Data breaches reached an all-time high in 2023, affecting more than 234 million individuals, and there is no sign of the trend slowing down. At the center of this challenge is how organizations allocate resources to safeguard customer data. Much of that data lives in customer relationship management (CRM) platforms such as Salesforce, used by over 150,000 U.S. businesses, yet security blind spots within Salesforce orgs (over-privileged profiles, unreviewed third-party packages, integration users with broad OAuth scopes) continue to pose significant risk. To address these concerns, the National Institute of Standards and Technology (NIST) offers a strategic framework that Salesforce security teams can build on.
In February 2024, NIST released Version 2.0 of its Cybersecurity Framework (CSF), the first major revision since the framework's original 2014 release (Version 1.1, in 2018, was an incremental update). Key changes include a new "Govern" function, a consolidated set of categories and subcategories to simplify use, and updated "Respond" and "Recover" functions to strengthen incident management. The framework is now explicitly aimed at organizations of every size and sector, not just critical infrastructure.
For Salesforce security leaders, these changes affect how they manage security, from aligning Salesforce practices with enterprise risk strategies to strengthening oversight of third-party apps. Here is how these updates influence Salesforce security going forward.
What is the NIST Cybersecurity Framework 2.0?
The NIST Cybersecurity Framework, first published in February 2014, was developed in response to Executive Order 13636 (2013), signed by President Obama, which called for a standardized set of voluntary guidelines to improve cybersecurity across critical infrastructure.
The framework’s objectives include:
- Improving cybersecurity risk management: Assisting organizations in understanding, prioritizing, and communicating their cybersecurity efforts.
- Providing a common language: Facilitating cross-industry communication on cybersecurity risks and mitigation.
- Enhancing resilience: Ensuring organizations can respond effectively to cyber incidents and restore operations swiftly.
- Supporting flexibility: Enabling organizations to adapt the framework to fit their unique risks, sectors, and technologies.
CSF 2.0, released in 2024, builds on the original framework and gives organizations structured but flexible guidance for managing cybersecurity risk. It is built from three components: the CSF Core, CSF Profiles, and CSF Tiers.
Key Components of NIST Cybersecurity Framework 2.0
These components help organizations understand, assess, and improve their cybersecurity posture, forming the basis for risk-informed strategies that align with organizational needs and the evolving threat landscape.
- CSF Core
The CSF Core outlines high-level cybersecurity outcomes, organized into six Functions (Govern is new in 2.0; the other five carry over from earlier versions), each broken down into categories and subcategories:
  - Govern: Establishes the organization's cybersecurity risk management strategy, expectations, and policy, including roles, responsibilities, oversight, and supply chain risk management.
  - Identify: Focuses on understanding the organization's assets, suppliers, and risks.
  - Protect: Implements safeguards (identity and access management, awareness and training, data security, platform security) to secure critical assets.
  - Detect: Facilitates timely detection and analysis of cybersecurity events.
  - Respond: Ensures effective incident management, analysis, and communication when an incident occurs.
  - Recover: Supports the timely restoration of operations after an incident.
- CSF Profiles
Profiles are a customized way to assess and communicate cybersecurity posture by selecting the Core outcomes that matter to a specific organization. In 2.0, an organization builds a Current Profile (the outcomes it achieves today) and a Target Profile (the outcomes it intends to achieve); the gap between the two drives the action plan. Community Profiles capture shared goals for a sector or group of organizations with similar risks.
- CSF Tiers
The Tiers characterize how rigorous an organization's cybersecurity risk governance and management practices are, ranging from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). NIST frames the Tiers as a description of rigor rather than a formal maturity model with levels to be climbed in order; use them to describe the current state and to pick a target state that fits the organization's risk appetite and budget.
Key Updates in the NIST Cybersecurity Framework 2.0 and Their Impact on Salesforce Security
The 2024 updates to the NIST CSF offer guidance that Salesforce security leaders can use to align their strategies with evolving cybersecurity risks.
