[1:30] We're three minutes in, should we get started? I think we should. Um, let's see, I can kick us off. So welcome in everybody. Thank you for taking the time to join us today. First off, I'd like to give everyone a round of introductions for who you'll see speaking on today's call. My name is Sydney Malkahi, I'm the director of product marketing here at Flosum. I will be one of our hosts today. And I am joined by the excellent Joe Morris, vice president of solution engineering here at Flosum, as well as Mike Finan, account manager of the federal space. So we thank you all for joining. Um this conversation will be about the trust framework for regulated industries. And this framework is a new way that we're hoping you can use to help simplify Salesforce data compliance. Um today's conversation will be uh around a couple of different areas that will be of interest to you. So first and foremost, we'll talk about how Salesforce has really evolved in a um to be such a truly strategic platform and why that matters for compliance. Then we'll go through and we'll introduce the trust framework to you all, walk through what it actually means in practice, how you can use it. And from there, we'll apply a compliance lens to each of the pillars of trust for you to keep in mind, depending on your requirements, and finally, we'll wrap up by talking about how organizations are putting trust into action today. So Joe, you can go ahead and move on to the next slide. Yeah, let's uh, Mike, why don't you and I say hello really quickly uh, like Sydney mentioned, I'm Joe Morris, I lead our solution engineering team. I'm also a long-time Salesforce veteran. I've worked there at the Mothership for a good long time, over a decade and have seen this evolution over time. Uh, it's just in recent years where regulation and compliance has become front of mind, and that's why I'm thrilled to be joined by Mike Finan. Mike, do you want to take a minute and introduce yourself?
Yeah, thanks Joe. Hi everyone, Mike Finan. Um, I've been working with government clients for the last 15 years. Um, at all levels of government, state, local, and federal. Um, I've seen across all breadth of types of agencies from the Department of War, to national security, to law enforcement, to citizen service agencies that you think of such as IRS. Um, so long time working with government clients on IT modernization projects, um, and digital transformation projects. Excellent, thank you, Mike, and I think this topic is timely and interesting given what we've seen happening out there in the Salesforce ecosystem this year. But let's take some time and go back in time, I guess.
[4:11] Um, we want to talk a little bit about the evolution of Salesforce and how it's become more capable and more interesting, touched more parts of any organization, whether it's in the private sector or public sector, and what that means for uh, the folks running Salesforce and the people that they meet. So, I was lucky, I joined Salesforce way back in 2009. Back in those days, it was pretty simple. We were selling it departmentally to uh facilitate enterprise sales, to facilitate enterprise customer service. Uh, you could customize it mostly to those ends, and there was a collaboration layer in it there. So it was only touching certain departments in a business. It was important and revenue impacting in those days.
[5:06] But over time, uh Salesforce customers, SIs and others in the ecosystem took that platform and did amazing things with it. They started building apps that touched parts of a business that most of Salesforce never even anticipated. So really, if you think about where we are today and the evolution of the time in between there, you now have a gigantic platform with lots of moving parts for it. Lots of starting points for industry use cases, and that includes public sector and financial services, and health and life sciences, manufacturing and a billion other capabilities. Um, there's other tools in there that give you not only starting points, but ways to integrate with other systems, ways to put agents in front of people to make decisions, ways to automate processes. Uh, engagement on multiple channels. So the Salesforce platform has only got bigger, and as part of that, uh, it really touches more parts of a business, whether it's a large business or a small business, a large Salesforce practice or a small Salesforce practice. And so Salesforce has become more and more important.
[1:00:08] It's touched more important and bespoke parts of a Salesforce of a of a customer's business. And I think what we want to think about this is of a bespoke CRM has now become the norm with Salesforce. I mean, who buys Salesforce and doesn't customize it? Who buys Salesforce and doesn't get it into every business process that they can in order to get the maximum value out of it? So in this context, uh, I think we want to think about who's using Salesforce and the departments that are using Salesforce and absolutely rely on it. In the early days, in my early days, we're 2009, if it was sales and service, that was one thing. But these days your marketing department is touching Salesforce, your business analysts and other types of analysts are touching Salesforce. Your customers are using Experience Cloud and Omni-Channel and other things to touch Salesforce. Your partners are involved with Salesforce, whether that's via direct data feed or interacting with a partner portal built on Experience Cloud. Salesforce is also touching systems of records like ERP, payment processors, identity and access management, supply chain tools, contract tools and and a ton of other custom integrations that are facilitated by one-off integrations, pre-built integrations and platforms like MuleSoft. So what this really means is that your Salesforce has grown in its organizational reach. It's handling mission critical processes. It has potentially very sensitive and customer important and mission critical data as well as process in it. And that means it's going to get more and more attention. Uh and that means that you're going to meet more and more people as we'll talk about in a little bit. But think about it this way, if you want customer data, it's in Salesforce. If you want an agreement with a key partner, it's in Salesforce. If you want to engage in a business process, it's in Salesforce.
