Today on the Salesforce Admins Podcast, we talk to Laura Pelkey, Senior Manager of Customer Security Awareness & Engagement at Salesforce. Join us as we chat about how to be a security-minded advocate within your organization and what it could do for your career.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Laura Pelkey.

What security means for admins

Even though summer is the time for vacations and fun in the sun, Laura wants to remind us that security threats don’t take time off. That’s why it’s so important for every organization to have security advocates: people who are consistently vocal about security.

You might already be doing all the good stuff we’ve talked about in past episodes, like password enforcement and two-factor authentication (TFA), but this is about taking it a step further. It’s thinking like a security leader and looking into the future by requesting budget to address security debt or get more help on your team. “As a business professional, as an admin, as someone who’s in charge of aspects of data security, you’re leveling up by acting this way,” Laura says.

Having security conversations

Things have changed since 2020. More people are working remotely, and more and more business operations have gone digital. Hand in hand with that, the responsibilities of an admin have increased.

Security is a big job that touches on all areas of your business. So if you encounter a problem that you can’t address with the security tools in Salesforce, how can you be proactive and partner with security allies across your organization? For example, if you notice phishing emails targeting your users, you could work with IT to create some training around what to look out for.

Where security advocacy is going

Being a security advocate has a lot of benefits for you, too. Being proactive instead of reactive will save you a lot of time and headaches. In our phishing example, your users receiving that training could mean you get a suspicious email forwarded to you instead of having to do damage control after your Salesforce org has been compromised.

Security advocacy could even take your career in a new direction. Laura points out that her own job in security awareness didn’t exist ten years ago. “This is a huge value add to your career,” she says. As a Salesforce Admin, you are the expert on what needs to be protected in your org, so make sure you get a seat at the table.

Be sure to check out the full episode for info on the Trailhead Security Superbadge, and what Laura has to say about imposter syndrome.

Full show transcript

Mike: Security is more than just long passwords and enforcing multifactor authentication. It’s a mindset. Security is also fundamental to what admins do in our day-to-day, but is too much burden being put on the Salesforce admin? So today I’ve got Laura Pelkey, Senior Manager, Security Customer Engagement, on to have an engaging conversation about being a security-minded advocate within your organization and what an admin can do. And boy, let me tell you, there’s a lot of stuff I bet you’re already doing to become a security-minded advocate. So with that, let’s get Laura on the podcast. So, Laura, welcome back to the podcast.

Laura Pelkey: Hey, Mike, so good to be here.

Mike: Yeah, well, we kicked off 2023 with you and Lynn helping us be good admin-minded security administrators. I feel like I just said person, people, person. Anyway, and halfway through the year because it’s July, we don’t want to let vacation brain kick in. We want to maintain our security-ness, and you’ve been putting a lot of really great content up on admin.security, dot… Listen to me, admin.security.com. Boy, I bet you wish that was the URL. It is not, admin.salesforce.com. See, I got security on the mind literally.

Laura Pelkey: You got security on the brain and I love to see that. Yeah, even though it’s summer, maybe where some of us are having our vacations, maybe we’re spending a lot of time outside, security never sleeps. I’m lucky to be in this position where I can just annoy everyone and remind them about that all year round.

Mike: You’re not annoying people.

Laura Pelkey: Oh, thank you.

Mike: Yeah. But let’s start off with just kind of refreshing us and talking about what it means to be a cybersecurity advocate.

Laura Pelkey: Yeah. So this is kind of a fairly new way that I’ve been talking about in terms of admin’s responsibilities around security, a new way to think about it. I did a presentation at Dreamforce last year on it, and then one at TDX. I don’t know, maybe a couple people on the call caught those. Or on the podcast, not call, rather. Security advocacy, the concept of that is actually really interesting. It’s kind of like somebody that cares a lot about security that has some responsibility around securing some aspect of their company, and they’re really vocal about it internally and to their leadership. We can talk more about the definition of this in a second, but it’s really a great business skill for admins to have, for anybody to have, but especially for admins. We’re in a really unique position to be great advocates for security.

Mike: I mean, I feel like… So devil’s advocate because whenever we talk security, people are like, “Well, I locked my doors. I do all this stuff.” Same with admins, “I enforce passwords and multifactor authentication.” But I think you’re taking it one step further in thinking, “Dare I say outside the org?”

