Cybersecurity basics more important than ever in the new normal of remote work says Salesforce Chief Trust Officer

Jim Alkove, Chief Trust Officer at Salesforce, talks security in the new normal of remote work, cybersecurity best practices, and how security jobs can be a way to increase diversity in IT.
Written by Bill Detwiler, Contributor

In this new work-from-anywhere environment that we're all in thanks to the COVID-19 pandemic, cybersecurity, trust, and protecting customer data is more important than ever. In conjunction with Salesforce TrailheaDX 2020, held completely virtually this year, I had a chance to speak with Jim Alkove, Chief Trust Officer with Salesforce, about many of the data security issues Salesforce customers are facing in this new world. The following transcript of the interview has been edited for readability.

Bill Detwiler: So let's hit the ground running. What are you hearing from Salesforce customers about the challenges they're facing with this new normal, where everyone is working from home, where people are taking corporate devices home, where work is happening on home networks? What are you hearing from customers about their concerns?

Jim Alkove, Chief Trust Officer, Salesforce

Credit: Salesforce

Jim Alkove: We saw the largest workforce transformation in history as everyone went remote almost overnight in March. And as the Chief Trust Officer at Salesforce, it's my job to work with teams across the company to ensure that we're continuing to seamlessly deliver our services to customers as we adapt to this new environment, but also that our global security teams continue to protect data around the clock. What we're hearing from customers is really questions about how we're adapting to the environment so that we can help them with best practices as they're adapting to this environment. And true to many of the things that Salesforce, our core value of customer success, how do we help our customers be successful in this transformation for their businesses?

Cybersecurity best practices: Focus on the basics

Bill Detwiler: What are some of those best practices? We've all sort of known some cybersecurity best practices that we should all be following but I think in moments like this they really rise to the surface. People realize, "Oh, we should have been doing this all along."

Jim Alkove: Yeah, I think the best thing that any business can do in securing yourself, especially as adapting to this new environment, this new work from anywhere environment, is to nail the basics. There are a small number of really important cybersecurity hygiene actions, so think about it in the current climate as washing your hands from a cybersecurity perspective, that businesses can do to really eliminate the risk associated with a lot of common cybersecurity threats. So some examples of this are enabling strong multi-factor authentication or ensuring that you're rapidly patching all of your devices to inoculate them against known vulnerabilities, to prevent things like ransomware attacks. And then finally, treating cybersecurity like a team sport, building a culture of awareness in your company so that all the employees in your company can act like security trailblazers.

Bill Detwiler: And let's talk about that concept of trailblazers. How does Salesforce work with its community of developers, admins, product managers, to help them put security first in the work that they're doing in their companies?

Jim Alkove: Well, I think that we provided an enormous number of tools to our customers to help them secure their data. At Salesforce, when we think about the security of data in Salesforce, we think about it as a shared responsibility between us and our customers. It's our job to deliver default security, out of the box tools, and educational resources for customers to secure their data, and then we rely on our customers and partner with them to help them turn on those security capabilities so that they can ensure that their data is maximally protected. So some examples of that would be things like monitoring user behavior by analyzing log information or adopting industry compliance requirements in their given industry.

Ethics and integrity are as important as data security

Bill Detwiler: One of the concepts that I think sometimes gets lost in these security conversations is the concept of ethics and how data is used, and I know these overlap quite a bit. What's the role in working with people who are looking at the ethical use of data? So you maybe have something like least privileged required, a concept of saying, "Hey, look, for security purposes, only a certain number of industries or with certain roles need to have access to this data." But that also helps with the ethical considerations around, well, maybe these people don't need to have this data because it could allow them to have unconscious bias creep into the decisions that they make off this data. Talk a little bit about that, just in terms of merging security and ethical use of data.

Jim Alkove: So I agree. I think there's a strong partnership between security and ethical use, and at Salesforce, we're one of the companies who was first to have an office of humane and ethical use of technology and my organization and the Office of Humane and Ethical Use of Technology partnered together to help make those decisions about how Salesforce is going to engage and the protection of data for users, but also ensuring that those uses of data are ethical. I think of trust and transparency going together, but also integrity and ethics and being, of course, trust as well.

Bill Detwiler: And let's talk a little bit about that concept of trust too. So you're the Chief Trust Officer as opposed to a title like CISO or something like that. So is it a recognition that because Salesforce and everyone now basically is sort of a data-driven company that people need to have trust in not just the systems and the integrity of those systems but also in the data that they're using to make those decisions?

Jim Alkove: Yeah. So I think it's an acknowledgement that trust has an elevated position in modern companies. At Salesforce, trust is our number one value and we talk a lot about trust and we need to put trust first, and we feel like that trust needs an advocate. In the same way, we have a Chief Equality Officer to advocate for equality at Salesforce, we have a Chief Trust Officer to advocate for our number one value, which is trust.

Empowering employees to be security trailblazers

Bill Detwiler: If there was one or two things that you would recommend, steps that you would recommend companies take right now with this new distributed workforce, and we've talked about a few and you mentioned two-factor authentication, some of these best practices, but if there were one or two things that you really think companies should maybe be thinking about for the next five months, six months as we settle into this hybrid working environment where some people go back into the office, some people stay home, or we go through periods of time where people can go back in the office or people stay home, what would those one or two maybe things be?