It's just that has a ton of really interesting implications that I think we need to think about. Now, let's put that in the context of the businesses and organizations where Salesforce is being deployed. Uh, financial services was a very early, very successful vertical for Salesforce, as was healthcare. Uh both payer, provider, medical device and many others. And these are very highly regulated industries. And financial services, you'll see self-regulation in the form of FINRA, you'll see federal regulation at the SEC, Federal Reserve, CFTC and many others. There are industry standards for payments like PCI. Over in healthcare, you have lots of relevant frameworks and by the way, this is very US-centric, we get it. But there are much, there are very much equivalents in other jurisdictions and other ideas, but healthcare in the US is governed by HIPAA, which governs patient privacy and the portability of healthcare records. The FDA may regulate medical device information, and uh it may regulate drug interactions and drug trials. There's also a thing called the HITECH Act in healthcare. Lots of different industry specific regulation. And Mike, in in your sector, you deal with the need for FedRAMP compliance, NIST CSF and FISMA a lot too. And so when you get into public sector, you have your own set of regulations that apply to that industry too, right? Yeah, that's correct. I would say another one and we'll talk about this in a bit is FOIA, which is a whole another compliance and one one we'll touch on with transparency. Exactly. And that's something that you may have to do to produce things from Salesforce, which I think is timely because there are cross industry standards you have that do very similar things. So just about every industry that every organization does business in the uh in the EU has to comply with GDPR.
California has a very similar regulation and what's similar there is that similar to FOIA, under GDPR or the California Privacy Act, you can, you have to fulfill requests to produce and request to forget and request to delete information for consumers who demand it. Uh, lots of things that'll govern across industries. Everybody in the US is thinking about SOC 2 as well. The great financial crisis taught us the importance of uh regulating and monitoring and creating resilience in the systems that underpin a business because of some of the things that happened in the uh great financial crisis with uh Enron, Arthur Andersen and other organizations like that. Uh, there's also SOX compliance, which is really organizational resistance. So compliance is a multi-faceted thing that can be very industry specific, can be jurisdictional specific, can be cross industry, I have a whole lot of others. And I think our European folks on the call will probably give me about 15 other logos here that uh that we could put on there. It's complex. And so if we think about that as it applies to Salesforce, a lot of times if you start with Salesforce departmentally, let's say as a sales tool or customer service tool, you don't always have to think about those things. But as Salesforce grows in importance, as the regulatory footprint grows, you're going to meet new people. You're going to meet people like legal. You're going to meet people like compliance, you're going to meet others, and you're going to have to start treating Salesforce a little bit differently. Both from a protection perspective, a deployment perspective, an auditability perspective, and several other ways. So, you know, at the end of the day, you need to start thinking about these things from the minute of your deployment with Salesforce now, and that creates additional complexity. So I I think we'll step back to Dr.
Gonzo and uh, Raoul Duke here and as your attorney, we advise you to keep records of everything you do in Salesforce and make sure it's all protected and get to know the folks in compliance, legal and other departments, right? Yeah, absolutely. So this idea of of compliance, it's much more than the tooling that you bring on. It's really the shift in mindset. It's really this operating model. And what that entails is this ongoing collaboration between everyone in your org. So your Salesforce teams, security, compliance, legal, leadership, the tools, they they matter, but without shared practices, and without clear ownership, alignment, the tools alone might create the sense of false confidence. And this idea of sustainable compliance really requires alignment. That's the bottom line, not just technology. Yeah, thanks, Sydney. I think that's absolutely critical. And and when we surveyed our customers and came up with this realization, we realized it mirrors something that we see in our customers' DevOps operations. Because DevOps itself and DevSecOps is very much about process and culture and process and relationships, having an operating model, right? And when we came up with kind of the common patterns that we saw, um, that's where we came up with this idea of the trust framework. And Sydney, I'm going to leave it to you to kind of define the trust framework and Mike for you to make some commentary on that, and I'll chime in as we go. Amazing. Thanks, Joe. Um, you can flip to the next slide, and we'll talk about what regulated enterprises actually need. So this idea of of trust comes from um regulated organizations not needing another checklist, right? We we're busy, there's lots of uh regulatory, um, you know, hurdles to to overcome. And the last thing we need is something else on our plate. They don't need another point solution, we don't need another to-do. What we need in the regulatory industry is is a framework.
