Make a Cybersecurity Plan with Garry Polmateer

Today on the Salesforce Admins Podcast, we talk to Garry Polmateer, CEO of Red Argyle, a Salesforce Consulting agency, and a member of the Salesforce MVP Hall of Fame. Join us as we chat about why admins need to be involved with cybersecurity at their organization and how to start planning.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Garry Polmateer.

Admins and cybersecurity

Garry and I go way back—we were both in the first class of Salesforce MVPs back in 2010. We recently caught up at Midwest Dreamin’, where Garry gave a great talk about why Salesforce Admins need to be involved in cybersecurity, so I asked him to come on the pod and tell us all about it.

It can often feel like cybersecurity is a secondary consideration for Salesforce Admins, and it’s too complicated to get involved with. While Garry isn’t here to scare you, he wants to remind you that there’s a lot you can do as an admin to protect your organization.

Running away from a bear

When it comes to reducing your risk of a cyberattack, it’s a little like running away from a bear. You don’t have to be faster than the bear, you just have to be faster than the people next to you. Hackers are generally looking for low-hanging fruit, and doing some simple things like enforcing MFA and password best practices is often enough to get them to move on.

However, Garry points out that good cybersecurity is a lot more nuanced than simply not getting hacked. A good security plan protects your organization from itself, whether that’s an accident that leads to a data breach or ensuring that you meet regulatory requirements. And if something does happen, you need to know what to do about it.

A framework for security

Garry lays out a simple framework for looking at security in your organization:

  1. Understand your risks
  2. Respond
  3. Recover

What Garry has found in his consulting work is that while most businesses have spent time on #1, they don’t have a clear understanding of what to do if something goes wrong. That comes down to three simple questions: What will you do? Who will you talk to? And what will you do next?

“Any admin can do this,” Garry says, “and having a communications plan that’s nailed down with some specificity is like an insurance policy for your peace of mind.” And if something turns out to be serious, you have an action plan in place for what to do next so you can act quickly.

Be sure to listen to the full episode to learn more about security considerations you might not be thinking about and everything you need to know about backing up data.

Full show transcript

Mike:
This week on the Salesforce Admins podcast, we’re catching up with an old friend, or at least an old friend of mine, Garry Polmateer. And we’re talking about cybersecurity. Now, don’t stop listening because I said cybersecurity. This is a super fun episode, and I know I always say that with security stuff, but there is really some meaty things that Garry helps us out with and really helps me understand the level at which admins need to be involved in cybersecurity within their organization. Garry’s also MVP Hall of Fame. He was in the same class as me, so I remember way back in the days, and of course now he’s off being a big time consultant, but super personable, super understandable, and super relatable episode.

So keep listening all the way to the end. Now, before we get into the episode, I just need you to make sure you’re doing one thing and that’s following the Salesforce Admin podcast, either on iTunes or Spotify. I know a bunch of you listen on Spotify, and the reason I’m telling you that is that way every Thursday morning like magic, the podcast is going to arrive on your phone so that when you head out to work, it’s immediately there. But with that, let’s get to this fun conversation we had with Garry. So Garry, welcome to the podcast.

Garry Polmateer:
Thanks for having me, Mike.

Mike:
It’s been forever and a day because you and I believe were the first class of Salesforce MVPs 100 years ago when they first started that back in 2012, 2011, 2010.

Garry Polmateer:
I know. I still can’t believe it that we were there on that stage at that time. And here we’re talking 10 years later, and it’s been an amazing experience, I think, for both of us going through the program and enabling us to do so much for the community and have a lot of fun along the way.

Mike:
Yeah, absolutely. So we had a chance to catch up at a community group, Midwest Dreamin, which I am a big fan of. Shout out to them. And I saw you did a presentation on Salesforce cybersecurity, and I thought it was great because first of all, the only time I’ve ever had anybody on the podcast to talk about security is Laura Pelkey, because not a lot of people like to talk about security, and you did an amazing job. I felt the room, you had questions, which was more than I got from my presentation. So let’s start off with just catch people up on what Garry does and head us into cybersecurity.

