forgive me if this is too personal a question. As you have made moves within the organization to different branches, was there one of them where you were just like, “I’ve never done that before, but I think that’s cool, and I can do that, and that’s why I’m going to go do that compared to what I’m doing now?”
The one I might use as an example is, I started my career at Adobe on telephone support with customers back when it was here in the States, and I was out of the Seattle office. I’d pick up the phone and walk you through the manual parts you should have been reading. My favorite line was when somebody would call up, and I’d say, “Do you have the manual there?” Back in the day, they were printed in the box. It was like, “Turn to page 38 and read me paragraph three.” They’d read it back and go, “You solved my problem. Thank you,” and move on. That was one of my favorite calls.
RTFM was one of the answers that you are ready for.
It was a very nice way to approach it. During those, I was one of the first groups that supported After Effects over the customer support line. I got to know the After Effects engineers, the testers, and what they were doing. I have the whole video and special effects thing I’d never heard of or seen. It was like, “This looks cool. How do I get to do that?”
It was literally by volunteering to be one of the first people to do phone support where nobody had done it before, learning the product and then getting the chance to join the product team and move in that direction. That’s an example of what you asked. It’s the same in the security space. When I first joined, I came in as running directories and identities. I hadn’t done it before, but it was like, “I know this is important. This is cool. I’ve got smart people around me. I’ll figure it out.” Adobe gives you a chance to do that.

I feel like we’re just beating on you about having been there for this long. You have such a great story, and it leans so heavily into everything we talk about. End users have to put their fingerprints on Adobe. Your employees do. You have seen the evolution since the Clinton administration. You and I are the same age. I’m giving that one up. This isn’t an, “Okay, Boomer,” moment.
You have gone from floppy disk to CD ROMs to the internet to the cloud, and now we have seen the inelegant introduction of artificial intelligence, machine learning, blockchain, and NFTs. How are you feeling about where we’re going? You have had great success treading this trail for a long time. You’ve practically hiked from the Pacific to the Atlantic on this journey. Now you’ve gotten a promotion, and you’re looking like, “What do we got?” That will be my inelegant question for you.
It’s being a technologist to your point, seeing how things have evolved, and the one you left off, you forgot about ZIP drives. That’s what keeps it fun. It’s like everything keeps shifting. As soon as you feel like you’ve hit the firm ground, you get a seismic shift under you, and you have to figure out, “Am I going to ride this out, or am I jumping ship?” The way I see things going is I’m super intrigued, especially with the blockchain.
Technology keeps shifting. As soon as you feel like you’ve hit firm ground, you will get a seismic shift that you either ride on or jump out from.
I’m not sure I’m all in on it yet, and I get the idea of it. To be honest, as soon as I hear about blockchain, I immediately start thinking about quantum computing. A few years ago, people didn’t think that was going to happen soon. They got them to the point where they’re going to be commercialized in the next couple of years. What we saw in the news was they finally figured out some of that fusion that could power and pair that with quantum computing.
We’re going to have to strike all of this. We don’t want any reference to any employee of any company saying quantum computing is right around the corner.
It’s scary, isn’t it? That’s the cool part. It’s like, “How do we stay a step ahead on this? How do we make this good for humanity and protect people along the way?” It’s because it’s going to shift things. People would have said this 20 or 30 years ago when all of a sudden, you have floppy disks, and then you go to CD ROMs. That rocked the world, and people thought that was the end game. Now, nobody’s interested in any of that stuff anymore. You gotta put it in perspective. We’re on this curve that just continues to accelerate.
We talked earlier about how Adobe is prevalent on seven continents in over 200 countries and the notion of working for the betterment of humanity. That’s not going too deep. That is a real thing. That is what you guys are doing and have been doing quite well for many years.
It is a core part of who we are. Going back a little bit to AI and blockchains, one of the things I thought was neat was that Adobe announced at MAX is doing authenticity. How could we help our creators when they create images, create videos, or whatever media they’re doing and be able to guarantee their authenticity in some way through a digital footprint or fingerprint of ways we can do that by leveraging some of these new technologies? If you look at some of the stuff, we’ve got our whole AI business with the sensor, and we now have some capabilities to generate pictures that aren’t real.
