Enterprise security is an incredibly complex subject, and it is easy to get lost in the details. Enabling individual security measures here and there might provide some small protection against a threat, but it is far more important to maintain focus on the big picture. If each individual defense measure is like a brick, the end goal is not a pile of bricks but a cathedral.
I like the concept of a cathedral of governance because it describes an effective — and to some degree, uncommon — approach to security. This approach is about building something elegant that people want to embrace instead of combining various ingredients like walls and a roof in a poorly designed jumble.
Many enterprise organizations started using Salesforce as a CRM and paid little attention to the amount of data they put online. Salesforce takes security seriously and has never had a breach to date, but customer organizations were handing out the keys to their data kingdoms internally to everyone from senior-most executives to freshly hired interns.
Now that Salesforce has become an entire platform with functions far beyond the original CRM, CIOs and CISOs must take an even closer look at platform-as-a-service security and data governance.
It’s Easy to Overlook Several Critical Aspects
When it comes to data protection, people are all about finding the right tools. They want to plug something in and know their data is safe, but it does not work that way. That is like laying bricks without an idea of the greater structure in progress. To embrace a more thoughtful approach to Salesforce governance and avoid unnecessary vulnerabilities, you need a plan.
First, you’ll need to determine your exposure. You cannot shore up security weaknesses if you do not know where your data is and how it is being used. It is important to take a data inventory and decide which areas are contributing the most risk.
For example, when we worked with a financial services company, the CFO mentioned that users had too much access to data on Salesforce. When we dug around, we found that it was true: every single user had access to the entire database. By changing a few permissions, we easily created a significant improvement in security posture.
From there, put the proper focus on the people. You don’t spend decades constructing a building if you do not believe in what it represents, and your team members will not spend their valuable time and energy working toward a governance plan they disagree with.
When key players are on board, it’s easier to assign clear ownership so that each individual knows his or her responsibilities.
Gaps make it easy for things to slip through the cracks, but so does overlap. If two people are responsible for the same function, it is easy for both to assume that the other person took care of it.
You want to start small and work up: maybe 85% of your users have admin privileges when only 15% actually need those functions to perform their roles; maybe your password policy needs to be rewritten so that employees must change passwords regularly and not repeat passwords they have already used. Taking care of these issues allows you to focus your attention on the important things that take your security posture to the next level.
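The two findings above (every user able to reach the entire database, and far more users holding admin rights than need them) are the kind of thing a first-pass access review should surface. The following script is an added example, not code from the original article or from Salesforce: it reads a constructed, Salesforce-style user export and reports what share of active users hold full data access, who gets it through a permission set rather than an admin profile (easy to miss in a profile-only review), and which privileged accounts are stale or deactivated. The column names, the "System Administrator" profile and the "Modify All Data" / "View All Data" permissions mirror standard Salesforce objects; the sample rows, the 90-day staleness threshold and the "Sales Reports" permission set name are assumptions made for the example.

```python
"""Least-privilege review over a Salesforce-style user export.

Added example, not from the original article. The export below is
constructed for illustration; the column names mirror standard
Salesforce User fields, and 'System Administrator' / 'Modify All Data'
are the standard admin profile and broad data permission.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (roughly what a report on the User object looks like).
SAMPLE_EXPORT = """Username,Profile,PermissionSets,IsActive,LastLoginDate
cfo@example.com,System Administrator,,true,2024-05-01
intern1@example.com,System Administrator,,true,2024-04-28
intern2@example.com,Standard User,Modify All Data,true,2024-01-10
analyst@example.com,Standard User,,true,2024-05-02
contractor@example.com,System Administrator,,false,2023-11-15
sales1@example.com,Standard User,Sales Reports,true,2024-05-02
sales2@example.com,Standard User,,true,2024-04-30
"""

ADMIN_PROFILES = {"System Administrator"}
BROAD_DATA_PERMS = {"Modify All Data", "View All Data"}
STALE_AFTER = timedelta(days=90)  # assumed review threshold


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        perms = {p.strip() for p in row["PermissionSets"].split(";") if p.strip()}
        last = row["LastLoginDate"]
        rows.append({
            "username": row["Username"],
            "profile": row["Profile"],
            "perm_sets": perms,
            "active": row["IsActive"].lower() == "true",
            "last_login": date.fromisoformat(last) if last else None,
        })
    return rows


def has_full_data_access(user):
    """True if the user can reach the whole database via profile or permission set."""
    return user["profile"] in ADMIN_PROFILES or bool(user["perm_sets"] & BROAD_DATA_PERMS)


def review(text, today):
    """Summarise how much of the user base holds broad access and where to look first."""
    users = parse_export(text)
    active = [u for u in users if u["active"]]
    privileged = [u for u in active if has_full_data_access(u)]
    # Privileged accounts with no recent login are the cheapest access to remove.
    stale = [u["username"] for u in privileged
             if u["last_login"] is None or today - u["last_login"] > STALE_AFTER]
    # Full access granted by a permission set is invisible to a profile-only review.
    via_perm_set = [u["username"] for u in privileged
                    if u["profile"] not in ADMIN_PROFILES]
    # Deactivated accounts that still carry admin rights should be cleaned up too.
    inactive_privileged = [u["username"] for u in users
                           if not u["active"] and has_full_data_access(u)]
    return {
        "active_users": len(active),
        "privileged_active": len(privileged),
        "privileged_ratio": round(len(privileged) / len(active), 2) if active else 0.0,
        "stale_privileged": stale,
        "privileged_via_permission_set": via_perm_set,
        "inactive_but_privileged": inactive_privileged,
    }


def run_sample():
    """Run the review over the constructed export as of a fixed date."""
    return review(SAMPLE_EXPORT, date(2024, 5, 3))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample data half of the active users can reach the whole database, one of them only through a permission set, and one deactivated account still holds an admin profile; in a real review the same report, run against an actual export, gives you the list of permission changes to make and the owners to talk to.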
Ultimately, security professionals such as CISOs should never be afraid of an audit. It provides your team with objective, third-party input in order to point out blind spots or gaps in security coverage. Audits do not always result in good news, but every audit is an opportunity to make improvements and optimize your security strategy.
When you put off or neglect audits, you are acknowledging that your policies contain issues you need to address while at the same time deciding not to address them.
As your organization grows and evolves over time, your data governance needs will as well. You might merely scale up without changing functions, or your company might switch platforms entirely and have to take a new approach to governance.
It’s best practice to reevaluate on a somewhat regular basis how well a platform meets your needs. If better options are available, there is no sense staying the course just because that is what you have always done.
Salesforce is an incredible platform that can add vast capabilities to your organization, but you should always be aware of the risks of storing data in the cloud and giving a large number of your employees access to that data.
Be thoughtful about how you approach security and build a cathedral of data governance instead of just putting up walls. An elegant and purposeful solution will accomplish far more than a host of disparate methods that have been stitched together, and it will keep your organization’s data secure for years to come.