This is a continuation of our discussion with Charlie Johnson from Flagstar Bank in Michigan and Andy Max from First National Bank of Omaha, and their efforts around integrating Salesforce.com within their banks. Because we just let them talk, we ended up with about 90 minutes of gold.
This is part three where the guys talk about “the cloud”, getting along with their internal security teams and evolving as bankers.
Andy and Charlie both agree having an open and on-going conversation with your security team is essential for a smooth and useful Salesforce implementation.
You can jump back in time to catch part 1 (implementation) or part 2 (social listening) of this Salesforce master-class.
In order to do all of this, I mean, you really do need to be able to fully leverage a platform, like Salesforce or other CRMs out there. We just happen to use Salesforce, which, I wouldn’t want any other platform than that one to work on.
In order to do so, and have a lot of your private information in a cloud environment is one issue I know, that Finserv and lots of financial institutions are going … as far as … in order to get a Radian6 and fully use it we need some NPPI (Non-public personal information) out there in the cloud. There’s lots of hesitations around that. Not so much from the business standpoint but for sure from the consumer standpoint, and putting that information outside of our firewall anymore and then being able to leverage it in the most meaningful way, we kind of have to jump that hurdle first before we can go through and fully get the full value out of two of like … Radian6 and being able to listen in the service cloud, right?
That’s one thing that we’re working through right now and we hope to jump that hurdle here yet this year. I was curious if maybe you could elaborate on your story, as far as getting some of your NPPI out there in that cloud environment.
I’m curious to hear about yourself too from the finance perspective and the background. Certainly those… many of those numbers are company PII (Personally identifiable information) and so being able to bring that into the platform… it’s in the cloud, right? If it’s in the platform it’s in the cloud and there’s … the funny thing is we invented this term or maybe Salesforce did or whatever, the industry did, of “the cloud”, right? The truth is we’ve been doing… and it’s funny because you tell people, well, it’s in the cloud and many people literally physically look up and you’re like, no. (laughter) It’s going to rain the data from above. It’s funny how people do actually look up, physically.
The reality is we’ve been doing remote server access to a remote site for 20 years. This really isn’t new. The concept of multi-tenancy in a single environment, that’s the new part, right? And how it’s delivered and the pricing methodology and the licensing and what not. That’s the real magic. Love Salesforce and love the cloud and I’ll tell you, there was a lot of concern. We’re in the finserv business, we deal with a lot of traditionally very conservative mindsets and absolutely reputational risks with data. God forbid if there’s ever a breach of any kind, even if it may be completely non-useful, if it’s first names and last names, information that is public in a phone book, a report of a breach has to be reported from a regulatory perspective and it can be disastrous to a finserv reputation, an organization’s reputation so you’ve got to be very cautious. The reality is we put Salesforce through the wringer, I’ll tell you, through the SAS 70 and SSAE 16 and SOC2 Type II, we took them through every review at every level that we could possibly get to at that time and of course every year we do a major class 1 vendor risk management review of all of our vendors and we go through all of this again.
We actually went to the point of going to San Francisco. Salesforce has their entire security book and protocols book in a room in San Francisco, you’re not allowed to take anything in with you, you cannot remove the book, it’s not in a digital form of any kind. You have to sit in this sterile room and observe it and review it but we’ve gone that far, and the reality is with the amount and the vast value of data that Salesforce holds, they’re spending more on data security, truthfully, than we ever could, just because of the scale that they’re dealing with.
I wouldn’t say that they’re more secure than our internal servers but I would say that they are equally as secure, at least to the satisfaction of our CSSO (Chief Computer System Security Officer) and our internal security folks so it took some time to get them to reach a comfort level that we could take some PII into the cloud. Depending on how you define PII, again, first and last name can be defined as PII but low-level PII, right? We get up into the social security numbers and account numbers and balances and loan numbers and things like that, then you’re talking Class 3 high level PII that you really need to be concerned with. Some of our integration strategies we worked around some of the nervousness, I guess you would say, such as our integration with … well, what’s now Salesforce Marketing Cloud, or Exact Target. We’ve been on that for about seven years. Before that it was another digital marketing platform, I won’t go into who.
With Salesforce Marketing Cloud we don’t make copies of our data into what’s you know classically … and I’m sorry, I’m grandfathered in … the Exact Target platform. We leave all of our data inside of Salesforce and we send to Salesforce reports from Exact Target. There was some concern that hey, we’ve crossed that bridge, we’ve crossed all the T’s and dotted all the I’s from a Salesforce perspective. Do you really need to make another copy of all data and put it in another platform which then was a separate company in a separate server farm in a separate location? Do you need to make another copy of that? We went back with ET and kind of developed a … I wouldn’t say a custom integration but a different integration than their standard to where we left all of our data on … the only data that we moved into the marketing cloud or Exact Target at that time is any data that we were using in merge fields and communications and email and we’re not going to just drop … you know, we don’t send high-level PII through email.
We knew none of that was going to be part of it but merge fields like the first name or a last name or things such as that were okay.
