Salesforce Admins Can Reduce Risk With Proactive Security


Today on the Salesforce Admins Podcast, we talk to Kate Lessard, Lead Admin Evangelist at Salesforce. Join us as we chat about why security is the foundation for how data, automation, and AI work together.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Kate Lessard.

Why strong security is proactive, not reactive

Security can often feel like the elephant in the room. Everyone knows it’s important, but the amount of work needed to do it right can feel daunting. Thorny problems like accumulated tech debt and organizational inertia can make you feel like you’re better off not talking about it. 

That’s why I sat down with Kate Lessard. This month, she ran a workshop called Security in Action to highlight the simple steps you can take to strengthen the security posture of your org. She got hands-on with an example org to demonstrate how to use Health Check to identify and fix security problems.

It’s all about taking a proactive approach to security, rather than waiting for something to happen to you. 

Your Health Check score is a security action plan

“Health Check is no longer just a list of settings for you to review,” Kate says, “it’s your dynamic risk mitigation dashboard.” Issues are sorted into four categories: high-risk, medium-risk, low-risk, and informational. There is also a status to rate the level of urgency for each issue: critical, warning, or compliant.

Health Check is also customizable. If your organization’s security policies differ from the Salesforce Baseline Standard, you can download the baseline as an XML file, tweak the criteria, and re-import it as your own baseline. That lets you compare your org’s settings both to your own policies and to what Salesforce recommends, and maybe identify some low-hanging fruit.

In short, your Health Check score gives you a prioritized list of which security issues need to be addressed first so you can walk into a meeting with stakeholders with a solid plan of action.

Helpful reports for user management

Security and user management go hand in hand, and Kate recommends some reports that admins can run to help with governance. 

First of all, the Active System Administrator Report can help you find users who have more access than they need. This is often an issue in older orgs, where it was easier to give someone admin access than to sit down and solve the permission problem. Kate also likes to run a report on Reports, to keep track of which reports her users interact with the most.

As Kate says, it’s all about making a shift towards a security model built around permission set best practices. As admins, we need to find a way to fit security seamlessly into our organization’s business processes, and vice versa. There may be an upfront cost, but it’s all about making security easy in the long run.

Listen to the full conversation for more from Kate about security and Health Check. And don’t forget to subscribe to the Salesforce Admins Podcast so you never miss an episode.

Full show transcript

Mike:
This week on the Salesforce Admins podcast, I sit down with Salesforce Evangelist Kate Lessard to unpack why security is really no longer a side conversation for admins, but the foundation to how data, humans, automation and AI all work together. We’re going to cover her new security workshop that she led last week, and talk about Health Check upgrades, permission set security models, and of course how Salesforce admins can move from reacting to security problems to proactively designing trusted systems. We do touch on a little bit of governance, user access, and why secure data is the backbone of every successful AI implementation. So if you’ve ever wondered how modern Salesforce admins evolve from feature builders into stewards of trust, this episode is for you. And with that, let’s get Kate on the podcast. Kate, welcome back to the podcast.

Kate Lessard:
Hey, thanks for having me back. Excited to be here.

Mike:
Well, it feels like a lot of relevant things for admins are coming out of your camp lately, from True to the Core Deep Dive to last week’s Security in Action. I feel like there should be like a thunderclap after that. Security in Action. Dun, dun, dun.

Kate Lessard:
Yeah, absolutely. Data and access.

Mike:
Right. Mm-hmm. Yep. Like a comic book hero. And then you got to do the comic book land. Anyway, totally off topic. Look at that. 30 seconds into the podcast, we’re already in comic books. People-

Kate Lessard:
I mean, I am here for it. Admins are superheroes, especially when they are securing their orgs.

Mike:
We are. So let’s talk about what that first workshop was, and what you covered, and how it went. So tell me a little bit more, tell everybody a little bit more about what that workshop was.