Garry Polmateer:
Sure. Thanks for the intro, Mike. So yeah, I’m Garry Polmateer. As Mike said, I’m a Salesforce MVP. I’m in the Hall of Fame now. I joined the Salesforce ecosystem in 2008. Side note, I was about number 3000 in the admin certification. So I’m pretty low, been around for a little bit longer than I probably care to admit, helped get Red Argyle up and running in 2010, 2011. And we are a Salesforce solutions integrator. We started out with my partner, Tom and I just kind of going rogue on some Salesforce consulting work. And then over the years we’ve morphed into, we’re about 60 people on our team now, and we really focus on Salesforce cybersecurity and audits, Salesforce experience cloud, and we do a lot of really heavy UX and platform work.

So that’s my background in two seconds, but I feel like cybersecurity is an often overlooked or secondary consideration, and we’ve seen this kind of evolve over the last few years, especially since the pandemic. And I’ve just noticed a lot of opportunity to raise awareness on the topic, not out of a culture or concern of fear, but really focusing on, “Hey, as admins, regardless of your level of technical skill and perception of risks, cybersecurity is something worth putting a little bit of thought into.” The session was born and here we are.

Mike:
Yeah. I think the perception, people read cybersecurity and they think, “Oh, well, that’s like we had a school district here in Iowa get hacked or something like that. Oh, it’s super hard stuff that I don’t have to worry about or I don’t need to… There’s somebody else in a room full of servers and blinky lights that’ll deal with this.”

Garry Polmateer:
And I think I want to try to dissuade that a little bit because I mean, it’s true. You think there’s all these black hat hackers sitting in dark rooms with 40 monitors just waiting to victimize someone, and one way to really think about-

Mike:
[inaudible 00:04:51] Doritos.

Garry Polmateer:
Yeah. Good diet, breakfast of champions. So I look at it more like you know the euphemism, if you and a bunch of your friends get chased by a bear, as long as you’re not the slowest one, then you probably won’t get chased by the bear. I can’t remember exactly how that works, but-

Mike:
You don’t want to be the slowest one. You only have to be faster than the slowest person.

Garry Polmateer:
And I think that’s, again, I can’t say with a million percent confidence that more complicated targets don’t ever get touched. But if you’re maintaining a certain level of thoughtfulness about security, most of the time nefarious actors are looking for opportunistic targets. They’re going to go cast a wide net and try to find the easiest one to get something out of. But even backing up from there, I think what’s important is that’s still such a small reason for thinking about cybersecurity and just general admin practice. There’s a lot of important things that you can implement in your organization that not only protect you from those types of threats, but really things happening internal, whether they are accidents, whether they’re an integration that goes awry, whether it’s a potential incident where nothing really happened, but you need to have a communication plan, whether you’re in a regulated industry and you need to prove that you can meet certain standards.

So there’s a lot more to it than just that nefarious bad actor. Obviously, we want to protect against them too, but there’s so many other types of things that security are important and really go hand in hand with best practices as an admin in a general sense.

Mike:
Can we start with a plan and communications plan? Because when you started talking about that in your presentation, I really feel like that part is kind of the last part people think about because, and again, I’ve done podcasts on 2FA and multifactor authentication and the importance of hiding PII and stuff like that and encoding different fields. But the one part that I’ve never talked about that you brought up in your presentation was communication. What do we do? Who do we talk to? What do I do as an admin? So where do I start with that?

Garry Polmateer:
Yeah. And I’ll say that’s part of a bigger framework that I covered in the session, and I just want to couch where the plan fits, Mike. Where initially you’ve got to understand where you’re at with security, what your risks are. How are you protecting your information and value? How are you detecting potential issues? And then the last two, how do you respond and how do you recover? And the respond and the recover side of it is where I often see things fall short. It’s like everyone’s like, “Oh, yeah, we did all this security work or work is super secure.” And I’m like, “What’s your plan if you have a suspected incident?” And they’re like, “I don’t know, I’ll call my boss.”