- Introduction of the "Govern" function
The new Govern function makes the integration of cybersecurity with enterprise risk management an explicit outcome. For Salesforce leaders, this means Salesforce security can no longer live solely with the admin team: roles, responsibilities, and policies for the org must be defined, documented, and reviewed on a schedule. In practice that includes deciding who may hold administrative permissions such as "Modify All Data" or "Customize Application", who approves new AppExchange installs and connected apps, and who reviews the Setup Audit Trail.
- Expanded focus on supply chain risk management
CSF 2.0 places cybersecurity supply chain risk management inside the Govern function (the GV.SC category), a crucial point for Salesforce environments, which commonly run a mix of AppExchange packages, connected apps, and custom integrations. Managed packages execute their own code inside the org and can request broad permissions; connected apps hold OAuth tokens whose scopes define what an external system can read or change. Security teams should maintain an inventory of installed packages and connected apps, confirm that AppExchange listings have passed Salesforce's security review, restrict the OAuth scopes and IP ranges of each connected app, and give integration users dedicated, least-privilege permission sets rather than a system administrator profile.
- Broader applicability across sectors and technologies
CSF 2.0 is written to be technology-neutral, so its outcomes apply equally to cloud services and emerging technologies such as AI. Salesforce security leaders can apply the same outcomes to the platform's AI features and to data flowing into and out of them, for example by asking which objects and fields an AI feature can read and which users can invoke it.
- More actionable resources
NIST has introduced companion resources, including Quick Start Guides, Implementation Examples, and mappings to other standards (Informative References), to help organizations put the CSF into practice. Salesforce teams can use these to map platform-specific controls to framework outcomes: Security Health Check settings and multi-factor authentication under Protect, Event Monitoring and login history review under Detect, and Setup Audit Trail review under Govern and Detect.
- Improved integration with other risk management programs
The framework now aligns more closely with enterprise risk management, so cybersecurity risks are viewed as part of the organization's broader risk picture. For Salesforce, this means reporting org-level risks (such as unreviewed packages or excess administrators) through the same channels as other business risks, which makes executive buy-in and resource allocation easier to obtain.
- Refined profile and tier structures
The Current and Target Profile structure, together with the Tiers, gives clearer guidance for assessing and improving security practices. Salesforce security leaders can use it to benchmark current controls, define a target state, and build a roadmap that closes the gap in priority order.
- Enhanced focus on continuous improvement
Recognizing that threats and platforms change, CSF 2.0 encourages organizations to reassess and improve their posture continually. For Salesforce, this is especially relevant because the platform ships three major releases a year, each of which can introduce new security settings or change defaults; security reviews and Health Check baselines should be revisited after every release.
Implementation Strategies for Salesforce Security Leaders
To incorporate CSF 2.0 into Salesforce security operations, leaders should:
- Integrate the Govern function into Salesforce governance: define who owns org security settings, who approves package and connected-app installs, and how often administrative access is recertified.
- Strengthen supply chain risk management for third-party apps integrated with Salesforce: inventory packages and connected apps, verify AppExchange security review status, and restrict OAuth scopes and permission sets to what each integration needs.
- Leverage NIST resources (Quick Start Guides, Implementation Examples, Informative References) to map Salesforce-specific controls to CSF outcomes.
- Align Salesforce security with enterprise risk management so that Salesforce risks are tracked, reported, and funded alongside other business risks.
- Assess Salesforce security practices using the CSF Tiers and a Current/Target Profile pair, and aim for steady, measurable improvement rather than a one-time audit.
- Promote regular assessments and incident response readiness, including runbooks for Salesforce-specific scenarios such as a compromised integration token or a malicious package.
Conclusion: Embracing NIST CSF 2.0 to Strengthen Salesforce Security
The 2024 NIST Cybersecurity Framework updates offer practical guidance for Salesforce security leaders. By adopting these practices, organizations can strengthen data protection, improve incident response, and protect business continuity, all of which are critical for those relying on Salesforce to manage sensitive customer data.