This week on the Salesforce Admins Podcast, we’re bringing on Laura Pelkey, Senior Manager of Security Customer Engagement at Salesforce, as a guest interviewer to talk to Kerry Schoepfle, Salesforce Engineer at Rackspace, and a member of our new Trust Champions program. We learn all about Multi-Factor Authentication and how you can use it in your org.
Join us as we talk about how important MFA is to security and how easy it is to implement, how to make it easy for your users to buy in, and how to make security fun.
You should subscribe for the full episode, but here are a few takeaways from our conversation with Laura Pelkey and Kerry Schoepfle.
Why every org should consider MFA
Kerry first got started in Salesforce working as a Certified Financial Planner at a wealth management firm. “We used Salesforce to keep track of client information and assign operational tasks, but I knew there was so much more we could be leveraging the platform for,” she says. Since her firm didn’t have a dedicated admin, Kerry thought she’d give it a go and quickly discovered that she enjoyed building on the platform, so much so that she decided to change careers.
At the firm, Kerry was super excited to roll out MFA (Multi-Factor Authentication), which provides an extra layer of security to your Salesforce login process. It requires users to verify their identity with two or more pieces of evidence to show they are who they say they are. There’s even a free Salesforce Authenticator App, which you can download to your mobile device to make adopting MFA as easy as possible, with no coding required. Securing your customers’ data has never been easier.
Making adoption easy for your users
With security, it’s helpful to think in terms of layers. “In the security world,” Laura says, “this is called a Defense in Depth security strategy (DiD).” What can be difficult is getting buy-in from users as to why these extra steps are so essential. “As admins, I think we have a responsibility to be thoughtful and deliberate with the changes we make to our end-users’ experience,” Kerry says, “people can be resistant to change, especially if they don’t understand the reasons behind those changes.”
For Kerry, the answer is to always focus on how to make things as easy as possible for her users. She created a one-page job aid with instructions on how to download the Salesforce Authenticator App, and also spent time with each department to answer any questions they may have had. “Once the users were educated on the benefits of Multi-Factor Authentication, understood how it would protect them and our clients, and saw how easy it was to use, we really had strong adoption,” she says.
How to make security fun
One thing Kerry did to encourage adoption was to gamify the process a little bit by encouraging some friendly competition between departments. Think creatively about how to make the process fun, whether that’s hosting a launch party, or making special videos reminding people that changes are coming. “There’s lots of ways out there to get buy-in from your users by adding a little fun, gamified aspect to it,” Kerry says.
Making MFA a reality means getting buy-in from leadership, and that starts with educating yourself so you can make the case for the benefits of implementing it. Kerry recommends hitting up Trailhead and the Trailblazer community to get started. “Connect with other individuals who have experience with implementing MFA, get their feedback,” she says. There are a number of options for MFA, so think about what makes sense for your org and you can make a strong case to leadership.
Full Show Transcript
Gillian Bruce: Welcome to the Salesforce admins podcast, where we talk about product, community and careers to help you be an awesome admin. I’m Gillian Bruce.
Mike Gerholdt: And I’m Mike Gerholdt.
Gillian Bruce: And today we are talking about security, a very near and dear topic to all of us Salesforce admins, because we know, well Salesforce trust is our number one value. And I know as a Salesforce admin, it is one of your top priorities for your organization.
So we are featuring a guest interviewer and a guest today. We have Laura Pelkey, who is a senior manager of security customer engagement here at Salesforce. She’s been on the pod many, many years ago, and she is helping pioneer our new trust champions program. You’ve heard her on the podcast a little while back, who is one of our trust champions, and we got Laura on the pod because Hey, she’s a security expert here at Salesforce, and we wanted her to highlight another amazing trust champion, Kerry Schoepfle. So without further ado, Laura, take it away.
Laura Pelkey: Thanks, Gillian and Mike. Hi everyone. My name is Laura Pelkey. I am on the security communications and engagement team here at Salesforce. And my job is to talk to customers and partners about how they can secure their Salesforce data. So I’m really excited to be here today with one of our amazing trust champions, Kerry Schoepfle. And we’re going to talk a little bit about Kerry’s story with security and just get to know her a little bit more. So hi, Kerry, how are you doing today?