We left all of our data inside of Salesforce and kind of changed our integration to calm some of the nerves and some of the heartburn that some of the conservatives had. That has now become part and parcel of the whole Salesforce integration. We’re just now getting ready to update our entire integration with Exact Target and we’re opening that up a bit and certainly the comfort level with the cloud and the security in the cloud is coming along. Then there’s things like Idrive hacks that occur and everybody gets all panicky again and we’ve got to go through another round of look, relax, that’s not the environment that we’re in and here’s…
Yeah, I always think when you ever talk about anyone’s health or wealth, those are the two most important things to a lot of people so being in finserv and being one of those managing their accounts just like we talked, any breach would be fairly devastating.
When you’re introducing this negative word of cloud to your security officers … from the business side we see all of the value in this tool and how cool it is and how we want to use it right away and let’s get it all in there but we do have to be secure about it. I know that that is one thing that we hope to do more in the next year is engage our security teams more than just when we need something. Let’s make sure that we’re constantly getting in front of them. Just like you said, I don’t believe that Salesforce hides anything. Making sure that we’re up to date on the latest and greatest and that they are too. They pride themselves in this and if they ever had a breach, that really ruins their business model as well.
Being a big company like they are, you know and … you and I, at least, have sat down with security officers and fully understood what’s going on there and it’s very robust and impressive. From my standpoint not being an information security officer I’m all in but I don’t understand all of that stuff real in-depth. We hope to engage them more and make sure that they’re more part of the conversation all of the time instead of just when we need them and that’s one step that we’re going through here, not quite being as evolved as Flagstar is today.
From the start, I wish we would have had this conversation started four years ago instead of just recently this year. That’s how we live and we learn and I think one piece of advice that I’d give out is that, and just to make sure that … when we looked at Salesforce we looked at it at its most basic functionality as a CRM and being able to use it as just a CRM. They get pegged that way and they’re so much more than that as you can attest to and as you’ve already shared today with Marketing Cloud and Radian6 and there’s just so much more out there. I would say make sure from the beginning that you’re thinking bigger than CRM and you’re engaged with your information security team throughout the whole process as well.
That’s one thing that I really wish we had a stronger relationship with them today to make a lot of these conversations not always in the catch-up mode. I’d always wish we were both always up to date and fully understood. What we want to do and then how they can help us get there and be confident and comfortable with getting those things done.
Absolutely. That’s an absolute key word, “comfortable”. Sometimes you can’t … if you were as secure as many of the IT security people want you to, you’d never accomplish anything, you’d never be able to integrate to anything. Everything only sits on the server downstairs… so there’s levels of compromise and there’s levels of risk and there’s acceptable levels of risk and manageable levels. As you’re saying, having that dialogue, not a conversation which is a now-and-again engagement but an ongoing dialogue with the teams that you know are going to be touched or going to be influenced with Salesforce is absolutely … and that’s one of those things that I wish we would have appreciated the value of in the beginning because it was. It felt like it was this constant, hey we need this, no you can’t have this, well, prove why you need this and then prove to me that you can handle it, and what is the risk. It became this back-and-forth reoccurring engagements and now we’ve settled into this, hey, we’ve got a rhythm and a cadence of review and compliance review and understanding and re-review and making sure that they’re all certified.
We’ve got different teams and pieces of the organization that are responsible for making sure that we’re constantly aware and current of what’s going on, that where when we make a request of hey, I need to move this data over and here’s how I’m going to use it and we’ve built that level of trust, I guess, that we’re aware of why they’re so concerned. It’s funny because I tease them, I tell them they’re all paranoid schizophrenics.
And they tell me, yeah, and you’re just a flesh-pressing, flashing teeth golf and sales guy and I’m like no, no I’m not, I’m part teeth, part salesman.
Our security folks have to be aware of not only our technology but all of the technology that’s connected to our technology and be concerned about that. I respect the position that they’re in and I have a better perspective. I guess I’ve become… I am the one who has really evolved. Now I understand the level of concern they have to have and why and that’s … as you say the planning, knowing where you’re going.
That’s some of the stuff that I… 10 years ago when we started this we used Salesforce implementation services to integrate with and so I wish I… standing today looking back then, I’m like, I could have done that. Of course, at the time it’s all new and it’s all fresh and you’re just learning and the platform itself has evolved so rapidly and so many things are so much easier now than they were before. From the new Lightning Connect and Lightning Experience, the ability to connect to different data elements and to pull data either in a… you know whether it be a resident or transient data so that you can pull data to look at it and view it and report on it and make decisions on it or take action on it but you don’t actually have to write it. It doesn’t have to land in the cloud.
Now I have the ability to reach and touch and leverage different data that, again, maybe security isn’t comfortable with moving that into the platform or it’s such a big pool of data that, hey, I only use it now and again, it’s not really efficient for me to move all that over just to do these one-time uses but now I can temporarily use data and drop it back and forth and the tools are moving so quickly. You don’t want to be overwhelmed and that’s again on the marketing strategy side that I talked it to but you don’t need to sit down and think hey, I’m going to boil the ocean from the jump here or you get overwhelmed and you kind of vapor-lock and you struggle moving forward. I guess I tell folks, hey, it’s okay to dip your foot in the pool but you need to have some concept of the size of the pool that you ultimately want to be swimming in.
The post Getting Comfortable With Salesforce and Living in the Clouds appeared first on PrecisionLender.