Laura Pelkey: Yeah. All those things are still so important. All the security best practices that I talk about, you talk about, the whole team talks about, all those are super-important still and are really just a part of this concept. But this is almost like you’re thinking like a business leader, like a security leader or an executive. You know that security is such a big priority that by advocating for it, what you’re doing rather than the day-to-day management of security, which is still on admins to manage, you’re also looking into the future by requesting budget for things. Maybe you’re long-term planning certain projects where you’re addressing security debt. Maybe you’re advocating for more resources on your team to help you with certain things related to security. So this is kind of like you’re leveling up by becoming a security advocate. As a business professional, as an admin, as someone who’s in charge of aspects of data security, you’re leveling up by acting this way.

Mike: Yeah. Now, I know you look back to 2019, 2018, things changed with COVID. In the corporate world now, is there too much of a burden being placed on admins?

Laura Pelkey: Yeah. We’re in this post-pandemic world for the most part, so to speak, and things have changed. Our world is a lot more… It’s taking place in the digital realm. People are also more dispersed and working remotely a lot of the time. Many people in many professions, especially Salesforce admins, were affected by that and our responsibilities have increased. I say, “Our,” because I used to be a Salesforce admin back in the day.

Mike: It’s the royal we.

Laura Pelkey: It’s the royal we, yes. Our responsibilities have increased. Also, on the flip side, the security landscape has become trickier as it tends to do. The security landscape is constantly evolving. Threats are evolving. The way that hackers try to get information is evolving. I don’t want to get into this too much in this podcast, but especially with the onset of AI, we’re seeing some trends even around AI-generated phishing emails happening already. We can probably have another podcast about that.

Mike: We could do a whole series on all of the things that AI is doing.

Laura Pelkey: Definitely. But just the world has changed and evolved, and admins’ responsibilities have increased. We actually did some really interesting research last year in 2022 around admins’ responsibilities around security. What we found in the research was that admins are feeling the pressure. They’re feeling more responsibility, they have more responsibility, but they actually feel like they have less time and resources to fully own that. So they’re feeling concerned that they’re going to be held responsible in the case of a breach of their Salesforce instance, which is that sounds terrifying. I would not want to be held responsible for something like that. It’s very scary.

So when we did that research, we really wanted to then help empower admins to proactively address that. And so this is where the concept of becoming a security advocate really was tied into the whole Salesforce admin role. So it’s something, I think, if people adopt this mindset, it will not only set them up for success and make them add really an important and critical skill to their resume, but it’s going to give them more peace of mind too.

Mike: Yeah. I’m sitting here listening to it and I think, “Well, I can’t stop the user from clicking on the email of obviously they’re going to join the Pomeranian dog show.” Nope.

Laura Pelkey: Can’t miss that.

Mike: Don’t click that. There’s only so much I can do. I’ve got 15-character password enforcement on. I’ve got multifactor on. Maybe I’ve even gone so far as to set up IP ranges. I feel like I’ve done my part. I feel like what you’re getting at is, so who in the organization should I be talking to, to pay attention to, “Hey, is our organization being targeted for phishing? Are there things that I can help do and expand the scope?” Who else in the organization’s paying attention to this?

Laura Pelkey: Yeah. We’ll break this down into some digestible steps too if we want, but-

Mike: Yes, please.

Laura Pelkey: Yeah. So yeah, thinking a security advocate so naturally, like you’re leading up to, there’s other people likely at your company, not just within the sales organization or whatever organization you’re sitting in, there’s people at your company and teams that are thinking about this as well. So that would be most likely an IT team, or an IT manager, potentially a cybersecurity team if you are at maybe a larger enterprise company. This is like the extra credit, but also, maybe one of the most valuable things you can do in addition to all the other things you’re doing like making sure your users are using MFA, and strong passwords, et cetera.

You can actually partner with these people who are also security-minded folks like IT. Let’s just say IT director. Let’s just say that’s a catchall term for these other groups and say, “You know, I have X number of Salesforce users who log into Salesforce every day. We leverage all of the out-of-the-box security controls that Salesforce offers, but they’re still potentially going to encounter phishing emails, for example. And so let’s partner, IT director or whoever, let’s partner on an internal education campaign with our Salesforce users to educate them on what to do if they encounter a phishing email that is asking for their Salesforce credentials.”