And so I think it’s crucial, and this is why, again, I think any admin can do this. It’s really just getting back to basics and saying, “As a Salesforce practitioner, what’s my playbook? If something goes wrong or even if there’s a suspicion that something is off, how am I going to handle it?” And having a communication plan that’s nailed down with some specificity is like an insurance policy for your peace of mind. If something happens, pull that playbook out and just execute on the plan. And I think it will really help, especially in a time of high stress.

Mike:
So what are some of those things that like, oh, we should be looking at or I should have a plan in place for?

Garry Polmateer:
So I think a key thing is having very specific roles. So who is responsible for what in a, and I’m just going to call it a suspected incident because most of the time you have a false alarm or just some level of concern where you need to say, “Okay, I’m going to look into something that is odd with my logs or whatever.” So we really need to focus on what are the roles, that we are surrounding ourselves with the plan? What is the timetable that we can have expected responses out to key stakeholders? And then what is a reasonable set of criteria for escalations? So if I’m coming in for my morning coffee, look at some logs and I see something that looks a little suspicious, how do I take that small level of suspicion to, OMG, this is a legitimate concern. I need to raise the siren?

And what are the criteria to do that? Or is it, I need to do some investigation to validate and what are all the steps in between? So just having a playbook for that is really helpful. And most of the time they only take a few hours of work to really think through. And then once a year you just do a quick audit, make sure that things are still accurate. But having all those names, phone numbers, cell phone numbers, means of communication, timetables, and even a little bit of how.

For instance, one customer of ours says, “Hey, we need a kill switch in our org. So if we find an API that’s going rogue, we need to know how to shut it down immediately, or we need our third admin that generally doesn’t do these things to have information so that they can respond if our first two admins are on vacation.” So that kind of stuff, all basic, just need to sit down and think through it. And not to put in a huge plug, but we do have a plan template that I posted on our website. You can go to redargyle.com and check it out, and that might give you a big jumpstart on the planning.

Mike:
Yeah, I think one of the things that you brought up in your presentation, because obviously people that work with social security numbers or credit card numbers or anything that smells like PII are immediately like, “How do we data mask this? How do we make sure that the visibility on these fields or these objects is super locked down?” Only the right people can see it. One thing you brought up that I thought was interesting is the stuff that’s super obvious is super obvious, but the stuff that’s not super obvious is the stuff that you should be questioning. And I think one of the things in your guide that you talk about is are you working with children? What are some of those things where as an admin, I’m sitting there, I’m listening to a business process, maybe there’s something we’re going to move into Salesforce and like, “Oh, should this trigger a question of security when we’re tracking that?”

Garry Polmateer:
Yeah, I appreciate the thoughtful question, Mike. So I think you’re totally right. There are just very basic items that are important to get your ducks in a row, social security number, PII and what we consider SPII, which anything like bank account numbers and stuff where if you have one piece of information about someone, you could potentially do a lot of harm. And again, those credit card numbers, social security numbers, bank account numbers, those are, as you said, obvious. We of course want to abstract those. So there’s one area of that that isn’t as obvious is could I accidentally type a social security number in a chat or something along those lines where I’ve seen this happen a lot. You have a live agent up and running, and customers might not be the most infosec savvy. They’re typing in their social security number into a chat window because they’re trying to get service faster, and that is getting consumed and somehow stored in your Salesforce database in a field that’s not flagged as a PII super dangerous field.

So we want to look at those pieces of information, but also where are likely points of entry for inadvertent information that could need to be managed. And there’s a lot of solutions, training and analytics to help suss that out, make sure it’s not an issue. The other side of it when you’re talking about, “Oh, I’m tracking households and there’s children in my database,” that kicks off other conversations about compliance standards and general data processing practices, which the term data processing is very broad, and it depends on the compliance context that you’re working on, but you can really think of it as if you’re collecting, storing, copying, moving, using, reporting on people’s data you are under many definitions quote, unquote processing that data. And if you are processing that data, that’s where it does make a lot of sense to say, “What standards and compliances am I beholden to with the means that I’m processing?

And also are all of my customer facing privacy agreements and expectations up to date to make sure that we’re protected and we are doing a good job being a steward of our customer’s data?” So again, I think it really comes down to just being thoughtful and not cavalier about collecting data and doing things with it. We have so much power. So just slowing down a little bit during the planning phase and say, “Well, what are we doing with this data? Why do we need it? Is it going to potentially throw a compliance flag? How are we going to have safeguards that our customers are protected and our authorities are happy and all that good stuff?”

