Thu, 12 January 2023
Today on the Salesforce Admins Podcast, we talk to Lynn Simons, Senior Director of Security Awareness and Engagement, and Laura Pelkey, Senior Manager of Security Customer Engagement, both at Salesforce.
Join us as we talk about security and security awareness for admins.
You should subscribe for the full episode, but here are a few takeaways from our conversation with Lynn Simons and Laura Pelkey.
Build good security habits
We wanted to start 2023 off right with a focus on security. Because there’s always a new threat on the horizon, Lynn reminds us that good security is really about understanding the broader concepts and building good habits. That means having a handle on ideas like the Principle of Least Privilege, and then putting them into practice as you set permissions and access in your org.
When it comes to getting started with security, Lynn has three main tips:
Lynn and Laura have some specific tips for each of these, but the big idea is that security is really a state of mind. Understanding the broader concept of limiting access will help with the little things, like defaulting to the most restrictive data access when you’re building permissions, or making sure you periodically deactivate unused accounts.
Engage with other teams in your organization
Laura recommends that you look for ways to actively engage with security and IT beyond the Salesforce platform. Not only will it make it easier to get help when you need it down the road, but it also helps you understand how the pieces of the security puzzle fit together in your organization.
“Salesforce user credentials are probably one of the more targeted things that attackers might be after,” Laura says, so looking at threats outside of Salesforce, like phishing, is crucial to the security of your org. Educate your users and help them understand these threats and why they’re so important. Interface with other departments to get the information you need—for example, so you know someone’s leaving your organization and you need to remove their Salesforce access.
Planning for the worst-case scenario
Despite all your planning, things can go wrong and you need to decide ahead of time what you’ll do in the event of a breach. “Every company that has a good security posture has incident response plans already in place, and remediation plans already in place for many different scenarios,” Laura says.
Talk through what you should do in any likely scenario with stakeholders and your IT team. For example, if one of your users’ credentials gets stolen, who should you tell first? Being proactive about security will only reflect well on you—don’t worry about coming across as a Chicken Little. “If one of our Salesforce Admins came to us with a breach remediation plan,” Laura says, “I would be so excited.”
Mike: Welcome to the Salesforce Admins Podcast, where we talk about product, community, and career to help you become an awesome admin. And hey, we're kicking off 2023 by talking about security and security awareness for admins. We want you to be security minded this year as you always are. And to do this, we're bringing back a couple of my favorite guests. Everybody's my favorite guest, but Lynn Simons, who is Senior Director of Security Awareness and Engagement at Salesforce. And Laura Pelkey, I bet you have run into Laura and Lynn, Laura Pelkey, who is Senior Manager, Security Customer Engagement.
Laura Pelkey: Hey Mike.
Lynn Simons: Hi Mike. So good to be on the podcast again.
Mike: It's been a while. We've had each of you on individually because we know that security is top of mind for admins, which is why we're starting off 2023 with a security minded episode. So Lynn, I'm going to start with you. What's it mean as an admin to be security minded?
Lynn Simons: Love that question. It's really about how you are thinking over time as you're doing your other work as an administrator. And I think it's really smart to think about the broader principles because the thing is with security, it's always changing and the risks are always new. So really understanding key security principles like least privilege and using that as your guide, as you set permissions and access is really going to be a great start to being security minded. Also knowing what resources are out there for you as a Salesforce admin on the admin's website through other Salesforce resources that then by talking to fellow admins, that's another great way to find resources.
Mike: Laura, it's been a while and a few people have been out a couple days ago celebrating the new year, had too much bubbly and forgot what the principle of least privilege is. Can you help me understand that?
Laura Pelkey: Well, I don't know how anyone could forget about the principle of least privilege-
Mike: You don't know how strong the champagne was on New Year's Eve.
Laura Pelkey: ... I certainly think about it all the time. That's a good point. Yes. So the principle of least privilege, that is one of the fundamental tenets of cybersecurity. And really what it is, is making sure that your users don't have access to anything that they don't absolutely need access to. So it's really about restricting permissions and ability to act within your Salesforce org in your implementation to just what's absolutely necessary. And that helps to reduce risk across the organization.