Jim Alkove: So I think we have to remember that we always have to continue to nail the basics, which means patching your systems. That has got to be one of your top priorities, if not your top priority, and multi-factor authentication is something we're taking very seriously at Salesforce. We provide a native multi-factor authentication capability in the platform. We enable strong multi-factor authentication using the Salesforce Authenticator App versus, say, a text message or an email, and I think that nailing those basics are super important in this time. But I think that the work from anywhere in the world has also brought to the top things that are now basics but may not have been in the traditional nail the basics category for CISOs in the past. And an example of that is the exponential rise in the use of virtual meetings.

And so your web conferencing platform use is at an all-time high and I think that while that might not have been a top priority for a lot of CISOs prior to the pandemic, it needs to be now. So ensuring that you take a look at the platforms that you're using for video conferencing, ensuring that you're properly taking advantage of the security capabilities that those platforms provide to prevent gatecrashers in meetings, making sure that you're creating new access codes and links for each of those meetings, I think has become a super important thing for CSOs today. And then the last thing I would say is securing your connection. A lot of people were working in offices and they relied on being on office networks, and while we all had VPN for the times that we would go home, it was not something people had created muscle memory for using and I think that users need to build a muscle memory that wherever you are, you should connect to VPN. Even if it's not gating you accessing the corporate resource that you're looking for, it provides an enhanced level of security.

Bill Detwiler: How much of securing our data, securing the connections, securing our systems is really reliant on the end user? We've always talked about, at least I have been talking about this for 20 some odd years now, that people are often the weakest link when it comes to security. So how do companies help address that now maybe when it's more important than ever? Because like you said, you don't have the perimeter security model, which was always a little kind of wonky. But now that people are outside those corporate networks, like you said, they may not know to use the VPN, or the bandwidth overhead on the VPN may make platforms or services like video conferencing difficult to use, depending on what companies are using. So what role does just end user education and mitigating those end user risks play now, maybe more so than in the past?

Jim Alkove: Yeah. I think that I look at it very differently. I look at it as our people are our number one asset in our security program and it's our job as a trust or security organization to empower them to be security trailblazers. And the way we do that at Salesforce is through a wide variety of training education and enablement for them and we do all of this through Trailhead, our free online learning platform. And the great thing about that training is that the vast majority of it is made available for free on Trailhead to our customers as well for them to leverage the investment that Salesforce has made in protecting our employees to protect their employees. We've taken this another step further with a partnership with the World Economic Forum on a cybersecurity learning hub on Trailhead to allow people to become cybersecurity professionals to get the training they need to actually start down the path of a career in cybersecurity via Trailhead as well.

Cybersecurity can be a driver for diversity in IT

Bill Detwiler: Is that still a growth area? I mean, we've been talking about that for years, is that cybersecurity as a sector of IT is an area that we don't have enough professionals in that we need more in. It seems like it may even be more important as we have a more spread out, a more diverse geographically workforce that makes the attack surface bigger as well, so it gives people more places to attack with so many people working from so many locations.

Jim Alkove: Yeah, absolutely. I think it's an incredible opportunity. I think that depending on which research you read, we're short several million cybersecurity professionals around the world, and that gap is probably only going to grow, as you pointed out, when we look at the transformation to this all digital work from anywhere environment. I also think that we're at a tipping point as a global society that we need to all lean in to provide a greater opportunity for all in equity and equality and that I think that when you have an opportunity for skilled high paying jobs like cybersecurity that we have an obligation to ensure that we are using every tool available to us to create that kind of opportunity for all.

Bill Detwiler: Well, Jim, I really appreciate you taking the time and I will do my best to become an optimist as opposed to a pessimist when it comes to end users and being champions of cybersecurity. So thank you for that point. I guess in closing, I would just love to hear your thoughts on what we need in cybersecurity going forward. For a long time, I've heard people talk about having a national strategy for cybersecurity, having private companies step up and take the lead, having a public-private partnership when it comes to security, and looking at uses of technology to solve some of our cybersecurity problems. What is the one thing we need that you think going forward to improve our cybersecurity posture, not just in the States, but as you say, we've become an increasingly global workforce around the world?

Jim Alkove: Yeah. I think the first thing I would say is that we all need to continue to remember to nail the basics. Never, ever forget to nail the basics. But you hit on something that I think is also incredibly important. It is really the underlying motivation for our partnership. We're a founding partner in the World Economic Forum's Center for Cybersecurity and the driving motivation behind that is that we believe that partnership and collaboration is how we ultimately make cybersecurity better for all. And that means that we, as corporations, need to learn to share more, share best practices, share information about threats, but that we also need to partner between the public sector and the private sector and partner globally. And, again, we're living in a time where those kinds of partnerships are very strained and I think cybersecurity outcomes are worse when we don't partner globally. There are no geographic boundaries in cyberspace and it's really important for us to remember that in order for us to defend all of the users of the internet, that we're all working collectively together, private companies and public sector, around the world.


The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

