There was a time when Salesforce was primarily thought of as a back-office app, but those days are long gone. Over the past decade Salesforce has added many business-boosting capabilities such as storefronts and customer experience systems, elevating its role from support tool to revenue driver. Increased Salesforce usage has also brought more business flexibility, enabling low-code and declarative developers to create and manage SaaS apps alongside more seasoned developers.

It’s time to treat Salesforce like the revenue-generating app that it is and make sure it stays online and secure. “If Salesforce goes down, that impacts our revenue stream,” said Andy Ellis, CISO at Orca Security and author of 1% Leadership, “and that changes the level that we should care about it.” Ellis recently joined Veroljub Mihajlovic, senior director of product marketing at Flosum, to discuss this topic and more in our webinar A CISO’s Guide to Salesforce.


As valuable as your marketing budget

From ticketing systems to commission calculations, many companies are now using Salesforce in ways that completely tie it to their revenue streams. According to Ellis, that should be an eye opener, as a minor outage could now be a major problem. What changes is the urgency and how much you must pay attention to the security and the reliability of everything in the Salesforce ecosystem.

“If Salesforce goes down or we configure it incorrectly, that means our revenue stream might have just gone away for a while. That changes the level at which we need to care about how we’re using Salesforce and what we’re doing with it,” explained Ellis. “If Salesforce is going to increase our revenue, that’s a great thing, but we should make sure that we’re treating it like a revenue-generating app.”

As Salesforce has moved away from the back office and taken this revenue-generating role, it has more customer exposure and mission-critical data. Just how valuable is the data in your CRM tool? Think about how much your company spends on marketing, with the goal of finding prospects and nurturing them to qualified leads and eventually a sale. If you lost access to that hard-earned data, your company would not only be out a large marketing investment, it could potentially hand that customer data to a competitor for free.

“The most valuable data I own is my CRM,” claimed Ellis. “Everyone likes to focus on the IP that’s in their development environment, but the list of people who pay you money is pretty much the most valuable thing the company owns.”


Increased use brings security risks

As Salesforce takes on an elevated role in companies, it is common for them to have large developer teams supporting it as well as citizen developers who are working on behalf of business units. Additionally, there are many people within the organization who have access to Salesforce at varying levels.

Given this scale, it’s important for companies to consider all the ways that developers and users could potentially impact Salesforce, maliciously or accidentally. A common mistake companies make is not treating low-code developers with the same scrutiny as full-stack developers, as they don’t see the potential security risks of clicking buttons. The truth is, people can make just as many mistakes by clicking buttons. While some errors like typos will be easier to avoid, a citizen developer could accidentally select all boxes when they meant to select just one, thus creating a big problem that may be hard to trace.

Additionally, it can be difficult to segment the environment with so many people working within it. It is important to understand who has rights to read, write or download data, as a company’s own employees often pose the largest risk to security. Something as innocent as downloading data to a spreadsheet can introduce immediate and long-term security problems that may be hard to put back into the box.


Protect your high-value data

For organizations who are serious about getting maximum business value from Salesforce while safeguarding their data, Flosum is here to help. Flosum is 100% native to Salesforce and gives organizations the tools they need to secure and accelerate their entire development lifecycles. Flosum also offers Trust Scan, a free organizational scanner feature that lets you quickly check your company’s security posture and identify potential vulnerabilities.

Ready to uplevel your organization’s security posture? Learn more about how Flosum can provide the security your organization needs, and schedule a free demo.


To hear the full conversation with Andy Ellis and Veroljub Mihajlovic, watch the webinar: A CISO’s Guide to Salesforce.