And again, this goes back to the idea of alignment, a framework that is aligning people, process, and technology. And what we have uh designed here in Flosum is this idea of of trust, um, a framework that can give you the starting point for that framework that you can then use to align the rest of your team on. And Joe, you can flip to the next slide, and we'll show you the trust framework at a glance here. So, what we've done is broken this framework out into five pillars, one for each of the letters in trust. And trust overall is what we like to think of as a practical starting point for Salesforce data compliance. It, the goal of it really is to help organizations understand where they are before deciding how to go deeper. So again, this is kind of just this idea of dipping your toes in the water, figuring out where the gaps are in your existing process, and then deciding where you need to fill those gaps. Uh where you need to build more of a comprehensive data strategy plan going forward. So the five pillars that you'll see here on the screen are transparency, resilience, unified governance, safeguards, and technology, and all five of these pillars operate within a layer of privacy and compliance, which we will talk about um pillar by pillar. You're welcome to go on, Joe, and we'll talk about transparency first. Um, these next couple slides will be diving into each one of the pillars in a little bit more detail, and most importantly, how you can use them today. This idea of transparency is about knowing where your Salesforce data and metadata live, how they change, and who touches them, at all times. Now, without visibility, leaders can't manage risk. They can't see. Audits start to slow down, incident response becomes reactive instead of proactive, and confidence grows across teams. And you can't put a price on something like that. Now, here's a simple test that I'll pose to the group.
If you were asked to explain your Salesforce security posture to an executive tomorrow, could you do that? You'll see up on the screen, we have a couple of other quick check questions that you can ask yourself around this idea of transparency, as it relates to your data compliance strategy. But I wanted to pass this off to Mike now because he can talk about transparency through a compliance lens. There are a very specific set of of of questions of requirements that compliance will require for your organization. And I want to pass this now over to Mike to talk about transparency from um from that lens, from that point of view. Thanks, Sydney. Yeah, uh, I mean transparency, I would say, with data being the lifeblood of any enterprise or government agency, from where I see, um, is critically important. And one thing we show here in these slides is internal transparency, knowing where your data is, who's using it, how they're using it. But you also have to have external transparency, and that's critically important if you think about what government agencies do. They are providing citizen services that need to be trusted. And if they can't explain how the data is being captured, collected, guarded, and used, it's hard to get citizens to adopt those services putting the whole project and investment at risk. So transparency transparency is key, um, within the federal agency and is a great foundation for this trust framework. And Joe, anything you'd like to add here? You know, I think we can put it in terms that the average Salesforce practice understands. Um, there are things that you don't know you'll need to get out of many times. You want to spend your time building things that matter to your users. I guess you could say that we Salesforce Devs are Tron pill. We fight for the user, to use an old reference. But at the same time, in order to keep doing that, we have to stay ahead of these things. 
And so this is really a proactive way to handle those things and handle those relationships to free us up to realize value. The opportunity cost is real in this. And so we wanted to spend time with our customers and Flosum, understand how they think about uh regulatory compliance, protecting their systems, creating redundancy, and doing other pieces. And I think Sydney, the key insight we came to is that really compliance is really about collaboration, having an operating model, just as much as it is about process and tools, right? Do you want to talk a little bit about that? Absolutely. So, ultimately, there's got to be constant attention paid to these systems and how they're used. Do you have enough safeguards? Are you putting laser focus safeguards in place for what you need? Uh, but to get there, maybe you need to ask yourself a few key questions. And I wanted to put this in three columns and I want to welcome Mike and Sydney to comment on these. Uh, first things first, data protection, are you backing up your Salesforce data and that means more than just your weekly export. Do you really have the ability to recover that Salesforce data? So, what recovery point can you achieve? If if if some rogue integration or uh or user action killed data in Salesforce. How far back could you go? How granular could you get in restoring that data? Can you get, you have to go a month back when the problem happened a day ago? That's really what a recovery point is. Do you have data sitting in Salesforce that really shouldn't be there? Either from a piece of PCI, personal information or protected health information perspective, or stuff that's just sitting there that could create a risk for you either through civil litigation or through outdated customer information. Give a way to remove that. And ultimately, have you practiced putting data back into Salesforce or recovering from a data corruption event or data loss event? Have you run that drill? Have you run the simulation?