Kate Lessard:
So in the Security in Action workshop, we were really focused on data and access and using Health Check as our guide. So essentially we started off with some security basics, knowing that much of our audience was at different levels. So we had people joining us that are brand new admins that are working on their first certification. And then we had people joining us that have been in the ecosystem and in a Salesforce role for more than 10 years. So we wanted to make sure that we had a strong foundation and that we had reviewed some security foundational knowledge base points for everybody to get on the same level. And then we got hands-on in an org that just didn’t have a great Health Check score and had some security concerns that we went through, and hands-on adjusted together until we improved our score, we better secured our org, and just increased our security posture.

Mike:
Cool. I didn’t hear Agentforce in there and we’re in the age of AI.

Kate Lessard:
Yeah. So I do think we didn’t specifically touch on Agentforce in this first workshop. We really wanted to focus on that strong security base where it applies to all of your org. And that might mean that it applies to your users, both human and agent, but really focusing in on that prime security. And then we do have plans in the future to enhance this and take this to the next level and really expand on some of those agentic guardrails. But I think that it’s just really important to have that foundation first.

Mike:
Yeah. I mean, all of it bases around good, clean data and secure data.

Kate Lessard:
Absolutely. And you’re not going to have a successful Agentforce implementation without that. That is the foundation point that’s going to set your organization up for success using AI.

Mike:
I did the Agentforce Now workshop that week, and I always emphasize the importance of filling in description and metadata fields as well.

Kate Lessard:
Yes, hugely important.

Mike:
So one of the things, it’s really cool the workshop pivots all around Health Check. And I know, having worked some of the Q&A, people were like, “Wait a minute, I thought Health Check went away.”

Kate Lessard:
Yeah, Health Check has not gone away. It is free for admins to use and it actually recently got some pretty impressive and exciting upgrades that we spend some time on in the workbook. So it’s no longer just a list of settings for you to review. It is really dynamic and serves as your risk mitigation dashboard. So you can do things like not only configure the specific settings for your org security, but you can also set up email notifications for system admins or anyone that you would like to receive notifications when your security score changes. So maybe members of your IT team, your security team, if you work with a governance team, making sure that they get notifications because, as you know, security is a team sport.

I think the coolest thing that we do in the workshop and that I really want everybody to be able to take advantage of is you can actually export the standard Salesforce baseline and customize it to your own organization’s security criteria. So if you have different security criteria like maybe your password policy has a minimum of 11 characters at your organization, the Salesforce baseline has eight characters. That is a change. And you want to compare your Salesforce security settings against your own organization standards, and you now have the ability to do that, which is just incredible.

Mike:
Yeah. And it’s not like the way that you walk through it, it’s not that daunting. I mean, is it an XML file that you download?

Kate Lessard:
Yeah, absolutely. So you don’t have to start from scratch, which is the really nice thing. You can actually export the standard Salesforce baseline. It is an XML file. In the workshop, we walk through what the download looks like and how to actually make the edits. It’s pretty easy to read. And even in the file, there’s a link to help notes so that you know exactly what types of formatting to use when you’re editing the XML. And then you can just save it as your custom, re-import it, and set it as your default.

Mike:
Yeah, I thought that was really cool. One other thing that you dive into is, and of course it’s set up because it’s a workshop, but number of admins that…

Kate Lessard:
Oh yeah.

Mike:
Or number of people that have the Salesforce admin profile.

Kate Lessard:
Absolutely. So everybody’s favorite admin horror story: that you log into an org for the first time and take a look and realize that you have just a completely disproportionate number of system admins and folks that are over-privileged just because it was easier to give them that permission than to really sort through a proper permission set model. And in our org, we have the very scary informational security setting letting us know that we have 100% of our users as system admins, as opposed to the typical 5% that you see in the standard baseline. So we address that and we talk about who really needs admin permissions.

Mike:
So I mean, let’s expand upon that because we’ve had that idea of delegated admins as well. So they wouldn’t have a system profile or a system administrator profile.

