Thu, 10 September 2020
This week on the Salesforce Admins Podcast, we’re bringing on Laura Pelkey, Senior Manager of Security Customer Engagement at Salesforce, as a guest interviewer to talk to Kerry Schoepfle, Salesforce Engineer at Rackspace, and a member of our new Trust Champions program. We learn all about Multi-Factor Authentication and how you can use it in your org.
Join us as we talk about how important MFA is to security and how easy it is to implement, how to make it easy for your users to buy in, and how to make security fun.
You should subscribe for the full episode, but here are a few takeaways from our conversation with Laura Pelkey and Kerry Schoepfle.
Why every org should consider MFA
Kerry first got started in Salesforce working as a Certified Financial Planner at a wealth management firm. “We used Salesforce to keep track of client information and assign operational tasks, but I knew there was so much more we could be leveraging the platform for,” she says. Since her firm didn’t have a dedicated admin, Kerry thought she’d give it a go and quickly discovered that she enjoyed building on the platform, so much so that she decided to change careers.
At the firm, Kerry was super excited to roll out MFA (Multi-Factor Authentication), which provides an extra layer of security to your Salesforce login process. MFA requires users to verify their identity with two or more pieces of evidence to show they are who they say they are. There’s even a free Salesforce Authenticator App, which you can download to your mobile device to make adopting MFA as easy as possible, with no coding required. Securing your customers’ data has never been easier.
Making adoption easy for your users
With security, it’s helpful to think in terms of layers. “In the security world,” Laura says, “this is called a Defense in Depth security strategy (DiD).” What can be difficult is getting buy-in from users as to why these extra steps are so essential. “As admins, I think we have a responsibility to be thoughtful and deliberate with the changes we make to our end-users’ experience,” Kerry says. “People can be resistant to change, especially if they don’t understand the reasons behind those changes.”
For Kerry, the answer is to always focus on how to make things as easy as possible for her users. She created a one-page job aid with instructions on how to download the Salesforce Authenticator App, and also spent time with each department to answer any questions they may have had. “Once the users were educated on the benefits of Multi-Factor Authentication, understood how it would protect them and our clients, and saw how easy it was to use, we really had strong adoption,” she says.
How to make security fun
One thing Kerry did to encourage adoption was to gamify the process a little bit by encouraging some friendly competition between departments. Think creatively about how to make the process fun, whether that’s hosting a launch party, or making special videos reminding people that changes are coming. “There’s lots of ways out there to get buy-in from your users by adding a little fun, gamified aspect to it,” Kerry says.
Making MFA a reality means getting buy-in from leadership, and that starts with educating yourself so you can make the case for the benefits of implementing it. Kerry recommends hitting up Trailhead and the Trailblazer community to get started. “Connect with other individuals who have experience with implementing MFA, get their feedback,” she says. There are a number of options for MFA, so think about what makes sense for your org and you can make a strong case to leadership.
Full Show Transcript
Gillian Bruce: Welcome to the Salesforce Admins Podcast, where we talk about product, community and careers to help you be an awesome admin. I'm Gillian Bruce.
Mike Gerholdt: And I'm Mike Gerholdt.
Gillian Bruce: And today we are talking about security, a very near and dear topic to all of us Salesforce admins, because we know, well Salesforce trust is our number one value. And I know as a Salesforce admin, it is one of your top priorities for your organization.
Laura Pelkey: Thanks, Gillian and Mike. Hi everyone. My name is Laura Pelkey. I am on the security communications and engagement team here at Salesforce. And my job is to talk to customers and partners about how they can secure their Salesforce data. So I'm really excited to be here today with one of our amazing trust champions, Kerry Schoepfle. And we're going to talk a little bit about Kerry's story with security and just get to know her a little bit more. So hi, Kerry, how are you doing today?
Kerry: Hi, Laura. I'm doing great. Thanks for having me on the podcast. It's a pleasure to be here.
Laura Pelkey: Yeah. So excited. So just to get things kicked off, I'd love to hear a little bit about how you got started as a Salesforce admin?
Kerry: Yeah, it's been an exciting journey. I was working as a certified financial planner at a wealth management firm, and we used Salesforce to keep track of client information and assign operational tasks, but I knew there was so much more we could be leveraging the platform for. We didn't have a dedicated admin, so I took the opportunity to start learning the admin tools myself, and I rolled up my sleeves, hit the trails on Trailhead and discovered that I really enjoyed building solutions on the platform to solve business needs. So that sort of prompted my career pivot from certified financial planner to becoming a Salesforce admin. And now I'm a four-time Trailhead ranger, I have six certifications and it's been a lot of fun.
Laura Pelkey: That is awesome. That is definitely quite a pivot, but I love that you were able to utilize Trailhead and just kind of learn everything you needed to learn and be successful. That's great. So as I mentioned a few seconds ago, you recently joined Salesforce's trust champions program. Can you tell us a little bit about one of your favorite security-related projects that you run as an admin?
Kerry: Yeah. So one of my favorite security-related projects is when I rolled out Multi-Factor Authentication, or MFA, at the wealth management firm, in order to add an extra layer of security to protect our org's data. So MFA adds an extra layer of security to your Salesforce login process by requiring users to verify their identity with two or more pieces of evidence or factors to prove they are who they say they are.
Laura Pelkey: Well, we are so excited that you were willing to join our trust champions program. This is a newer program that we just started here at Salesforce, and I'm really excited about all the great things that you champions are going to accomplish.