Mike: I think of Dwight in The Office letting me know that I'm security level three, but that's out of 300.
Laura Pelkey: Yeah, exactly.
Mike: Got you.
Laura Pelkey: And Beets, Battlestar Galactica, and Bears.
Mike: Beets. Beets, Battlestar Galactica. Lynn, you mentioned reviewing security related changes with every release. What are some of the things that admins should look for in terms of changes in a release?
Lynn Simons: That's a super important thing to do. I would really look for things that have to do with permissions and access first. Looking for words that have to do with how profiles are set around allow lists and block lists. Jump in Laura if you can think of anything. But really those profile and permission related things are the lowest hanging fruit, I think in releases.
Laura Pelkey: And I know there've been some updates around guest user access and configuring that. And it's also something that is important for admins to pay attention to, that particular release update.
Mike: So we can obviously spend a whole lot of time talking about things they should be doing in the app, but we're thinking ahead, we're out there, we're maybe back in the office walking around seeing our users. What are some of the things that admins can pay attention to in terms of security habits outside of Salesforce that they could help bring a best practice for their users? And Laura, if you want to kick us off, you're usually out talking at user groups.
Laura Pelkey: I love this question. So this is something, actually, Lynn and I talk about this a lot. Lynn actually runs our Security Awareness Program at Salesforce, and her and our team have to partner really closely with our IT team on something called phishing tests. And Lynn, obviously you can talk about this in more detail, but that's actually something that's really an interesting way for admins to create inroads with their IT teams or their IT leadership and partner outside of the whole world of Salesforce, but really in a way that uplifts the security of their company or their organization as a whole. Lynn, I don't know if you have any thoughts on how an admin might go about partnering with an IT director or someone on the IT team to do phishing tests.
Lynn Simons: Sure. One of the things that security teams are always thinking about is what does the threat landscape look like? And they'll even do things called threat models to design how particular systems can be infiltrated by an actor. And it's really welcomed by a security team to be finding out from people in the company what kind of risks they're seeing. So as a person who runs a security awareness team, if I heard from our Salesforce administrator, of course we use Salesforce too, and I heard that they were thinking of some behaviors or risks that could be creating some type of potential attack, then I would really want to keep, I'd be all ears. So reaching out to that team and I think you can reach out to a security awareness professional or somebody who does user management and say, hey, the people I'm working with as a Salesforce administrator are using Salesforce.
Laura Pelkey: And if you think about it, Salesforce user credentials are probably one of the more often targeted things that attackers might be after. And so you're not only helping to bolster the security of all of the employees at your company by educating around this passively, using phishing tests, but you're also bolstering the security of your Salesforce implementation by educating your user base on this. So it's a win-win really for everyone.
Mike: Yeah, I could see that. And I think I've seen a few come through that, I don't know Lynn, if you've been the mastermind behind, but they've been awfully legit. They look really good.
Lynn Simons: Definitely my wonderful team is doing that. And we really work with the various departments in the company to identify what's going to be germane to our audiences so that we can understand the difficulty level that they're able to respond to. And also part of that is that reporting behavior. As a security awareness person on a podcast, I have to say that it's really not just all about clicking on these emails, it's really about what happens after that when people like Laura said, might enter their credentials. And then also that activity of seeing something weird, seeing something suspicious and reporting it to your security team. And you can be a great friend of the security team by helping your user population understand that there's a way to report suspicious activity, not just ignore it, not sweep it under the rug, but let the security team know as soon as possible.
Mike: I'd love to know when you sit down with new clients or even existing customers, what are some of the questions that I think genuinely they ask? Not knowing it could be a security risk. I think of, we all know the sharing credentials stuff is not something that people should do, but are there questions out there that people perceive as well, this isn't creating a security risk, but it actually is?
Laura Pelkey: I'll jump in if you don't mind to answer this. So just when I'm on the floor at Dreamforce or on the floor at a world tour or TDX, actually one of the most common topics that come up that people don't naturally associate with security is actually how permissions are configured. How user permissions are configured. So the whole concept of access within a Salesforce org is often not thought of as security, but really this all ties in back to that principle of least privilege that you asked about earlier, Mike. And just because someone is a registered user or is in your org is supposed to be in your org, that doesn't mean that there's no risk associated with them having access to certain objects or fields that they shouldn't have access to.