Kate Lessard:
That is correct. Yeah. You might have your delegated administrators that are taking certain tasks for certain teams, but that doesn’t mean that they have the full system admin profile. It means they’re a delegated admin and they have certain admin responsibilities that they take on, but it does not give them the keys to the castle.

Mike:
Very important. Very important. With Health Check, I think it’s always one of those big discussion areas because there’s different levels that we call out. We have critical. What are some of those stages? Non-critical, informative. Would you as an admin getting started approach Health Check as maybe it’s like a topic we should bring up in governance?

Kate Lessard:
I absolutely think it’s a topic we should bring up in governance. And it really is set up well to help you prioritize. So if you’re going into a governance conversation or maybe a meeting with your security stakeholders, and you want to present different actions that you would like to take or approaches and settings that you’d like to address in your org, it’s broken down by high risk, medium risk, low risk, and then informational. And then in each of those different categories, we have it called out what is a critical status, what is a warning status, and then where you’re compliant. And so you might want to prioritize your high risk critical items, and then you could share that information of what your value is versus that baseline so that you can provide a really strong recommendation about where to take action to better secure your org.

Mike:
That makes sense. You’ve been doing a lot of security stuff lately. I mean, you’ve had some workshops. Outside of this, we had the True to the Core Deep Dive. What is one of the areas that almost consistently comes up as a theme that really maybe this year admins could address the most?

Kate Lessard:
That is a really great question. I think we’ve seen it in the True to the Core Deep Dives that we’ve had. We had one recently on security and user access. And I think those are two things that go hand in hand and something that comes up consistently. It was also a major discussion point at our admin day of security before TDX. We had a day zero event with several admins and that was just a common conversation as well. Really making that shift towards the best practice of having a permission set led security model, what that looks like for your organization, how to get there, what tools are available to help. I think of things like user access summaries, which we dove into in the workshop as well last week. There are just so many tools that can help admins better move to that permission set led security model.

And I mean, I don’t have to tell you that security and user management really go hand in hand, and oftentimes are interchangeable topics about how we can better secure our orgs and create a better user experience as well.

Mike:
Absolutely. And being proactive on topics that come up, one of the things that you cover that I really enjoyed, this is also, this speaks to how long I’ve been in the ecosystem. It wasn’t until I joined Salesforce that I think you could do really in depth user reports, basic reporting was available, but one of the things that you create is the active system administrator report. I’d love to know, I mean, you were an admin out in the world more recently than myself. Were there reports that Kate always created to help her understand her users outside of just if they had a license or if they didn’t?

Kate Lessard:
Yeah, absolutely. I think that the active system administrator report is a great one to call out, but it is looking specifically at users that have that system admin profile. And you might have other concerns about your users or things that you’re checking up on them and what they’re doing and what they’re using. I loved to create the report on reports to get little snippets and information into what reports my users were using. I found that to be really helpful. And also there is a great Salesforce Labs report package about different administrator reports to help you get a little bit more insight into your user activity. So I think that something like that is really helpful if you don’t have advanced security options to pinpoint that user activity for you.

Mike:
Yeah, that definitely makes sense. In addition to knowing when people log in and when they don’t, it’s also what are they doing? Because I remember I did an implementation and they were adamant about having a login component on a dashboard. And I had one user that I, to this day, I think all they did was wake up, check their email, and then log in and out of Salesforce because they were always head and shoulders above everybody else. They’d have 300 logins for the week.

Kate Lessard:
Oh, interesting.

Mike:
I’d be like, “Are you just logging in, updating a field, and logging out?” And they were very dodgy about their answers, but I think that’s what they were. I think that’s what they were doing because they liked being at the top of the board.

Kate Lessard:
That is hilarious.

Mike:
And I always had to reframe the conversation with executives of, we have to look at the entire dashboard, not just logging in because it could be meaningless.

Kate Lessard:
Right. They’re just like logging in, logging a single activity, logging out, coming back in.

Mike:
Refreshing a dashboard, refreshing a report, and then that’s it.