Kerry: Sure. So as we all know, and Salesforce holds very important, customer trust is a sensitive topic for companies in every industry, but particularly when you're talking about access to someone's personal and financial information, it doesn't really get much more sensitive than that. And at the time we decided to implement MFA, there were some high profile data breaches in the news that impacted millions of people's financial information. So this sort of prompted us to examine our own security practices and evaluate how we could best protect our client data. Obviously, the threat landscape is constantly changing, it's a lot to keep up with, but it was clear to us that user credentials alone are no longer adequate to guard against unauthorized account access.
Laura Pelkey: That's awesome. And you mentioned an added layer, and I just want to call that out. We definitely think about security in terms of layers, and the more layers you have, the more secure you are basically. And this is called, in the security world, it's called a defense in depth security strategy. So I love that you brought that up and MFA is definitely a really important layer of security for really any account.
Kerry: As admins I think we have a responsibility to be thoughtful and deliberate with the changes we make to our end users' experience. Now people can be resistant to change, especially if they don't understand the reasons behind those changes. We're probably all guilty of operating on autopilot at times, and any deviation from that can seem disruptive. So I really tried to make it as easy for the users as possible. I created a one page job aid with instructions on how to download the Salesforce authenticator app. And I spent time with each department in order to answer questions, provide assistance, and just sort of walk them through that process.
Laura Pelkey: That's awesome. Yeah. I know one of, probably the biggest deterrents for admins to implement MFA is probably the work that's involved, getting your users to actually use it. And I would say, it is definitely a little bit of an undertaking initially, but after the second time a user logs in, it's just kind of second nature. I want people to feel who are listening and who might be interested in MFA that it's a little bit of an undertaking at first, but it definitely is worth it in the long run, and users get used to it pretty quickly.
Laura Pelkey: Yeah. So security can kind of be a bit of a dry topic you can say for users and for even some admins, it's not necessarily the most exciting thing. And you said this also Kerry, sometimes it's just not a huge priority for users, especially. What are some ways that you have made security fun for users or made using MFA a little bit more fun or the rollout? How did you kind of make that appealing to your users?
Kerry: I think we made it fun by keeping it simple. We've really put the focus on reducing the potential for user frustration by having strong communication about the change over a period of weeks before we actually implemented it. So depending on the version of Salesforce that you have, there's some flexibility when implementing MFA that can help you strategize your rollout. You can roll it out to all of your users at once, or you can adopt a phased approach, which is what we did. So we had a smaller group of pilot users that we implemented first, and we walked them through the initial setup and collected their feedback before rolling it out across departments.
Laura Pelkey: I love that you talk about gamification. We are huge fans of that at Salesforce and especially on the security team here. Some of the listeners that are tuning in today may have attended a Dreamforce or TrailheaDX where we ran a game called secure the force, which is kind of something that I am a big fan of which sort of gamifies learning about how to secure a Salesforce org.
Kerry: The first step I would say, would be to educate yourself as an admin. There's a great Trailhead module called user authentication, that provides a lot of information on the background of why MFA is so important. And it also gives admins the hands-on opportunity to implement MFA in a Trailhead playground or a developer org. And then I would say to leverage the amazing trailblazer community, connect with other individuals who have experience with implementing MFA, get their feedback. There's a great community group called MFA getting started, that has links to a lot of excellent resources. There's an implementation video and admin setup guide ebook. And then after you reviewed these resources, you can evaluate the implementation options within MFA, think about really what makes sense for your organization.
Laura Pelkey: Yeah, that's really good to point that out. Communication is key. So I think you also mentioned earlier doing a phased approach when rolling out MFA, and I think that's super important as well. We look often at which account would have the highest level of privilege or access you can think of. Who has the most access at your company inside of Salesforce? And that would most likely be a Salesforce admin or the equivalent of an admin and an executive probably. So I think getting buy-in from executives and also having them be part of your pilot group is a great way to do that. Just demonstrating how important it is to secure their access and the accounts that have very high access is a good thing to point out.
Kerry: So I would say to educate yourself as an admin, that way you can have all the tools in your arsenal, then be prepared to have those conversations with your leadership, be prepared to have those conversations with your users. Tap into the Ohana, get in touch with people who have already rolled out MFA. The Ohana, as we all know, lots of help. So post your questions to that MFA getting started group. There's also the Salesforce trust website. That's at trust.salesforce.com. It has a lot of great tools and resources for admins. So I would start there.
Laura Pelkey: Awesome. Yes, we are here to help. There are resources that are out there and also don't feel afraid to contact your success manager or post questions in the trailblazer community. We're here to answer your questions and to help with this process.
Kerry: Thanks for having me, Laura. It's been a lot of fun.
Laura Pelkey: Yeah. So I will hand it back over to Gillian and Mike.
Mike Gerholdt: So it is great to meet Kerry, and I'm so thankful that Laura could jump in and be our guest interviewer this week. I do think everybody who enjoyed this podcast should tweet Laura, ask her to come back, we're always happy to have a guest host, especially when we're talking about really fun things like security.
Gillian Bruce: Tadaa. Yeah, I'll take a drink of water too. It sounds good.
Mike Gerholdt: Oh, it's coffee.
Gillian Bruce: Yeah. I could tell by the way you sipped it. Because there's like with coffee, you always do a little bit of like a Slurpee thing. Because it's still a little hot.
Mike Gerholdt: Even if it's not hot, I think you have to do the Slurpee thing.
Gillian Bruce: It's just the way you drink coffee.
Mike Gerholdt: Yeah.
Gillian Bruce: I wouldn't know. I don't drink coffee because God knows what that would look like. Hi, my name is Gillian and I love coffee.
Mike Gerholdt: I know. There would be no periods in your sentence and exclamation points in between every word.
Gillian Bruce: Yeah, it would make transcribing a podcast very difficult.