Kerry: Hi, Laura. I’m doing great. Thanks for having me on the podcast. It’s a pleasure to be here.
Laura Pelkey: Yeah. So excited. So just to get things kicked off, I’d love to hear a little bit about how you got started as a Salesforce admin?
Kerry: Yeah, it’s been an exciting journey. I was working as a certified financial planner at a wealth management firm, and we used Salesforce to keep track of client information and assign operational tasks, but I knew there was so much more, we could be leveraging the platform for. We didn’t have a dedicated admin, so I took the opportunity to start learning the admin tools myself, and I rolled up my sleeves, hit the trails on Trailhead and discovered that I really enjoyed building solutions on the platform to solve business needs. So that sort of prompted my career pivot from certified financial planner to becoming a Salesforce admin. And now I’m a four-time Trailhead ranger, I have six certifications and it’s been a lot of fun.
Laura Pelkey: That is awesome. That is definitely quite a pivot, but I love that you were able to utilize Trailhead and just kind of learn everything you needed to learn and be successful. That’s great. So as I mentioned, a few seconds ago, you recently joined Salesforce’s trust champions program. Can you tell us a little bit about one of your favorite security-related projects that you run as an admin?
Kerry: Yeah. So one of my favorite security-related projects is when I rolled out Multi-Factor Authentication or MFA, at the wealth management firm, in order to add an extra layer of security to protect our org’s data. So MFA adds an extra layer of security to your Salesforce login process by requiring users to verify their identity with two or more pieces of evidence or factors to prove they are who they say they are.
So these factors are something the user knows, like their username and password, plus something they have like the code from an authentication app, on a mobile device or physical security key. So we use the Salesforce authenticator app, which is free and can be downloaded to your mobile device. And there’s some initial configuration necessary, but it’s a very straightforward process for admins to set up. There’s no coding required. And once it’s configured users will receive a push notification on their device every time they log into Salesforce and with a single click, those users can either approve or deny the login.
And MFA is really a very effective way to add that extra layer of security to your org’s data. Because even if an attacker or what we call a bad actor were to obtain a user’s login name and password, it’s highly unlikely that they would also have access to that mobile device as a second factor. So they’d be blocked from gaining access to your org. And what I love about the trust champions program is the focus on educating Salesforce admins and users about the benefits of MFA, as well as providing resources for admins every step of the way.
Laura Pelkey: Well, we are so excited that you were willing to join our trust champions program. This is a newer program that we just started here at Salesforce, and I’m really excited about all the great things that you champions are going to accomplish.
So it sounds like MFA is kind of a magical thing that helps protect you against some really just common things that we face nowadays with security, like phishing attacks. So that’s great that you decided to roll that out at your company. Can I ask, what made you decide to implement MFA?
Kerry: Sure. So as we all know, and Salesforce holds very important, customer trust is a sensitive topic for companies in every industry, but particularly when you’re talking about access to someone’s personal and financial information, it doesn’t really get much more sensitive than that. And at the time we decided to implement MFA, there were some high profile data breaches in the news that impacted millions of people’s financial information. So this sort of prompted us to examine our own security practices and evaluate how we could best protect our client data. Obviously, the threat landscape is constantly changing, it’s a lot to keep up with, but it was clear to us that user credentials alone are no longer adequate to guard against unauthorized account access.
So we chose to implement MFA specifically because it’s an effective way to add another layer of security to our environment. It was something that we could implement quickly, and because it was the right action to take for the duty that we have to our clients.
Laura Pelkey: That’s awesome. And you mentioned an added layer, and I just want to call that out. We definitely think about security in terms of layers, and the more layers you have, the more secure you are basically. And this is called, in the security world, it’s called a defense in depth security strategy. So I love that you brought that up and MFA is definitely a really important layer of security for really any account.
So this definitely sounds like a little bit of an undertaking rolling out MFA. I know there is several components to doing something like this and getting all of your users to adopt MFA. What was the most challenging part of rolling this out for you, would you say?
Kerry: As admins I think we have a responsibility to be thoughtful and deliberate with the changes we make to our end users experience. Now people can be resistant to change, especially if they don’t understand the reasons behind those changes. We’re probably all guilty of operating on autopilot at times, and any deviation from that can seem disruptive. So I really tried to make it as easy for the users as possible. I created a one page job aid with instructions on how to download the Salesforce authenticator app. And I spent time with each department in order to answer questions, provide assistance, and just sort of walk them through that process.