Kate Lessard:
Oh my goodness. Well, and then the other concern is where are they logging in from, if we’re talking about dodgy behavior. When I was an admin out in the wild, this was one of the stories I liked to tell about why security is so important. I worked for a mental health hospital system, and as you can imagine, we dealt with a lot of PHI. And I noticed some funky login IP ranges, and it turns out that someone had given a local college student access to their Salesforce credentials and was having them log their activities for them.

Mike:
Uh.

Kate Lessard:
Yeah, I know. And thankfully they didn’t actually have access to any PHI because we had a good security model set up. However, obviously huge concern and something that Salesforce was able to help us identify because we were able to see those different login IP ranges, spot what was going on, and address it, and prevent it from becoming a big security concern, which I feel like that’s really one of the big takeaways that I… If you asked me what I wanted people to take away from this workshop, it is to shift from being reactive about your security and just waiting to become a statistic to really being proactive and getting ahead of things and making sure that your org is secure and that you are addressing those risks versus waiting for them to happen to you.

Mike:
Yeah. I mean, to that point, I often look at things that are security that don’t sound like security. And one of them is process management. So to me, that sounds like there’s a complete separation between what executives expect in Salesforce and what the actual process is. Because the process, the technology should support the process that’s needed, and here it sounds like it’s burdensome to the process. And that to me is a security risk. I mean, if you don’t have the process ironed out so that it feels natural, every action has a deliberate and equal technology component, then the security’s going to fall apart. Much like a Salesforce admin shouldn’t learn about a person being separated from a company four days after they’ve left the company. They need to be part of the off-boarding or onboarding process. They don’t need to know why, but they need to make sure because that person should or should not have access to that system.

Kate Lessard:
Absolutely. I think that it is certainly a role of power and responsibility because you are getting that notification, best case scenario, to freeze that user. And again, you don’t need the why or the explanation, but to have an actual process in place to be able to continue to secure your org so that after someone’s left an organization that you’re able to say, “Yes, this is still secure, this is not a risk.” And you know you’re not maybe going through a full deactivation process right away, but that ability to freeze that user and be able to take action is just so important.

Mike:
Absolutely. Well, Kate, I appreciate you coming on the pod and helping admins keep all of their data secure and their org secure.

Kate Lessard:
It is my pleasure. I mean, I love to talk about security any chance I get, and I think that we have so many brilliant people on our security team at Salesforce who I’m always learning from and happy to partner with. And this workshop was just a real labor of love, and I’m so happy that so many people were able to attend last week and glean the information and be able to take that and go use Health Check and better secure their actual orgs, not just our fake, very poorly-secured org that we fix and adjust in the workshop.

Mike:
Yeah. I mean, it works because you can spot things very easily because I think in the real world, sometimes things aren’t as obvious as they should be. I know the biggest question that we can answer, and we’re doing it at the end on purpose, will there be more of this content?

Kate Lessard:
Yes. So I can’t give you a date, but we are planning to continue this on a monthly basis. I do think that there are plans to expand the content as well. And you’ll also maybe catch us doing these workshops hands-on at some community conferences over the next year.

Mike:
Ooh. See, even more of a reason to go to community conferences besides the fact that they’re super fun and held at really interesting locations.

Kate Lessard:
Absolutely. And get to actually really connect with the community, which I am very excited about.

Mike:
Yeah. Yep. I hear you. Well, Kate, thanks so much for coming on the pod.

Kate Lessard:
Thank you so much. I’ll talk to you later, Mike.

Mike:
So big thanks to Kate for joining us and reminding us that security is more than just a technical checklist. It’s really a mindset for Salesforce admins as we operate to bring scalable systems to our entire enterprise. Of course, be sure to check out admin.salesforce.com for the announcement of more Security in Action workshops, which are also coming to future community Dreamin’ events, and start thinking about how your own org can shift from being reactive to an intentional system stewardship, even with IT. Now, if you enjoyed this episode, subscribe, share with a fellow Salesforce admin, and of course, I always appreciate it if you leave us a review. And until next time, we’ll see you in the cloud.