So now you’re also going into security awareness work, which that’s technically what I do at Salesforce for our customers. This is like you are upleveling on upleveling on upleveling. You are just crushing it. But this is how you’re going to have a really huge effect on the security of not even just your Salesforce instance, but also your company by acting in a really proactive way.

Mike: Yeah. I think it’s better to have a bunch of users bug you saying, “Hey, I just got this email and I didn’t think you were doing any releases or testing today,” as opposed to, “I got the email and just click the link and put in my username and password, but nothing happened. I’m sure it’s fine.”

Laura Pelkey: Yeah. Right. Yeah. This kind of brings us into the like okay, so what are the benefits of becoming or acting as a security advocate? You led into that perfectly. I don’t even know if you meant to do that, but you did it perfectly.

Mike: Oh, 100%. Giving you the segues every time.

Laura Pelkey: Yes. Thank you. So there’s so many benefits to you. Not even just securing your company, which is a pretty great benefit, but for you yourself, number one, you are just setting your future self up for success by proactively addressing the security concerns like phishing and partnering with your IT team on doing internal education around that but also advocating for budget far in advance or resources too so that you can ensure that you’re going to have what you need in order to be effective in managing security. You’re also going to save time. So by thinking strategically, the more proactive you are about security, the less likely you’ll need to be reactive.

And you outline that scenario perfectly, which is rather than somebody saying, “Oops, I just clicked on this email. It took me to this weird page. I typed in my Salesforce login information thinking that’s what I was supposed to do, and then something happened to my computer. And I’m not sure, but I may have downloaded malware.” And then you have to scramble and engage with not only just the IT team, but probably many people on the leadership level to explain how this happened. That is such a headache. I wouldn’t want to have to deal with that. That sounds terrible. So you are doing everything you can do by acting as a security advocate to prevent stuff like that from happening before it happens, which that’s just going to save you stress.

And then the last thing, and the things that we just talked about are sort of future benefits, but one immediate benefit that I think is possibly the most appealing to people is that this skill being a cybersecurity advocate is actually an emerging job function on the job market now. I think maybe we talk about what exactly is a security advocate after this, but this is now a job that industry-wide, across many industries, people are recognizing that this is a necessary function. So you can add this to your resume. If you just even just repeat some of the things I’m saying on this podcast right now, if you’re interviewing or if you’re trying to get a promotion at your current job and you talk about this, this is going to just make you look like… I think the people you’re talking to are going to have stars in their eyes with what you’re saying. This is a huge value add to your career.

Mike: Yeah. I mean, if I’m going to say I’m in an interview, I would hope the interviewer or the person across the table is going to say, “Okay, so what does that mean? What do you do to be that advocate?” Because every time, and I said this before I pressed record, every time I turn around, I feel like somebody’s asking me to be a super fan or an advocate and I immediately get that picture of Puddy and the face paint and being like this all out… And I’m like, “I can’t be a super fan of everything.”

Laura Pelkey: Yeah, right. Yeah.

Mike: But advocacy, I can do, right?

Laura Pelkey: Yeah.

Mike: So, what am I doing? If I said I’m going to be a security advocate, what am I doing?

Laura Pelkey: Yeah. So security advocacy, so this term was created by a government body called NIST, N-I-S-T, which stands for the National Institute of Standards and Technology. If you work in the technology space, you may be familiar with this. NIST is really looked at as the definer of security standards across all industries. So this is the authority on security basically. Companies follow a NIST framework for cybersecurity. This is the benchmark that companies measure their cybersecurity on. So this is the authority for all things security. They, in 2021, actually said that a security advocate is the emerging job function to look out for when you’re looking for skillsets in hiring people. The kind of work that these people do is essentially, they promote, educate, and encourage the adoption of security at their organization.

Now, this is typically not at this time something you’re going to see as a person’s title. It’s most likely not just the one job that this person has. When something’s an emerging job function, it means that many people in different types of roles share this responsibility. It’s kind of like security awareness. So I am a security awareness professional. That is one of the groups that’s considered a security advocate. My job was not a thing 10 years ago. It was functions that many people were doing, and then it became its own function. So that’s where security advocacy is right now.

