Salesforce’s recent acquisition of Slack underlines the organization’s desire to improve efficiency and drive value in a multitude of ways. Since its inception as a CRM designed to empower sales teams through automation, Salesforce has added countless features and capabilities while becoming a storage hub for vast amounts of an organization’s data.
That evolution has made the tool a dream come true for companies in a wide variety of industries, but it’s proven to be a massive headache for compliance professionals and internal audit teams.
Although companies might begin their Salesforce adoption in a single department — sales, for instance — the platform’s broad use cases mean that the implementation could expand to other parts of the organization. As capabilities expand, new users and permission sets are added and developers write new code, expanding a company’s exposure to vulnerabilities and making it far more difficult to conduct accurate audits.
As complexities increase, both due to broadening Salesforce adoption within an organization and the growing number of regulatory bodies that hold these organizations to account, internal audit teams are likely to struggle with compliance and should consider outsourcing some of their needs to specialized third parties. These groups will have experience securing highly customized applications, the sharing of data between independent departments, and a wealth of valuable customer and company data.
Before picking up the phone and calling an expert, however, take these three proactive steps:
- Configure the right tools for the job
As much as people wish it were, security isn’t a plug-and-play initiative. Purchasing tools to secure your data is like buying bricks to build a house — they’re absolutely part of the picture, but no more an end result than a pile of bricks. You need a strategy that takes into account how your data is used, the tools you have to control its flow, and how those tools are configured to mitigate risk.
Once you have a plan, you need to decide how it will be put into action, and by whom. Explain how the plan will help improve security to get buy-in from stakeholders, and assign key players clearly designated responsibilities to ensure that nothing slips through the cracks.
- Evolve with your organization
Organizations change, and new fields, lists, reports, and features are constantly being added to your Salesforce org. Before they’re released into the wild, make sure each piece of data is classified properly. That means identifying which fields should be protected and whether Salesforce Shield, other applications, and/or the Salesforce platform itself can meet these protection needs.
The Security Architecture designed in your aforementioned strategy must be periodically reviewed for proper implementation and compliance. This is best achieved by implementing SecOps and ensuring that the applications built and deployed upon the Salesforce platform are subject to it. Given the potential for rapid development and deployment on the Salesforce platform, failure to implement SecOps translates directly to being perpetually at higher risk — and behind a mountain of security debt.
- Don’t fear the audit
Audits are designed to reveal blind spots or security vulnerabilities before they present a problem, and while the resulting reports are hardly best-seller material, they contain valuable insights that can shore up gaps in your organization’s security posture — provided you take advantage of them.
Conducting regular security audits will help stress-test your strategy, but these exercises are useful only if you put the findings into practice promptly. Make sure that each audit concludes with a thorough investigation into findings and a reassessment of your security strategy before the books are put away until the next quarter.
Salesforce is an incredible tool, and the platform has expanded far beyond what early adopters could have thought possible. Unfortunately, that impressive suite of capabilities has led some organizations to mistakenly assume Salesforce is solely responsible for data stored on the platform. That couldn’t be further from the truth, and business leaders should reevaluate their security measures and Salesforce configuration settings to take steps toward a more secure future.