Lynn Simons: That's really interesting Laura, because it's related to the example I was going to give with customers I've talked to at Dreamforce. In particular with non-profit customers where they have a volunteer base that might have access to Salesforce, that can be a very transient group of people. And there's also this feeling of goodwill in that industry that assumes the best intent. Of course, we want to assume best intent of people in general, but in terms of protecting data, we generally think more in terms of, okay, let's start with no access and then let's build on that. And particularly with nonprofits, there's this risk because of the donor data and credit card data that's really at the heart of how nonprofits are operating.
Mike: Yeah. Removing unused, especially when an employee leaves. I think that's always something that I know as an admin I had to work diligently with my HR team to try and get on lists. And it's not me being nosy, I don't need to know who's leaving the company. I need to know so that I can ensure the day after they leave, they can't still log into Salesforce.
Lynn Simons: Exactly.
Mike: So let me tangent off that. What are some departments that you commonly tell admins to go reach out and have best practice discussions with or build relationships with? I know you mentioned IT, I'm guessing HR is another one.
Lynn Simons: Absolutely. And I think it's important to understand who is the business owner and purchaser of Salesforce at your company, because there can be a scenario where IT isn't deeply involved and there are business people who own the implementation. And particularly in that case, you're going to want to know who those individuals are because the buyer may have received information that's valuable to you. So let's say it's the head of sales, they might be getting emails from Salesforce that are really, really valuable to you as administrator around changes that are upcoming around big announcements and that kind of thing. So I think being in lockstep with that team would be really critical.
Laura Pelkey: And it actually all really goes back to thinking like a security advocate. And so when you have that mindset of, okay, my priority is to really advocate for cybersecurity, not just in terms of to my user base, but to the company and to the leaders in my company, that's a great mindset to have. And the first thing you want to do when you're doing that kind of work is identifying who the stakeholders are, who cares about security. And so that can be IT. If you have a cybersecurity team that's often larger companies may have a cybersecurity team and smaller companies may not, but that's not always a given.
Lynn Simons: And just one other one that can actually be part of HR depending on the company, is your employee communications team. Because those are the individuals who you could influence in terms of company newsletters or other types of all hands where reminders around security best practices in Salesforce if you have a really broad audience of employees using the tool, I think knowing those comms people is going to give you a voice that's perhaps a more powerful and louder voice than your own at a large company.
Mike: Yeah, that makes sense. One thing I thought of, and it's because I watched way too much Weather Channel, which I forgot to get a tour of their offices when I was down in Atlanta, but it's all my to-do list. So anybody that works at the Weather Channel listens to this podcast, because I'm sure there's all of you, I want a tour. One thing they talk about, because it's storm season, we're in the Midwest, you guys are out West, you don't get anything. But in the Midwest and especially the East Coast, it's like prepare for snow and bad weather. And even in the South they're starting to get some tornadoes. One thing I think we often talk about a lot in security is how do we keep the doors locked?
Laura Pelkey: That's such a good question.
Lynn Simons: It's such a great question. And I always go back to the first step to that and actually learned it from an MVP, which is cool, which is that documentation is incredibly important when it comes to dealing with security issues. So if you have a documented plan for how to deal with those things, you're going to be setting yourself up to not panic and be able to have some of your own guide for what to do. And secondly, those relationships that we just talked about really come to the forefront. Because investing in those relationships, you can make the plans that you need. Number one, reporting. Number two, being able to communicate as we were talking about. And then Laura, if you want to take over from the orgs themselves what to do there, I'd love for your take on that.
Laura Pelkey: Well I think so, not to use the B word, but what we're really talking about is a breach remediation plan.
Mike: Thank you for telling me what the B word was.
Laura Pelkey: [inaudible].
Mike: I had no idea.
Lynn Simons: I don't even say the word.
Laura Pelkey: But it's okay. We should be prepared as admins. I say I was an admin a long time ago, but-
Mike: You're still an admin.