So in addition to a security awareness professional, it can also be someone that’s a security researcher. It could be a consultant who maybe is advising their clients on security best practices. Also, it can be somebody that is like a Salesforce admin, someone that is in charge of certain aspects of security at their company. So obviously, admins are in charge of securing data within Salesforce, which is highly valuable to all organizations. These people, it’s really anybody that is vocal and advocate… I don’t want to use the word advocate, but anyone who’s really vocal and tries to do education, whether it’s upward to their leadership or within the employee group, at their company around security. Does that sound…

Mike: Yeah. No. I mean, that totally makes sense. I was just reading through some notes because I feel like a lot of this is, “Okay, so I’m asking for all this. What are some of the…” I think one of the things I always felt insecure on… Get that, insecure?

Laura Pelkey: I see what you did there.

Mike: You see what I did? When I would talk to IT, yeah, mostly IT because that’s who it was, I always felt like I knew the least amount of security. It always felt weird advocating for security because I also didn’t know what we were doing as an organization for security. I think that’s what you allude to is as an admin, yes, you own that platform and there’s a lot of security that comes baked into the platform. There’s even more controls that you can dial in around it. But it’s also getting in with your IT and sitting down talking to them, “What’s happening with the organization that I operate my platform within?” and understanding the environment outside of just that platform and understanding what are some of the emerging threats that are coming as a result of that.

We often use the phishing email a lot because it’s pretty ubiquitous and people have probably all gotten one. But in recent years, I mean, we’ve seen this with other things, it doesn’t have to be an email, it can be a phone call. They can call and just be like, “Hey, this is so-and-so with IT.” You think about it, you’re at a 20,000, 30,000-person org, they don’t know who Sally in IT is. “Oh, she must be a new hire.” Right?

Laura Pelkey: Right.

Mike: And then you get your credentials out over the phone. So it’s also understanding, “Hey, when IT calls,” and making sure my users know that and that it comes from the Salesforce admin as well, as opposed to just coming from IT and hoping that they cover that. That’s what I’m hearing.

Laura Pelkey: Yeah. You’re drawing such a great comparison between the security advocacy work, security awareness work, and how an admin can be involved in all of that, which is awesome. Yeah. I know we don’t have extra time. Salesforce admins do not have extra time. I know it’s kind of… I would understand if when your people are listening to this, they’re like, “Okay, how am I supposed to fit all this in?”

Mike: Right. “How can I be an advocate for everything? I’m tired.”

Laura Pelkey: Right. “I’m tired.”

Mike: “I just got to reset a password.”

Laura Pelkey: Yeah. I don’t have the answers for that because that is on an individual case-by-case basis how you would fit this in, but it’s really like a mindset shift almost. It’s not necessarily a lot of extra work. It’s really a mindset shift. So like you were saying, opening up a dialogue with your IT team, with your leadership team. And this goes also for your leadership, whoever you report to, whatever organization you report to, they need to also be aware of this. It’s opening up an ongoing dialogue with them and saying… Maybe you are setting up quarterly meetings, or maybe not monthly meetings, but potentially, depending on how much you feel that you need to discuss, with the stakeholders who are in charge of security at your organization, at your company, and say…

Get a seat at the table, first of all. I mean, I think a lot of us have this imposter syndrome. If we don’t have a highly-technical background and we’re talking about security… I even still do to this day and I did for a very long time. It was much worse and I still sometimes have it, but you are the expert. Salesforce admins are the experts on Salesforce. You know exactly inside and out what needs to be secured. You are the expert on this, and so do not feel like you don’t have a seat at this table or you shouldn’t have a seat at this table because you 100% should. So this is your chance in these quarterly meetings or however frequent you like to have them with your security stakeholders. You want to say, “I want to understand what security challenges the company is facing at this time and how they might affect my Salesforce users, and then how we can partner together on addressing those.”

We talked about partnering with your IT team on potentially doing phishing campaigns or phishing education together internally. That also could be, “Okay, so I’m seeing there’s an increased problem with overprivileged users,” let’s just say, “in the Salesforce org and so I need to bring in a consultant,” depending on how large your org is. “I need just bandwidth to do this myself, but I need to run a project on a large scale where I’m evaluating permissions of all of my Salesforce users.” You tell them why that is. You give them the business value of that. It’s not just a technical thing. It’s not a technical need. It’s a business need. Security is a business need.

And then you say, “This is either the budget I need for this, or the time, or the bandwidth, or resources, whatever that I need to accomplish this, and I’m going to do this in Q4 of this year. And I need your buy-in to make this happen. And here’s what it’s going to look like.” That is being a security advocate, just getting a seat at the table with security stakeholders and advocating for the needs of securing your Salesforce org and then making it happen.