Mike:
And is it data stored elsewhere? Right? Man, the number of times that I’ve had people ask, “Well, can we bring this data over in Salesforce?” Well, it’s stored somewhere else. Now it’s in two places. Now we’ve got to worry about people breaking into two places as opposed to just keep it in the one.

Garry Polmateer:
And I’ve seen that a lot, Mike, where data replication is often a, you’re doubling your problem if you’re unnecessarily replicating data. Sometimes you have to, sometimes. But a good example is off platform analytics. I’ve got a whole bunch of stuff in Salesforce. I want to run heavy duty off platform, BI on it. I’m going to make a copy of my database once a week and have a reporting database over there. You’ve literally just doubled your problem.

And that’s one thing I think that Salesforce does so well. When we think about Tableau CRM or whatever it’s called this week and Salesforce on platform data storage, we have a lot of confidence that the platform is solid and it’s trust being Salesforce’s number one value. We can put a lot of stock in that, but those other ancillary considerations of people kicking off side databases and spreadsheets where we want to think about is this a required business process? Can we minimize the exposure for a lot of reasons? Even your prototypical, I don’t want my sales rep to quit and steal my customer list, that’s all stuff that does fall under infosec. But yeah, I’ve seen that many, many times.

Mike:
Exporting reports, I remember when that was just a simple permission.

Garry Polmateer:
And it still is actually a simple permission, but most of the customers we work with end up needing a lot more nuance to can export certain types of reports, can export summarized data only. We only want them to export 50 records at a time. And again, the platform has really great built-in safeguards for that, but it’s just got to be thoughtfully applied.

Mike:
So I feel like some of the people you work with, and I think it’s true for many admins, they’re in the business unit. I’m feeling like when you do some of this cybersecurity work with organizations, it’s the admin and, if I’m a Salesforce admin listening to this, who is that and? Who are the people that you most often interact with that as an admin in an organization I should be thinking about making friends with?

Garry Polmateer:
And this is highly dependent on the size of the organization. So maybe I’ll throw a couple archetypal sizes that I’ll do the SMB and then talk more enterprise. On the SMB front, pretending that there’s a full-time admin, they can typically be supported or working alongside of maybe a marketing manager or marketing director. And then they probably have some upper level management in the executive ranks where they’re trying to hit their bigger OKRs, things like that. So for me, those admins or solo admins, I always say this, “If you’re getting ahead of this stuff and working on a security plan that is part of greater Salesforce planning processes, it will make you look really good for your boss if you don’t talk about it in a way that just scares the crap out of them.”

And this is an area where depending on the personalities involved, it does require a bit of tact where you want to create a healthy conversation about keeping your org not only well architected, but also at an appropriate level of security and compliance thoughtfulness. And those can be pretty easy to have conversations with those stakeholders just under your own roof.

Mike:
Yeah, no, it makes sense.

Garry Polmateer:
As companies grow, there’s usually two more sets of stakeholders that I think are critical, and I’m thinking we get to enterprise scale. One, is IT, IT teams who innately have a security mindset more likely than not. And instead of Salesforce being this black hole that IT doesn’t understand, which I do see sometimes, it’s a really great opportunity for collaboration with IT and helping them hit their goals by keeping your org healthy and secured and aligned with what they know they need to do. And then at the most complex, most of our enterprise customers do have some form of privacy counsel, or at least some level of outside consulting to help with making sure at the legal side that things are being done in the right way. So there’s a quick roundup of some stakeholders to think about.

Mike:
I mean, as organizations grow, the stakeholders always grow, right? Because there’s always added complexity and different departments and reshuffling too.

Garry Polmateer:
Oh, yeah. I mean, data volumes are bigger, risk is bigger. I mean, that’s par for the course, but the fundamentals remain the same. When you think about what we’re trying to do from an infosec perspective, the smallest business in the world to the biggest enterprise in the world, they still have the same fundamental problems. It’s like laws of physics, gravity works the same for all of us.