And once the users were educated on the benefits of Multi-Factor Authentication, understood how it would protect them and our clients, and saw how easy it was to use, we really had strong adoption.
Laura Pelkey: That’s awesome. Yeah. I know one of, probably the biggest deterrence for admins to implement MFA is probably the work that’s involved, getting your users to actually use it. And I would say, it is definitely a little bit of an undertaking initially, but after the second time a user logs in, it’s just kind of second nature. I want people to feel who are listening and who might be interested in MFA that it’s a little bit of an undertaking at first, but it definitely is worth it in the long run, and users get used to it pretty quickly.
Laura Pelkey: Yeah. So security can kind of be a bit of a dry topic you can say for users and for even some admins, it’s not necessarily the most exciting thing. And you said this also Kerry, sometimes it’s just not a huge priority for users, especially. What are some ways that you have made security fun for users or made using MFA a little bit more fun or the rollout? How did you kind of make that appealing to your users?
Kerry: I think we made it fun by keeping it simple. We’ve really put the focus on reducing the potential for user frustration by having strong communication about the change over a period of weeks before we actually implemented it. So depending on the version of Salesforce that you have, there’s some flexibility when implementing MFA that can help you strategize your rollout. You can roll it out to all of your users at once, or you can adopt a phased approach, which is what we did. So we had a smaller group of pilot users that we implemented first, and we walked them through the initial setup and collected their feedback before rolling it out across departments.
But once we did roll it out to other teams, we tried to gamify the process as much as we could and add some friendly competition just to see which department could reach full adoption first. But there are other ways that you can introduce some fun into implementing MFA as well. You could have a launch party, you could send out special videos reminding people that the change is coming up. There’s lots of ways out there to sort of get the buy in from the users, by adding a little fun gamified aspect to it.
Laura Pelkey: I love that you talk about gamification. We are huge fans of that at Salesforce and especially on the security team here. Some of the listeners that are tuning in today may have attended a Dreamforce or TrailheaDX where we ran a game called secure the force, which is kind of something that I am a big fan of which sort of gamifies learning about how to secure a Salesforce org.
And so I can speak to this firsthand. If you want to make security engaging, make it into a game. I love the idea of having different departments kind of competing against each other to adopt MFA and even having a launch party. I know, at Salesforce we use MFA as well. And when we started having employees use that years ago, we had some internal events where we were trying to build awareness internally and make it fun and appealing, and you can give away some prizes to like the first some number of people who downloaded the Salesforce authenticator app. So there’s definitely things you can do and ways you can make security a little bit more fun for your users.
Now kind of going from the user perspective over to the leadership perspective. So admins are often required to work with IT teams or technology leadership to implement these larger changes to their org. What advice would you give to an admin who’s trying to get buy in from leadership in order to implement MFA?
Kerry: The first step I would say, would be to educate yourself as an admin. There’s a great Trailhead module called user authentication, that provides a lot of information on the background of why MFA is so important. And it also gives admins the hands on opportunity to implement MFA in a Trailhead playground or a developer org. And then I would say to leverage the amazing trailblazer community, connect with other individuals who have experience with implementing MFA, get their feedback. There’s a great community group called MFA getting started, that has linked to a lot of excellent resources. There’s an implementation video and admin setup guide ebook. And then after you reviewed these resources, you can evaluate the implementation options within MFA, think about really what makes sense for your organization.
So this could be based on your number of users, your number of geographic locations, or if you’re already using tools like single sign on at your organization. So yes, you’ll definitely want to coordinate with your leadership, with your IT department to determine the best approach. And of course, finally, you’ll want to make sure that you communicate that plan to your users, preferably in multiple methods, whether it’s a job aid or email communication during staff meetings or creating short videos, you want to make sure your users are informed about the changes so that they can make simple the processes simple for them as possible.
