Salesforce security: What you REALLY need to know

Salesforce security isn’t just IT’s job. Learn how to build resilience, manage AI risks, and close gaps in your shared security model.

Let’s talk about something that matters to everyone using Salesforce – security. Not the dry, technical stuff (though we’ll touch on that), but the real-world implications of how we protect data in Salesforce today.

Remember when Salesforce first showed up 25+ years ago? They weren’t just selling software—they were asking businesses to do something radical: “Hey, trust us with your customer data on this internet thing.” Pretty bold ask back then!

That fundamental need for trust hasn’t changed. If anything, it’s become more critical as more of our business lives move to the cloud. Ensure you are deploying only enterprise-grade and certified solutions.

Navigating the regulatory maze

The regulatory landscape has gotten… complicated, to put it mildly. While there aren’t many cloud-specific regulations, we’re all feeling the impact of GDPR, CCPA, Australia’s Privacy Act, and similar laws worldwide.

What’s interesting is how these regulations are actually driving innovation. Cloud providers are constantly evolving their offerings to meet higher standards, from data residency options to local data centers to better cross-border transfer solutions.

Also, make sure your cybersecurity vendor holds the certifications that matter, such as ISO 27001 and ISAE 3000 Type 2 (SOC 2 Type 2).

Being resilient when (not if) things go wrong

Let’s be real—cyber incidents will happen. The question isn’t if, but when. That’s why cyber resilience matters so much.

Being resilient means you can keep your business running even when facing cyber problems. It’s about preparing beforehand, detecting issues quickly, responding effectively, recovering smoothly, and adapting for next time.

And make sure your cybersecurity solutions give you full visibility into content activity inside your cloud platforms; without that you are flying blind when the proverbial hits the fan.

Who’s responsible for what? The cloud security dance

One of the biggest misunderstandings in cloud security is who handles what. It’s a partnership, not a handoff:

  • Salesforce handles the security OF the cloud (infrastructure, data centers, platform security)
  • You handle security IN the cloud (user access, configurations, data, malware, and phishing protection)

The problem? Many organizations think moving to the cloud means transferring all security responsibilities to the provider. Not true! And this misunderstanding creates dangerous security gaps.

Even more frustrating, many organizations aren’t using the security features they’re already paying for. Tools like event monitoring, encryption options, malware and phishing scanning options, and log analysis often sit unused.
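To make "log analysis" concrete, here is an added example (mine, not the author's or Salesforce's code) of the kind of detection you can run over Salesforce login event logs once you actually pull them. The input is a constructed CSV in the shape of a Salesforce Login EventLogFile; the column names (`EVENT_TYPE`, `TIMESTAMP_DERIVED`, `USER_NAME`, `SOURCE_IP`, `LOGIN_STATUS`) and status values (`LOGIN_NO_ERROR`, `LOGIN_ERROR_INVALID_PASSWORD`) are assumed to match the real export and should be checked against your own org's files. The IP addresses are documentation ranges and the users are made up.

```python
"""Added example: turning Salesforce login event logs into alerts.

The CSV below is constructed sample data in the shape of a Salesforce
"Login" EventLogFile. Column names and LOGIN_STATUS values are assumed
to match the real export (verify against your org); IPs are RFC 5737
documentation addresses.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2024-05-01T08:00:01.000Z,alice@example.com,198.51.100.10,LOGIN_NO_ERROR
Login,2024-05-01T08:01:05.000Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T08:01:09.000Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T08:01:14.000Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T08:01:20.000Z,bob@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T08:01:31.000Z,bob@example.com,203.0.113.7,LOGIN_NO_ERROR
Login,2024-05-01T08:02:00.000Z,carol@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T08:02:03.000Z,dave@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T08:02:06.000Z,erin@example.com,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T09:30:00.000Z,alice@example.com,198.51.100.10,LOGIN_ERROR_INVALID_PASSWORD
Login,2024-05-01T09:45:00.000Z,alice@example.com,198.51.100.10,LOGIN_NO_ERROR
"""

FAILURE_THRESHOLD = 3          # failures for one user from one IP inside WINDOW
WINDOW = timedelta(minutes=5)  # sliding window used for both detections
SPRAY_DISTINCT_USERS = 3       # distinct users failing from a single IP inside WINDOW


def parse_login_events(csv_text):
    """Parse Login rows into dicts with a real datetime under "ts", oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "Login":
            continue
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_login_abuse(events):
    """Return alert dicts, in the order the triggering events occurred.

    brute_force   : a success for a user from an IP that produced at least
                    FAILURE_THRESHOLD failures for that same user inside WINDOW.
    password_spray: one IP failing against at least SPRAY_DISTINCT_USERS
                    different users inside WINDOW (reported once per IP).
    """
    alerts = []
    failures_by_user = defaultdict(list)  # user -> [(ts, ip), ...]
    failures_by_ip = defaultdict(list)    # ip   -> [(ts, user), ...]
    sprayed_ips = set()

    for ev in events:
        ts, user, ip = ev["ts"], ev["USER_NAME"], ev["SOURCE_IP"]

        if ev["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            failures_by_user[user].append((ts, ip))
            failures_by_ip[ip].append((ts, user))
            recent_users = {u for t, u in failures_by_ip[ip] if ts - t <= WINDOW}
            if len(recent_users) >= SPRAY_DISTINCT_USERS and ip not in sprayed_ips:
                sprayed_ips.add(ip)
                alerts.append({"type": "password_spray", "ip": ip,
                               "users": sorted(recent_users)})
            continue

        # Successful login: was it preceded by a burst of failures from this IP?
        recent = [t for t, i in failures_by_user[user] if i == ip and ts - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append({"type": "brute_force", "user": user, "ip": ip,
                           "failures": len(recent)})
        failures_by_user[user] = []  # a success closes the user's failure streak

    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(parse_login_events(SAMPLE_LOGIN_LOG)):
        print(alert)
```

Run against the sample, this yields two alerts: a brute-force success for bob (four failures then a success from the same address within seconds) and a password spray from 203.0.113.7 once a third distinct user fails from it. alice's single failed attempt followed by a success a quarter of an hour later stays below both thresholds, which is the point of windowing: the rule has to separate a mistyped password from an attack.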

AI: Double-edged sword

AI is changing everything in the security world. On one hand, it’s giving security teams superpowers—helping them detect threats faster, respond more accurately, and cover more ground with fewer people. And cybersecurity companies like ours have only expanded their use of AI since we started automated analysis in 2006.

But there’s a flip side:

  • AI can amplify biases from training data
  • Data privacy becomes trickier when large datasets are involved
  • Attackers can fool AI systems with adversarial techniques
  • Deepfakes make verification harder than ever
  • Ethical questions emerge when AI makes important decisions

The key is finding the balance—leveraging AI’s benefits while carefully managing these risks.

Different industries, different challenges

If you’re in financial services, healthcare, or the public sector, you know the compliance burden is especially heavy. Each region has its own requirements, too—Australia has IRAP, the US has FedRAMP, Germany has C5, and Japan has ISMAP.

Interestingly, these highly regulated industries also see more “shadow AI” use, where employees bypass official channels to use productivity-enhancing AI tools. This highlights why clear policies and education are so important.

Getting CRM and security teams on the same page

Here’s something that happens all too often: CRM teams plan and implement Salesforce without bringing security experts in early enough. By the time security gets involved, major decisions are already locked in.

The better approach? Involve security from day one of planning. Help them understand what data you’re storing, what business processes you’re supporting, how your communities interact with the platform, and how everything connects.

This partnership approach builds security in from the start rather than bolting it on later. That matters most when you open your Salesforce org to external communities: the threat level typically jumps through the roof at that point.

What this all means for you

The bottom line is that securing Salesforce today requires understanding that it’s a shared responsibility. It means being prepared for incidents rather than just trying to prevent them. And it requires thoughtful governance around new technologies like AI.

The organizations that get this right aren’t necessarily the ones spending the most money. They’re the ones fostering collaboration between business, security teams, and cybersecurity vendors, making full use of existing security features, and staying adaptable as the landscape continues to evolve.

What security challenges are you facing with your Salesforce implementation? The conversation is just beginning.

Take a look at the fireside chat I had with Chetan Sansare, Senior Director, Security and Regulatory Compliance APAC, and Gayan Benedict, CTO (ANZ), Salesforce, for an even deeper dive.