Mike:
Yeah. One thing you brought up that I hadn’t really thought about and was kind of when I was an admin was new, but I think probably more and more is caught on, and I know Salesforce has the feature, but backups and restoring. Databases are the one place that apparently a DeLorean actually still functions because we can go back in time and hit the reset button, I suppose maybe PlayStation games or whatever have that feature too. But let’s talk about that because I don’t know everything. Everybody’s always looking forward, here’s the reports, or here’s stuff that we need to log. But rarely, it’s like, what happens if you hit that button and you accidentally nuke all of your opportunities? How do you go back? What is some of the thought process that you work through with admins on picking backups or choosing how to back up and then also making sure that that backed up data is secure?

Garry Polmateer:
And so one general principle for infosec and just general Salesforce practice in general is we call it data classification, but it’s knowing what you’ve got, knowing what your risks are and what your level of acceptance of loss data can be in your organization. And the bigger the acceptance of loss data, the more casual of a backup policy you can have, while the more mission-critical data ends up being the more aggressive of a policy. Example, if you’re e-commerce and you miss one hour of transaction data and a million dollars just disappears off your AR, you obviously need a very aggressive backup. Where a small business like me, we have a couple thousand contacts and 20 open deals, and a weekly backup is sufficient. But what I like to advocate, and I’ll say this, Mike, and I don’t know if anyone’s ever done this on your show. There’s so many awesome episodes, I haven’t heard them.

I want anyone listening to this show that doesn’t have a backup that’s at least less than a week old to hit pause right now, log into Salesforce, hit the export button, and be prepared to store a secure backup somewhere on your infrastructure so you at least have a recent backup and then come back and push play when you’re done with that and we can continue the conversation.

So again, at bare minimum, everyone, please use that weekly backup feature religiously with one caveat. And that caveat being, again, going back to our previous comments on PII, SPII, if you’ve got that type of data that you’re processing, just remember that your backups are as much of a liability as other things. And often I’ve seen companies they go all the way to the max, and they secure all their Salesforce stuff and they’ve got a beautiful sharing model, and it’s so well architected and users are all seeing the data that they should and not see what they shouldn’t. Then they dump a backup and they just put it on the network share where literally all the data’s exposed again in your backup because they’re flat CSV files.

So backups need to be handled with as much care and consideration, perhaps more because they’re so easily packaged up and moved than your org data. So that’s the caveat, but that’s just the basic stuff. And as you mentioned, Salesforce brought the backup product on platform to market. I think that’s a really great alternative. And there’s some awesome AppExchange partners who are very mature, specialized in certain verticals also worth looking at to figure out what your best fits with your organization’s needs. But backup is another part of the cybersecurity framework where the recover side of it. If someone is feeling naughty and they want to delete data or some integration accidentally deletes data, and I did it, I’ve done it more times than I would care to count, but thankfully less times than I have fingers on one hand in my career where something goes awry and you’re like, “Wow, that didn’t perform the way I thought. I need to pull data from a backup now.” So having that safety net as an admin will again give you some peace of mind and help you meet your goals.

Mike:
Yeah, and that’s referring to just, I mean, your core operating data. Do you have any best practices around backing up your metadata?

Garry Polmateer:
That’s a nice zinger, Mike.

Mike:
Oh, next level. Oh, I wasn’t expecting that.

Garry Polmateer:
So let’s get into that. So there’s a parallel, right? So you’ve got your weekly data export now that Salesforce is so nice and gives us bucket loads of sandboxes. There’s no reason why you couldn’t burn a fresh sandbox periodically. And that isn’t… Again, it’s not very convenient, but it at least is a snapshot of your metadata at a point in time. Now, if you have regular deployments, DevOps going on in your org and things of that nature, things can rapidly become more sophisticated and very well managed using some of the same tools for data backups and or a whole host of development tools that will allow you to version and manage a lifecycle of your metadata.

Mike:
That’s good. Yeah, I think I’ve burned sandboxes before. I also like that term.

Garry Polmateer:
Do you remember when we only used to get one?