Laura Pelkey: I think once an admin, always an admin. We do need to be prepared in the event of a breach. And every company that has a good security posture has incident response plans already in place and remediation plans already in place for many different scenarios. And so it really depends on your implementation and your company and the resources you have at your disposal. So I don't want to give one blanket answer because it just depends on a lot of different factors. But proactively sitting down with those security stakeholders like we were talking about, this would actually be an amazing first step at connecting with these people once you've identified the stakeholders and saying, hey, I would like to create some breach remediation plans for the following scenarios.
Lynn Simons: Those incident response teams really live and die by their operating procedures. So I think by working together to create that documentation, they can actually integrate that plan into their own plan. So they know, okay, they hear from Jane admin that that means that this particular procedure kicks into play in that moment.
Mike: I think one of the key things I thought you said there, Laura, was who owns the step. I think a lot of documents are always drawn up with here's the steps and then everybody looks at themselves as to okay, who does number one?
Laura Pelkey: Yeah, that's super important. And I think Lynn can probably feel the same way, if one of our Salesforce admins came to us and said, hi, I'm proposing this breach remediation plan, here are the scenarios. I'd love for you to be an owner of this, will you agree to do this? I would be like, oh my gosh, this person is so amazingly security conscious. I would be so excited.
Lynn Simons: We'd be thrilled.
Laura Pelkey: But we're just security dorks. But still it would be really great. And if you want to just purely from a career perspective as an admin, if you want to make a name for yourself and you start doing things like that at your company or organization, people are going to start knowing who you are and thinking, wow, this person is bringing a lot to the table.
Mike: I think for our next event that you are both at, you should have fancy buttons made or stickers, people like stickers, maybe put a Twitter poll out, see what people like more because I don't know, Mike doesn't always know and have them bring you their security plan for some sort of fancy hot rod sticker or plushy that's like, I've got a security plan.
Lynn Simons: Ooh, I love that.
Mike: You could rock that badge. Because that's a badge you want people to have.
Lynn Simons: And I also-
Laura Pelkey: I know I'm getting ideas for content that while we're talking about this.
Mike: Yes, and you can write that content on admin.salesforce.com
Lynn Simons: I just also want to just mention one thing, I'm sorry Mike, is that you also, in these kind of big B scenarios, you want to avoid communication paralysis, which is what happens. So keeping your list of users really clean is important, and knowing what your primary mechanism is for reaching them during these situations is really critical. So if you're using Slack, that can be really easy to reach people on a special channel dedicated to, I don't know what you call the channel, but emergency Salesforce things or something like that. But-
Mike: The channel you don't want to get a notification from.
Lynn Simons: I think that having a mechanism planned in advance for reaching people, because really in these kind of scenarios people just want updates. And even if the update is there is no update, I think that that can be enough.
Mike: So as we wrap a bow on our first episode of 2023, I'd love to know if you have one best practice or something you do that you think is unique to you that is a security thing that admins should be doing. And I ask that because I continue to go back to the example of how Lynn at a Salesforce office when I very, very, I was just a wee little Salesforce employee, I was only a few months old, showed me how to use LastPass and it has forever changed my life. And I feel like I have been a LastPass advocate to all of my friends ever since then. But it's kind of peering over the shoulder of a mechanic. You're like, oh wow, that's how you do that. Or watching a chef cut something, you're like, that's so much cooler than the way that I would love to do. Is there something from your security minds that you do that you feel could be passed on to other admins?
Laura Pelkey: Oh, I love the LastPass example.
Lynn Simons: Yeah, that was-
Laura Pelkey: I love LastPass also.
Lynn Simons: I was just going to say eight years later. It was the one I was going to say. So that tells you how powerful of a security tool it is. It's just incredibly critical.
Laura Pelkey: For me, just my friends, my family, I get made fun of constantly for how security minded I am. And I don't feel bad about it. I think it's great to be security minded, just the amount of information that I will share on social media, on the internet in any way. I'm very restrictive of the information that I'll put out there. Even my phone number, when you're online shopping and you have to enter your phone number. I really don't even like to do that. I like to do the 555-555-555, million fives, if I can. But just being really, really, really conscious when somebody's asking you for information. So if you get a call from your bank or if you get an email from your bank or someone pretending to be your bank asking you for any personal information or data, I'm the first person that will be like, no, I'm not going to give you that.
