
3 Security Habits That Will Help Your Admin Career


Editor’s note: As of January 2022, Essential Habits for Salesforce Admins has been refreshed and is now available as a Trailhead module. This blog post was updated in July 2023 to reflect the content changes. 

At Salesforce, we’ve identified four core responsibilities that all admins share: user management, data management, security, and actionable analytics. And underlying these four core responsibilities is your personal success. To keep our responsibilities actionable, we’ve broken them down into habits—actions you can take on a regular basis over time! We believe these habits are essential for success. To learn more about habits and core responsibilities, check out the Essential Habits for Salesforce Admins badge.

In this post, we discuss the third core admin responsibility: security.

Why is security so important?

Trust is our #1 value at Salesforce, and we’ve built our platform with security front of mind. We’re committed to providing solutions so our customers have the flexibility to configure access as they wish. In other words, we securely provide the Salesforce service to the customer, and then provide the customer with additional features like profiles, permission sets, and multi-factor authentication (MFA).

In addition to offering a secure service and security features, we also produce resources like this! Our goal is to educate you on the importance of security and how to enable the security features we’ve provided.

We consider security to be a partnership between us, Salesforce, and you, the admin. That leaves a number of security responsibilities on the shoulders of capable #AwesomeAdmins like yourself! It’s your responsibility to:

  • Adopt evolving security controls and features
  • Continually monitor user behaviors and event logs
  • Protect sensitive data in alignment with compliance standards

Security roles and responsibilities for Salesforce and admins.

Before we begin discussing our security habits, remember that Salesforce users should have the minimum level of access to the system necessary to do their jobs. Think of the benefits of keeping access limited in this way: Users are more productive because they have access to only the applications, objects, fields, and pages they need—that’s a lot less clutter. And orgs are better protected from phishing attacks and internal bad actors.

With the principle of least privilege, bad actors are less likely to gain system-level access, and it’s easier for admins to manage access this way over time. Who doesn’t love things that are easier to manage?

Now, let’s dive into our three security habits for admins.

Essential habit 1: Communicate regularly with IT

We recommend communicating with IT regularly on a number of topics. Why? IT may provide compliance standards upon request, for example. It’s also important to understand the user onboarding and offboarding procedures at your company and any expectations that IT may have for you as a Salesforce Admin.

In our data management blog post, we discuss maintaining a data dictionary. It’s helpful to share this document with IT and also ask them for documentation should you require it. You’d be surprised by how much time this will save you in the long run!

Salesforce is not the only system that has sandboxes or nonproduction environments. If your Salesforce org has integrations, it’s likely that you’ll need to connect your sandboxes to external systems’ sandboxes. We suggest you coordinate well in advance with IT. Remember, sandbox provisioning may take time and can often require a bit of work for your IT partners. Giving them a fair warning is a great way to demonstrate amazing teamwork.

IT may also be able to provide automated scripts for things like sandbox data seeding, or test scripts.

Reasons why admins should communicate regularly with IT.

Now, these suggestions are just the tip of the iceberg, really. There are other features that are worth discussing with your IT counterparts, like MFA and single sign-on (SSO).

As you know, security is complex, and different IT departments will have different policies and requirements. Use these topics as a place to start and modify them as necessary!

Make it a habit: We recommend scheduling an hour at the end of each week to communicate with IT. This gives you time to collect any requests or updates and send them to your IT partners in their preferred channel.

Essential habit 2: Review access and visibility

The next essential security habit for admins is to review access and visibility. Four distinct layers control Salesforce access and visibility: organization, persona, record, and field. Within each layer are various features you can configure as an admin, everything from MFA and permission set groups to sharing rules and even field-level security. It can sometimes feel a little overwhelming. Remember, though, that our essential habits build on one another.


In the Understand User Management unit on Trailhead, you can learn how to ride along with your users and explore user audits. And in the Delve into Data Management unit, you can discover how to streamline and optimize your data and metadata—which makes reviewing access and visibility much easier.

We recommend compiling your access-related notes each week and organizing them according to the four distinct layers. Doing so will better prepare you for any changes you’ll need to make. Remember, while you’re responsible for configuring all of these security features, it’s rare that you’ll need to do them all at once. When you sit down to a meal, no matter how big that meal is, you finish the meal one bite at a time—and configuring security features is no different.

You’ve also got an ace up your sleeve—Security Health Check! Health Check identifies specific security settings that may need improvement. When you run it, you’re essentially comparing your Salesforce instance to an industry-standard security baseline. You can also add additional baseline criteria to ensure it’s most relevant to your business. When complete, you’ll receive a score and detailed recommendations for follow-up. Recommendations will be grouped by high, medium, or low risk. If you see any item labeled critical or warning, you should take time to explore and make some improvements immediately. Health Check may not always yield actionable results, but it can be a great tool to get some quick wins.

Make it a habit: We recommend scheduling an hour each week to review access and visibility. Aim to do this in the middle of the week so you can incorporate any notes you took during your ride-along.

Essential habit 3: Learn continuously

Our last, and potentially most important, security habit is to continuously learn. Admins must be proactive about the ever-evolving state of security in the cloud. Explore our Trust resources as well as admin-related security content. We release a lot of security-related content, which you can find when you subscribe to our Admin Digest.

In addition to these sites, don’t forget to read the release notes and check the Setup menu for security release updates. Take time to understand what they are and the implications they may have, and then be sure to activate them in a timely fashion.

Tips for staying informed about security updates.

Make it a habit: We recommend deepening your knowledge of security for an hour at the beginning of each week. By scheduling this earlier in the week, you’ll better prepare yourself for any configuration work or communication with stakeholders later in the week.

More essential habits

Now that you have a better understanding of the importance of security management, the habits you need to succeed, and key takeaways for you to implement, you’re ready to roll! For a bird’s-eye view of all of the suggested habits and timelines for security management, check out our handy calendar below.

Security habits mapped out on a calendar.

Want to dive deeper? Check out our new Essential Habits for Salesforce Admins badge.