Mike:
I do. And then you had to pay for more, and then you had to set them up correctly and you had to call, what’s the difference between dev and config? Because there was no chart, there was nothing. We were just guessing. So I was looking through, and I think this is kind of a good way to wrap things up. We rolled out an org health check a while back. I feel like I put it in a ton of presentations because it demoed really nice. Like you could click and change passwords and update password policies and get that org health check score up, and then it just went away. But I noticed you reference it a lot and you reference that scores under 90 are easy to fix. So tell me about org health check and what you do and why scores under 90 are easy to fix.

Garry Polmateer:
Sure. So org health check is a suite of tools that does a very basic heuristic scan of a few security settings in your Salesforce org. And again, I’m calling it very basic because it covers some fundamentals. It’s still a really nice tool for any admin under the sun to just do a quick run and say, “Am I landing in the realm of best practice according to Salesforce with this stuff?” I think that it’s very easy to fix for a few reasons. One of them is like, “Do you have all of your org updates complete?” Periodically, Salesforce will push these different security patches or updates that change behavior in an org. Some of them you obviously have to check and make sure there’s no performance or regression potential, but apply your updates, it wants to check that you have a reasonable password policy, a reasonable login session policy, and everything within the realm of 90 plus should be pretty easily attainable.

Like your password must be more than eight characters and contain a symbol, that used to be one of the checks. It’s like, “Yeah, of course. That’s basic stuff.” So getting over a 90 means that you’ve attained a good baseline level of security to then begin more advanced conversations about what’s appropriate for my risk and my data and my industry and all my compliances and things like that. So I’ve never seen an org that under 90 was a problem to fix, even complex ones with a few exceptions, but they’re special.

Mike:
Right. I just like that you don’t have to hunt around when it gives you the recommendation. It’s literally click here and then you can go right back to it.

Garry Polmateer:
And I think it’s a good reminder, Mike, like some of these tools on the platform that the Salesforce optimizer, they don’t get a lot of press now. There’s still some really good stuff in those tools for any admin. It’s just like, “Hey, how am I doing? What is Salesforce telling me?” And they’re quietly continuing to be updated. I’ve seen some of the criteria change for an org that was 90 in health check turned into an 87 because Salesforce added a new check to the health stuff. So that stuff’s been… It’s good. And then one other one I’ll call out is data classification is now built in as a platform feature. And that is a huge win for admins because when you’re looking to classify your data to identify everything you need to worry about, basically, Salesforce does it for you, and you go through and you tag the fields that you consider certain types of data, you can load that back in and it’s permanently imprinted on your metadata. That stuff is awesome, and it’s all just baked into the platform.

Mike:
Wow. Yeah, some of that I haven’t had time to dig into. Thanks for coming back, Garry. It’s been forever. I feel like the last few months I’ve been catching up with a whole bunch of people that I’ve talked to in a long time because we’ve been so busy.

Garry Polmateer:
Yeah. Mike, thanks so much for having me, and I’m really glad we got a chance to catch up at Midwest Dreamin, which again, awesome show and props to the organizers and sponsors there. And yeah, I’m happy to be back. And obviously you can probably notice I’m a bit of a nerd about this stuff these days. And if anything I can do to help you or the community, feel free to reach out and happy to share anything else.

Mike:
It’s okay. That’s why we have the podcast so we can nerd out.

Garry Polmateer:
Yeah.

Mike:
See, I told you it was a fun conversation. Org health check, when was the last time you heard that? It is exactly why I have Garry on the podcast. Now, if you enjoyed this episode, I need you to do me a favor. If you’re listening on iTunes, all you need to do is just tap the three dots. It’s just over to the right and choose share episode. And then you can post it to social, you can post it on threads, or you can text it to a friend. And if you do that, it really helps the podcast out because then more people are listening and we can help share some of this cybersecurity goodness with everyone.

And of course, if you’re looking for more great resources, anything Garry mentioned, don’t worry about it. Your one-stop shop for everything admin is admin.salesforce.com, including a transcript of the show and any links that he mentioned. And of course, be sure to join our conversation in the Admin Trailblazer group that is in the Trailblazer community. Don’t worry, link is in the show notes. And with that, until next week, we’ll see you in the cloud.