As AI technology becomes more powerful, content creators must guarantee the authenticity of their works through a digital footprint.
You can say, “Show me a purple elephant,” and it will create one for you. It will also let the users and the creator know, “This is generated. This isn’t real.” This is something we’ve created and provides a level of authenticity for that so people can distinguish between reality and creation. There are some interesting ways that some of that technology’s going. If you take that up a notch, how do you apply that in a security world? How do you do that for identities or authentications and provide that level of security like a passport?
Ironically, talking about AI-generated art, over coffee I was reading an article about major comic book publishers that are putting the word out that they will not accept solicitations that are AI-generated. The idea of what you can build with AIs getting to the point where the lines of “reality” are blurring, but where is the application to security? That’s a very hippie road. We can go down to our basement in 1977 and listen to the rush and vinyl with black velvet posters on the wall.
We got a lot more to talk about. Unfortunately, we are pushing up close to time. Speaking about authenticity, this is one of the moments where I want to turn things over to you a little bit. I have one last question before we go into the leadership corner. You may have already touched on this. Is there anything that has your eye now that you feel we should be paying more attention to, some tech that looks interesting but may not quite be ready for prime time? You mentioned the fusion thing, which I saw as well. What are you looking at going that might be the one?
There’s one that I’ve been on the bandwagon for a while that I still haven’t seen something revolutionary in it yet, which is identity-proofing. That’s one of the things I’d love to see some great advancements in. When I say identity proof, what I’m talking about selfishly from an enterprise perspective is the initial onboarding of people getting them into your ecosystem.
We all talk about, “You’ve got a secure password. You’ve got your MFA. You’ve got your Adobe, your Adobe or company-issued device, that’s all secured up the gate,” but we forget about the manual and the process of getting them into the ecosystem in the first place. I think of it like when you have to go to the passport office, and you’ve got to have all this documentation to prove you are who you say you are, then they give you the passport, and then you get to use that going forward as an easy way to show people you are who you say you are.
What’s the digital equivalent of that? How can we start doing that, not only in an enterprise but in a personal world? When you sign up for your Amazon account or whatever new accounts you’ve got, or you lose your password or your account is compromised, how do we go back and have a way to prove, “This is me. Nobody else should be doing this.” That’s a whole place where we’re not spending enough time and looking at how to solve it.
You want to talk about the intersection of tech, security, legal, and privacy. That’s the conversation. Forget about a six-episode Netflix series. That is its own streaming service.
It is. If there’s a way, we can start figuring out how to crack that nut. There have been all kinds of conversations about a true digital ID that you could take with you. I find that intriguing and scary at the same time. It’s the identity-proofing piece that’s secure and private. All those things are fascinating.
Let’s move over to the Leadership Corner. This is always one of my favorite parts of the show because we’ve had some incredible guests who do incredible work and talk about all the people that they want to help and all the things that are going on that are awesome for their company and their customers. What’s happening in Eric’s world? What’s on your Spotify playlist? What are you reading? You got books on the coffee table and magazines in the bathroom. Are you cooking things? Do you garden? Do you ride unicycles?
The best part is my niece rides a unicycle to the point where I have an awesome video of her being in a unicycle parade this summer in Seattle.
I would like it to be known. We did not prep this ahead of time. There was no pre-planned unicycle talk. This is amazing.
I’m unicycle adjacent. Let’s just put it that way.
I would like to be unicycle adjacent. That would be an incredible thing to add to my CV.
In the leadership world, a book I almost go back and reread every year if you’re not familiar with it is a book called The Four Agreements by Don Miguel Ruiz. It was recommended to me many years ago by a good friend. He’s a shaman, so there’s a little bit of a spiritual angle to it. I have the poster on my wall. Whenever somebody new starts on my team, I personally buy the book and give it to them and say, “This is something I live by. I try to remember it. You can do with it what you will. Read it if you like. Throw it in the trash if you like. This is something I value.”
The Four Agreements are 1) Be impeccable with your word, 2) Never make assumptions, 3) Never take anything personally, 4) Always do your best. If you could live by those four things every day, imagine how great the world would be. It’s next to impossible to do it and super hard, but it’s something to aspire to that I believe in.