Do your people know how to do it? Do your people know the steps to take? Um, when it comes to Salesforce releases, I mean, measure your mean time to change, I mean, what is your mean time to change? Can you measure it today? If somebody puts in a ticket for something new and it goes through and people build it and put it out there and it gets security reviewed, how long does that take? If you make a deployment that doesn't work, well, how long does it take you to get that service back to where it was before you did the deployment? Do you have to roll the whole deployment back or can you just roll the weird parts of it back? And how long does that take you? And related to that is how frequently are you deploying to Salesforce? Are you doing a bunch of small changes at once or one big change at a time? Neither of those is right or wrong, but they do have implications for how you recover from something with the Salesforce when a Salesforce release goes along. And lastly, I think I should probably should have put this first. Can you prove to the auditors what you deployed to Salesforce when? Because that's potentially discoverable in civil litigation, regulatory situations and others. And then finally, let's talk about the proactive piece of this, your security posture. Have you defined what you think is secure in Salesforce? We've all seen things with profiles, permission sets, connected apps and other pieces. What's dangerous? What should it be? What's your ideal state? And as you do your DevOps, is that changing your posture related to that ideal state? Uh, some of the ways you can measure that are vulnerabilities reported and fixed, but that's only capturing what you know about. And so expanding that footprint of what you know about by defining your security posture and monitoring is a critical piece of that. And then ultimately, I'd ask where were the vulnerabilities caught. 
And by this, I mean, were they caught in your sandbox or did you catch them in production when they were already in front of your users and potentially your end customers, right, with the sensitive data of it. Uh, so I like to be provocative. I'd like to make people think about these things. And these are three areas of this, but Mike, I'm curious how this aligns with what you've seen over there in the public sector. Yeah, and I would just want to kind of reinforce something you said, Joe, and harp on this a little bit is to drill your team when talking about data protection, is to drill your teams under different scenarios when you have a data loss event. Um, a plan is only as good as it can be executed, and if your team doesn't know what to do when the time comes, you're just going to add to the chaos, add to the negative impact of the event and add to the overall cost. So being able to drill your teams, be prepared for when that oh shoot moment happens, um is critically important. So I just wanted to to hammer home that a little bit. That's just it. Like I think if we take a military analogy for there, no plans survive first contact with the enemy, and the enemy here is bad changes and data corruption. And so being drilled in that, you'll be used to the routine, and your organization will have the bandwidth and mental fortitude or mental preparedness to deal with the unexpected when that happens, because the unexpected does happen. Yep. All right, Sydney, you wanted to cover some key takeaways here. Absolutely. So, ultimately, the key takeaway is this. Trust transforms compliance from a blocker into confidence. So, framework before tools, continuous, operational compliance, alignment across teams, and technology that reinforces your strategy and doesn't build it. 
We don't want to to build that foundation off of the technology, because as we know, um things are always shifting, the industry is always advancing, um and and we never know what tomorrow or or next week will bring in the way of technology. So, by having this internal alignment with your team, by having this framework that you can really, uh, feel confident around this this very transparent, this aligned way of thinking, it doesn't matter really what technology you use, in the grand scheme of things. It's about setting that groundwork for that technology to to enhance what you're doing. Anything else to add, uh, gentlemen, on that before we move on? No, I just think it's dead on, Sydney. I mean, the technology is a tool. You need the technology, because it it increases the manpower, human power and lets you look at more. Amazing. So we do have some next steps that we'll talk about here, um, after you are are done watching this webinar, or um after you've passed this along to your teammates. So first, like I mentioned, try to use trust to assess your current posture. These five pillars, if you ask questions relating to each of the pillars, they'll help you to identify some of these gaps early before they matter the most before you're forced to ask the questions. And then from there, you can start exploring some solutions that align with that framework, whether it is in taking small steps today, or in having a more comprehensive conversation with someone who can help you get there. We have also included a white paper if you'd like to go deeper. I'll drop the link in the chat and you can also find it on our website under our white paper repository. And this white paper goes over all the concepts that we discussed today, and it's a really great piece of collateral to share if you're working on building a business case with other team members for a stronger data compliance strategy. So we highly recommend you download that. 
If you have questions on that, certainly reach out, but that will just highlight all of the important concepts that we talked about today. Absolutely. Well, thank you all for joining. Joe and Mike, thank you very much for your time. Great conversation today. And um, like we said, please do reach out if you have any further questions, but we will call that, um, the end of our webinar today. Thank you very much, you'll receive your recording via email, and as always, any questions, please do reach out. Thanks all very much. Take care.



