What Keeps a CISO Up At Night?

A Chief Information Security Officer (CISO) wears a lot of hats and holds a great deal of accountability. The ever-changing landscape of app development also has them enduring a lot of sleepless nights.

Access control, third-party apps, permissions, machine identity … oh my. And the list goes on and on. We recently sat down for a moderated conversation with Andy Ellis, Advisory CISO at Orca Security and author of 1% Leadership. Hear what Andy has to say about each of those topics and more in our webinar A CISO’s Guide to Salesforce.

The buck stops here – or does it?

Perhaps the first noteworthy dilemma, according to Ellis: who owns security? While on the surface this seems a relatively easy question to answer, it has become unclear in today’s environment. Historically, vetting potential partners meant auditing the company itself, not the platform. And when it comes to Salesforce security, there are question marks as to who should be ultimately responsible. Is it IT, sales operations, or another function? And, says Ellis, that’s a problem.

The CISO may own security for the company; however, he or she is not the one actually implementing security measures. In practice, it’s developers or program managers implementing security. And the world of developers is rapidly expanding with the rising use of low-code and no-code applications.

Beware, notes Ellis: organizations fall short when developers operating in this realm are treated differently than developers who operate in a full-stack environment. This introduces security risks and is certainly an element weighing heavily on the minds of today’s CISOs.

To control or not to control

Another facet of security that merits focus, according to Ellis: access control. This demands special attention when it revolves around joiners, movers, and leavers of the company.

To complicate matters further, you’ve got a combination of seasoned developers and those without formal training, so-called citizen developers using low- and no-code technologies. It’s a Pandora’s box of opportunity for security concerns.

The overall ecosystem is another point of concern. With a mesh of applications including third-party apps and apps written by the company’s developers, determining who has what permissions can be a conundrum. Couple that with the sheer human element and you’ve got a recipe for a restless night’s sleep.

That is not to say employees are malicious actors by any means. But humans are prone to mistakes and can unknowingly open the door to security risks through an act as simple as downloading data to a spreadsheet. Malicious, no, but dangerous in terms of risk, absolutely. And yes, there are occasions where malicious intent is involved.

Who’s that you say?

CISOs must also take into account digital or machine identities. Such identities are not specifically tied to a human user but rather to an automated process or app. This presents a huge red flag, says Ellis, and can lead to challenges with authentication and controlling data flow.

There’s also the potential for machine identity “creep”. The identity may appear to be a legitimate user while it continues to ladder up, gaining ever greater access. It’s the stuff of nightmares for CISOs.

What’s a CISO to do?

A CISO must ensure that security decisions and an organization’s security posture are sufficient to safeguard the organization. It’s that simple. Yet with all of today’s worrisome issues, it’s little wonder that CISOs are encountering more than a few sleepless nights.

But there are opportunities to get a better handle on security. One partner who can provide that better handle: Flosum. Flosum is native to Salesforce and has an organizational scanner feature, says Veroljub Mihajlovic, senior director of product marketing at Flosum. It displays your organization’s security posture on a dashboard and provides crucial insight into what’s not being addressed.

Looking to uplevel your organization’s security posture? Learn more about how Flosum can provide the security your organization needs, and schedule a free demo.

To hear the full conversation with Andy Ellis and Veroljub Mihajlovic, watch the webinar: A CISO’s Guide to Salesforce.