I like to work with a little John Lennon there too. You could also mention if you’re reading stuff, like if you’ve got a Clive Cussler over there or James Patterson. You can mention that too. It doesn’t always have to be, “This is the most important thing in my life.”
That was my next one. You caught me before I said it. My guilty pleasure reading is my all-time favorite author. His name is Steve Berry. He wrote this series of books from a protagonist named Cotton Malone. All these books, I swear every single one of them could be an Indiana Jones adventure novel. He’s got the best racket I’ve ever heard. He researches every one of his books. What’s fun is he’ll have this book, and it has a historical take, so you always learn something cool about history when you’re reading it in this frame of an adventure. In the last bit of the book, he’ll tell you what’s fact and fiction, “Here’s the part I made up to make the story cooler. Here’s the part that’s true.” I’m thinking, “What a great tax write-off. You got to travel the world, make a great story, and you’ve got these awesome books.” I strive to be Steve Berry.
I want to meet someone named Cotton Malone just once in my life. What better name than Indiana Jones is there than Cotton Malone? That’s incredible.
That’s my point. They’re fantastic. He usually puts out one book a year. I look forward to it all year. I read it in eight hours and have to wait another year.
Whereas opposed to the leadership books, even though you’ve read it every year for twenty years, “It’s going to be a week.”
I got to think a lot about the leadership book versus the Cotton Malone book. I can blow through it.
Shameless plugs, what do you got going on? Are you writing? Are you speaking? TED Talks? Do you host a cooking show on TikTok or anything like that? Where can people find you if they want more information?
As a security guy, I lay pretty low on the social media stuff. I have sites where I can lurk and watch things happen. I’m on LinkedIn. People can find me at Eric Anderson on LinkedIn. As far as where I’m going and what I’m doing, to be quite honest, I’m looking forward to the holiday break. One of the other great benefits of Adobe is we’re shut down between Christmas and New Year’s as a company global. We get a lot of time to reconnect with family and friends and come back refreshed in the new year. In the short term, that’s the most exciting thing I’m looking forward to. Nothing big is on the horizon yet, but I’ll make sure you’re the first to know if something cool comes along.
We’re bringing you back. As I said, we got through about half of what was written down because you kept talking about other interesting things. We gotta get back to that stuff too. In between now and then, we’re going to travel the world with Cotton Malone. You’ve given me something to do for my shut down between Christmas and New Year.
I appreciate all of your time on this. As we said, Adobe has as big a fingerprint as anybody in the world on everything we do. Knowing that the work you are putting in to keep your internal people safe, which, by extension, keeps the rest of us safe, because we touch your stuff probably a little bit less often than you do, but pretty often.
Yes, I love doing that.
Thank you for joining us on the show. A friendly reminder, all comments reflect the personal opinions of the participants and not necessarily those of their employers or organizations. For more information on all that’s good in the world of cybersecurity, make sure that you check us out. You can find us on LinkedIn and Facebook, and the mothership, ElevateSecurity.com. You can find me @PackMatt73 across all the socials and the pod.
Anywhere you go, that’s where we are, Apple, Google, Spotify, and Stitcher. Friends and family, we’re all there. All we ask is to subscribe, rate, and review. You’ll never miss all the great folks like Eric who are telling you about people named Cotton, which I don’t know why you wouldn’t want to learn more about that. By the way, you may learn something about cybersecurity as well. Until then, we will see you next time.
Important Links
- ElevateSecurity.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- Adobe
- Eric Anderson – LinkedIn
- The Four Agreements
- @PackMatt73 – Instagram
About Eric Anderson

Eric Anderson is the director of the Enterprise Security team at Adobe, where he is a strategic leader driving proactive cyber security for the enterprise including security reference architecture, zero-trust architecture, identity and access management, and endpoint security. His team is focused on delivering enhanced security for directories, authentication, public key infrastructure (PKI), and more. He is passionate about delivering a seamless user experience while helping increase the security posture of the organization. For more than 25 years, Eric has been inspiring and driving initiatives that pioneer the technology industry.