Mike: I like that. That's one thing that I think I've definitely picked up from you and the security team and a lot of the stuff that I've read too is if somebody calls you and how come you don't know this? You should know this, so let me just call you back because then I'm not giving that information out. But that's good to know. Because especially the phone number thing, I think we're so innocuous and Lynn, you can probably tell me what that is, but it's like when somebody tries to win over your confidence, because I feel like what Laura described was at our heart in nature, we want to be helpful, we want to help this person on the other line and just get back to our work. But that's actually a certain type of attack and I forget what it's called.
Lynn Simons: Social engineering.
Mike: Social engineering. Darn it. I'll get that question wrong on our quiz.
Lynn Simons: And I'll tell you one of the more recent ones that I think is particularly interesting and something that parents or just friends of friends or people who have parents, something to be thinking about is how much we use video and photos now in our online personas. And we even work with our own marketing and social teams at Salesforce as they use photography and videos, that whatever is in the background of your photo are all clues for some nefarious person or organization to learn more about you. I always try to remind our employees that attackers have all the time in the world and they will be very patient until they get all of the information they need in order to do that attack.
Mike: Both good tips. Leave on a positive note as a to-do item for our listeners, what would be an article or a piece of content you would suggest they read on admin.salesforce.com?
Laura Pelkey: Well, we have one of our amazing colleagues, Tammy Ron has written a blog series covering MFA and really how to prepare your end users. Lots of amazing tips. I think it's a three-part series and I know they're all up on admin.salesforce.com, so I would definitely urge people to check those out.
Mike: Cool. And of course, Trailblazer DX is just around the corner, so.
Laura Pelkey: Yes.
Mike: I'm sure we can see both of you there.
Laura Pelkey: [inaudible].
Mike: And they can show up with your security plans and get a fancy security shield.
Laura Pelkey: Where Lynn and I are hesitant to agree because we're like, are we going to get in trouble for advising our customers on cybersecurity?
Mike: I know we could just wear a button.
Laura Pelkey: No, I love that idea though.
Lynn Simons: Yeah. And I'll admit it, I still love the stickers. Still love the stickers.
Mike: People like stickers.
Laura Pelkey: Yeah.
Mike: They're good. They're always good. And plushies, we learned that on a previous podcast. People-
Lynn Simons: I like stickers more than plushies, but that's me.
Mike: Stickers have mobility. It's hard to-
Laura Pelkey: And variety.
Mike: ... A few hundred plushies with you and not look creepy.
Lynn Simons: It's been done, I'm sure.
Mike: Sure it has.
Laura Pelkey: The day after Dreamforce, all the people on all the airplanes.
Mike: Planes.
Laura Pelkey: And with all their plushies.
Mike: [inaudible] Luggage just...
Laura Pelkey: Must be a sight.
Mike: Well, it was great having both of you on and I'll be sure to include the link to the piece of content that you mentioned. So thank you both for hopping on the podcast and kicking off this year, keeping us safe and secure.
Laura Pelkey: Thank you, Mike.
Lynn Simons: Thanks so much, Mike.
Mike: So it was fun to have Lynn and Laura back on the podcast. What a great way to kick off 2023. Let's be security minded. I go back to all of the tips that they've shared with me and a lot of stuff that we've thought about too. The one takeaway that I really happen to think of as we were recording this podcast was I never really sat down and thought about what I would do if a user showed as logging in from two different locations. What are the steps and how do I follow that? And who are the people I need to reach out to in my security? But that's why we do the podcast because then we're thinking about this stuff in advance, right? It's like the Weather Channel. We're making a plan before the storm comes so that if the storm comes, we're already set and we're prepared and we know who needs to do what.
Direct download: Kick_Off_2023_as_a_Security-Minded_Admin_with_Lynn_Simons_and_Laura_Pelkey.mp3
Category:general -- posted at: 3:00am PDT