Mike: Yeah. I think it’s more being there and designing the fence as opposed to being on the emergency team that realizes they needed a fence.

Laura Pelkey: Yeah. Right. Exactly. Yeah. And then again, this is being proactive, not reactive. And you’re going to just save everyone time, money, headaches by doing stuff like this.

Mike: Well, I go back to that very first conversation I had with Lynn, how many years ago? It also just changes the way you think. You look at things as, “How do I pressure test this before?” So, “What happens when?” And to your point of overprivileged users, yes, be at the table so that when people are planning budgets and you find out IT has extra budget, hey now is a good time to schedule that audit. Now is a good time to get this help because maybe your business unit doesn’t know that. So that’s a great call out.

Laura Pelkey: Yeah. When you’re coming to the table and initiating these conversations, you might initiate creating an ongoing meeting series with security stakeholders at your organization. You might just ask to join an ongoing meeting, whatever it is. Before you do that, you want to also have your own list that you’re working off of. So you want to understand where the gaps in your org currently are, in your Salesforce org, how you can fill those gaps, and then have already mapped out some proposed actions or requests to start accomplishing those things. So you don’t want to come into this totally blind. Through these discussions, you might learn additional things that you might add to this list, but you want to already have this prepared.

Mike: Last question. So I’m going to link to that superbadge that you shared with me on becoming a security advocate specialist. What are some highlights that you have of that superbadge?

Laura Pelkey: So the superbadge is really great. It actually goes into a lot of technical things that you can do to shift your mindset and start addressing on many, many levels. So what we talked about today was really kind of more of the business-minded way of going about this. The superbadge goes into it on a little bit more of a technical level.

Mike: Gotcha. Great.

Laura Pelkey: But both things, it’s kind of like two sides of the coin.

Mike: Yeah. I mean, it’s one thing to know how to configure something, it’s also another thing to know how to communicate that, what you just configured, and how great it is that you configured that thing.

Laura Pelkey: Yeah. Exactly. Exactly.

Mike: Laura, it was great to have you back on the podcast. So I feel like we’ve got our midyear check-in checked.

Laura Pelkey: Well, check the box on that.

Mike: Can’t use the… It’s a whole episode, “How do you use a word to define the word you’re defining?”

Laura Pelkey: I know.

Mike: The advocate is really about advocating.

Laura Pelkey: Advocating.

Mike: Darn it. That’s not… “Checking a box is all about putting a checkmark in a box.” “You guys are two for two.”

Laura Pelkey: Yeah, we really needed a thesaurus for this episode.

Mike: I can feel the iTunes ratings going through the roof right now.

Laura Pelkey: Yeah. Yeah. I mean, I think this to me was kind of a game-changer moment when we heard the feedback from our customers on what they needed. My hope is that people really, really start to internalize this concept of security advocacy and start shifting their mindset to act that way.

Mike: I mean, there is no downside.

Laura Pelkey: Right.

Mike: There is no downside.

Laura Pelkey: 100%.

Mike: The downside is the bad people get to stay out.

Laura Pelkey: Exactly.

Mike: I love it.

Laura Pelkey: Too bad for them.

Mike: Thanks so much for being on the pod.

Laura Pelkey: Thank you so much for having me, Mike. I always love doing these with you.

Mike: So that was another great discussion with Laura about security. Just to call out that all of the links and everything that we talked about in the show are just on the show notes there. We’ve got a video on YouTube, and then we talked about the Trailhead superbadge, so we also linked to that. That is really, really good to go through.

Now, if you enjoyed this episode, can you do me a favor? Just share it with one person. If you’re listening on iTunes, here’s what you do. I want you to tap on the dots, choose Share Episode, and then you can post it on social, you can text it to a friend. Maybe it’s somebody that’s kind of interested in learning more about security. And of course, all those resources, everything for Salesforce admins, your one-stop shop is admin.salesforce.com. I totally messed up that URL at the beginning of the podcast, but look at me getting it right for the second time. We also include a transcript of the show, so that is in the show notes as well. And if you got security-minded questions, Laura is in our admin Trailblazer group. That’s the place to go to join our conversation. And of course, the link to that community is in the show notes. So until next week, we’ll see you in the cloud.