Laura Pelkey: Yeah, that’s really good to point that out. Communication is key. So I think you also mentioned earlier doing a phased approach when rolling out MFA, and I think that’s super important as well. We look often at who would account have the highest level of privilege or access you can think of. Who has the most access at your company inside of Salesforce? And that would most likely be a Salesforce admin or the equivalent of an admin and an executive probably. So I think getting buy in from executives and also having them be part of your pilot group is a great way to do that. Just demonstrating how important it is to secure their access and the accounts that have very high access is a good thing to point out.
And we do have some resources. Salesforce has created a bunch of resources to kind of help walk you through how to have these conversations and the change management that is involved with this kind of a rollout. So we’ll be creating some of these and releasing some of them soon to help admins who are maybe interested in rolling out MFA, but aren’t sure how to handle the change management aspect.
So Kerry, last question for you. If someone listening is considering implementing MFA, what would be one piece of advice you would give them?
Kerry: So I would say to educate yourself as an admin, that way you can have all the tools in your arsenal, then be prepared to have those conversations with your leadership, be prepared to have those conversations with your users. Tap into the Ohana, get in touch with people who have already rolled out MFA. The Ohana, as we all know, lots of help. So post your questions to that MFA getting started group. There’s also the Salesforce trust website. That’s at trust.salesforce.com. It has a lot of great tools and resources for admins. So I would start there.
Laura Pelkey: Awesome. Yes, we are here to help. There are resources that are out there and also don’t feel afraid to contact your success manager or post questions in the trailblazer community. We’re here to answer your questions and to help with this process.
So Kerry, thank you so much for joining us. I really loved chatting with you about your experience rolling out MFA and with security. And I appreciate you coming on the podcast.
Kerry: Thanks for having me, Laura. It’s been a lot of fun.
Laura Pelkey: Yeah. So I will hand it back over to Gillian and Mike.
Mike Gerholdt: So it is great to meet Kerry, and I’m so thankful that Laura could jump in and be our guest interviewer this week. I do think everybody who enjoyed this podcast should tweet Laura, ask her to come back, we’re always happy to have a guest host, especially when we’re talking about really fun things like security.
So, let’s get into the three things that I learned and I’m sure you learned as well from our discussion with Laura and Kerry. So first MFA is an important layer of security and can be implemented without code. That second part super important, I think, because it’s very empowering to know you can implement a layer of security without code. Making change is easy for users to understand the benefits and always think about what’s in it for them. So a lot of change can be very difficult but always think of that benefit for, what’s in it for them.
And of course, if you didn’t get from the interview, Laura and Kerry loved to have fun with security. Make it fun for your users, keep it simple, reduce user frustration with a lot of communications. I think Gillian, we say that a lot in all of our presentations for admins, it’s all about communication, communication, communication. And think about a phased approach. Maybe gamify it with a friendly competition. I’m always a fan of doing that. It’s a good reason for you to put out a chatter post every now and then.
Now if you want to learn more about all things Salesforce admin, go to admin.salesforce.com to find more resources. And as a reminder, you love what you hear, be sure to pop on over to iTunes, give us a review. That helps other admins find us when they’re looking for something to listen to. So, you’re helping other admins by giving us a review, I promise. And you can stay up to date with us on social for all things Salesforce admins; we are @SalesforceAdmns on Twitter. You can find our guest host, Laura Pelkey, on Twitter, she is @Laurapelkey1. Of course, I’m @MikeGerholdt on Twitter. And Gillian is @Gilliankbruce.
So that, stay safe, stay awesome, and stay tuned for the next episode. We’ll see you in the cloud.
Gillian Bruce: Tadaa. Yeah, I’ll take a drink of water too. It sounds good.
Mike Gerholdt: Oh, it’s coffee.
Gillian Bruce: Yeah. I could tell by the way you sipped it. Because there’s like with coffee, you always do a little bit of like a Slurpee thing. Because it’s still a little hot.
Mike Gerholdt: Even if It’s not hot, I think you have to do the Slurpee thing.
Gillian Bruce: It’s just the way you drink coffee.
Mike Gerholdt: Yeah.
Gillian Bruce: I wouldn’t know. I don’t drink coffee because God knows what that would look like. Hi, my name is Gillian and I love coffee.
Mike Gerholdt: I know. There would be no periods in your sentence and exclamation points in between every word.
Gillian Bruce: Yeah, it would make transcribing a podcast very difficult.