How Salesforce Creates Security Advocates
When it comes to advocating for cybersecurity in today’s climate of supply chain attacks, ransomware, and political instability, pointing fingers at who’s responsible won’t get any of us very far. I believe, instead, that there is an imperative for everyone to be a security advocate and I’ve learned that it is more a mindset than a specific role or responsibility.
Take, for instance, the common “if you see something, say something” signs plastered along the NYC public transit system. We are training the public to be on the lookout for potential risks, and the same goes for the tech industry when it comes to securing our most valuable assets. But how exactly do we do this at Salesforce? With the help of our customers!
Put it On Loop
At Salesforce, our customers place immense trust (our number one value!) in our ability to keep their systems running and their data secure. In the medical industry, this might be patient information. In the financial services industry, it might be investor accounts. And countless governments and localities use Salesforce to track COVID-19 vaccinations. Considering the sensitivity of this data, a successful attack by hackers could be catastrophic. Our customers deserve to know what security precautions we take and why they should trust us to hold their data.
As a Director of Information Security for Salesforce, I spend most of my time doing security advocacy work as part of the Security & Compliance Customer Success (SCCS) team within Salesforce’s greater Information Security organization. In addition to educating customers about Salesforce’s security innovations, my team also advocates on behalf of our customers to internal product and engineering teams, creating an important feedback loop.
Information security is a journey, and Salesforce recognizes the importance of learning from our customers’ security requirements and innovations so that we can continually improve. My team is a conduit for channeling these ideas to the correct engineering teams within Salesforce, and to Salesforce leadership and executives for visibility. We advocate to Salesforce leadership and product teams on behalf of our customers to drive continuous security uplift. We have also developed tooling to track and manage any security concerns raised by our customers so that even the highest levels of our leadership have visibility. Being this critical voice of our customers’ needs is all part of our defense-in-depth approach to security, an approach that layers technology, process, and people to try to prevent any single point of failure.
If You See Something, Say Something
When it comes to the “people” part of our approach to security, every Salesforce employee plays a critical role. We don’t want to make our workforce paranoid, however, so we work hard to train them in how to identify suspicious activity that could mark the beginning of something more serious. Phishing emails are a great example of this. According to experts, between 75% and 91% of attacks begin with a malicious email. Today, these social engineering attempts to con people into clicking on nefarious links or giving up secure information also extend to text messages, QR codes, social media, and the dreaded robo-call.
The term “con” as used in the phrase “con-artist” or “con game” derives from the word “confidence”. Cons inevitably rely on gaining the confidence of the “mark” or victim by using psychology. The con artist may play on the victim’s desire to help, or the victim’s ego. Who wouldn’t hold a normally locked door open for someone struggling with two dozen boxes of pizza at lunchtime?
Similarly, attackers may pose as neophytes in the victim’s industry, and attempt to establish a connection with the victim via social media (connection requests generate dopamine in our brains which make us feel good). The attacker may then ask “innocent” questions, aimed at gaining a deeper understanding of the tools and procedures in place in the victim’s company.
The recent interaction below highlights how once the attacker has primed the mark to get used to answering questions, they will often escalate the conversation to try to get information they should not have access to. In this case the information could be used to either impersonate me or identify others in my circle.
Every year the venerable DefCon hacking conference holds a competition where professionals call a target company and attempt to “innocently” elicit internal information using various guises and ruses. Watching the results of these professionals is educational and bone-chilling.
The Whole World, in Your Hands
While information security teams can take steps to reduce the amount of malicious emails and test file attachments, nothing is foolproof, and we need everyone’s help. The types of attacks outlined here (along with countless other cyber threats) require every employee to have a mindset of being a security advocate on behalf of their employer and customers.
How do we as leaders engage our workforce to act as security advocates on our company’s behalf? We have found that by making it fun, and ensuring that employees feel both empowered and valued makes a world of difference. In the email below that I recently received from Salesforce Security after reporting a phishing attempt I am congratulated, thanked, and the impact of my small action is made clear to me.
Of course it would be unrealistic to expect a 100% success rate in preventing employees from interacting with a risky email. Statistically, 12% of individuals who receive malicious attachments will click on them. If your company has more than a handful of employees, your odds aren’t great. But that only underscores the importance of security education for all.
We find it is very important not to make employees who have clicked on something they shouldn’t have feel like they have failed. Instead, these employees should be reassured that they can do better next time, and provided with links to further training. We have found that positive reinforcement leads to significantly better results than shaming does.
At Salesforce, we don’t just build security into everything we do. We share our tools and lessons learned with our ecosystem of customers and partners. We do this because we know that if we can all be better at keeping data private and secure, then we can focus on innovation and growing stronger together.
To learn more about educating your users, protecting your Salesforce org, and encouraging a culture of security at your organization, check out the Security Basics module on Trailhead, our free online learning platform. There, you can learn in-demand skills, earn resume-worthy credentials, and connect with a community of Trailblazers for mentorship and employment opportunities.
I hope that this blog post has provided you with food for thought and encouraged you to be a security advocate and to enlist others to do so.