By the end of its fiscal year last Jan. 31, Salesforce managed to convert approximately 80% of its monthly active users — about 14 million in total — to multi-factor authentication (MFA) or single sign-on (SSO) for all of its login activity.
It’s a feat that Ian Glazer, Salesforce’s SVP of identity product management, credits in part to a strong internal and external communications strategy that set clear expectations for future identity and access management adoption while building trust among involved stakeholders.
Salesforce’s previous effort to get employees to adopt more secure authorization practices was a much simpler process. The San Francisco-based customer relationship software provider was able to enroll 95% of its workers into an MFA program in less than 48 hours, said Glazer while leading a keynote presentation at CyberRisk Alliance’s Identiverse conference in Denver this past Tuesday.
But businesses know it’s a different story with customers — be they individuals or corporate clients — because they can be resistant to change, especially if it introduces friction into the user experience.
Hiring members for project team key to requiring customers to use MFA
That’s why when Salesforce’s CISO in autumn 2019 announced an ambitious plan to require customers across the company’s 10 corporate business units (aka “clouds”) to use MFA when signing into their accounts, it was going to be important for Salesforce to develop a strong internal vision for what customer IAM would look like, and then coherently articulate that vision to clientele across multiple touchpoints.
Adding the right hires to your project team can help a lot with this challenges, Glazer noted.
For instance, Glazer recommended IAM project teams bring aboard a technical writer who can translate complex concepts for individuals who aren’t savvy in technology. Ideally, this writer will craft just the right message so that users ultimately understand that the secure login process is in their own best interest.
“You hire the best tech writer you can ...” said Glazer. “Why? Because in the second and third acts, we're going to need to communicate a ton of things to people that don't normally do identity stuff. And you're going to need time for [them] to come up to speed.”
Glazer also advised hiring a data analyst who can evaluate and communicate IAM customer usage trends. “You're going to want to slice and dice your actual data. You're going want to know [things like:] ‘This region in this industry — we're not getting great adoption. We need some traction. … Or we can say, ‘Look, let's give kudos to this cloud because they've actually hit their numbers,’” Glazer explained.
Interestingly, when hiring a program team for this project, Glazer did not recruit individuals with experience in identity.
“This made me very, very nervous. I thought this is going to be a real detriment to the program. I was worried that my teams were going to spend all of their time talking about the basics of identity and MFA and SSO to the program team and not doing the real work,” said Glazer.
While Glazer was correct that the identity team would need to spend ample time getting the programmers up to speed, it turned out this was actually the perfect dress rehearsal for communicating the same concepts to members of the customer base later on.
“All of those conversations were foreshadowing the conversations we needed to have with our customers,” said Glazer. “So having a program team that is staffed with non-identity people — that's a feature, that's not a bug, to run a really successful program.”
Using its No. 1 value to get managers on board: trust
Next up was convincing the general managers of the 10 Salesforce clouds/business units to get on board with the program.
“That is not an easy message to deliver, and needless to say there was some resistance,” said Glazer. “Here's the thing, though — we had a secret weapon. Trust is our No. 1 value in Salesforce. [And] because the MFA was trust work, it basically goes to the front of the line in terms of things that have to get done.”
Once the GMs understood that this project aligned perfectly with the company’s core value of trust, they were more easily persuaded and the walls of resistance wore down.
Eventually, it was time to introduce the new policy to the Salesforce customers. Due to project delays, the company revised its initial timeframe and gave the user base an extra year to adopt — which was probably a helpful development, as customers had more time to acclimate to the idea of mandatory MFA/SSO. Still, they would need plenty of convincing, so a major communications push was necessary.
“We knew we had to get the word out everywhere and anywhere we could,” said Glazer. “Email campaigns, FAQs, microsites, videos, in-person events, virtual events. We put stuff in the apps. We even had teams of people calling … all our customers.”
These policy communications had to be clear and non-technical, without heavy identity-related jargon. “And so our writer really was the star of the show, along with the people carrying the message,” said Glazer. “Just as importantly, we listened back for the response. ... Our customer success group was meeting with customers all around the world, hearing about their concerns, taking feedback, dealing with escalations and analyzing their sentiment.”
Still, not everything went smoothly. Even successful projects hit unexpected bumps in the road, where lines of communication break down. For instance, according to Glazer, there had been some confusion over whether customers who opted to use federated SSO instead of MFA would still need to enable MFA for their identity providers. Ultimately, this was the policy the company adopted.
“[A] clarification had to be made,” said Glazer. “There was no turning back. … So we went back through all of those [communication] channels to clarify our messaging… MFA or SSO MFA.”
“From our customers’ perspective, we moved the goal posts. … We eroded trust.”
But Salesforce was able to overcome the occasional mistake and ultimately made great traction with customers, said Glazer, noting, “We've been rolling out the MFA program and we are getting feedback from CISOs who are loving it because we gave them an excuse … to go big with MFA in their organization.”
Glazer said that many of Salesforce’s larger tenants with 100 or more user accounts have been quicker to adopt, while smaller tenants have been more resistant to embracing MFA or SSO. He added that Salesforce will continue to work on getting through to these users “to slowly rise the tide, so that we can … ease them into using MFA, empathetically.”