Salesforce, Inc. (CRM) Earnings Call Transcript & Summary
June 19, 2025
Earnings Call Speaker Segments
Priya Kanjia (executive)
Great. Good morning, everyone. Hello, and welcome to today's session. Excited to talk you through Future-Proofing Your Data: Strategies for Management, Recovery, and Compliance today. Before we begin, we just want to share a few quick notes about our webinar platform. So today's webinar will be available on-demand after we wrap up, and you can access it through the URL you're currently on. Please note the slides will advance automatically throughout the presentation. And you can enlarge the slide or media player tool as well. If you need any help, just click on the Help widget and we've also provided some additional resources that are accessible through the resources window where you can find the related content we'll be talking about today. And lastly, we do encourage everyone to submit their questions at any time throughout the presentation using the Ask Question widget, and we'll definitely do our best to answer as many questions as we can at the end of the presentation. And with that, thank you again for joining us. My name is Priya Kanjia. I work in Platform Product Marketing here at Salesforce. In my life prior to Salesforce, I was an IT manager at one of our Salesforce customers and managing our compliance processes for Salesforce was a big part of my job. So this topic is very near and dear to my heart and excited to dive into it with all of you today. Before we begin, just a reminder that Salesforce is a publicly traded company, so please make all of your purchasing decisions based on products that are currently available. I just want to start off by saying thank you. We appreciate all of you taking the time to join us this morning. And I'm really excited to walk you through the topics and concepts today. Hoping everyone can get at least a few takeaways out of today on how to get started and what to be thinking about when it comes to data and AI for your organization.
So we're going to start off with an overview of just what's going on in the industry, what are we hearing from our customers and what as an organization you should be thinking about or could be thinking about when it comes to data management, your data recovery processes. And then we're going to get into some practical steps around considerations for our organization around how can we really get started with this and what's a good starting place for that. And then at the end, we'll take some time to answer questions before we wrap up. I'm really excited to have 2 amazing speakers from Salesforce with us today to walk us through the content. So Hamish is part of our Platform team here at Salesforce. He has worked in the cybersecurity industry for over 7 years, and we're lucky to have him come over to us at Salesforce from Own where he previously worked with customers in the region, focusing on data protection. I'm also really excited to have Kevin on as well. Kevin is a Technical Architect here at Salesforce. For the last 4 years, he was working across technical presales across APAC for Own. During that time, he helped more than 600 customers in this region take steps to improve their security posture. So with that note, we have some really great content. We have some really great speakers to walk you through everything, and I'll pass it off to Hamish to get started.
Hamish Ormsby (executive)
Fantastic. Thank you, Priya. Welcome, everyone, and thank you for tuning in today. So today, we're actually going to deep dive into something that's truly foundational to all businesses right now, and that's having an effective data management, security and recovery strategy. So our mission really is to cut through the noise and extract some actionable insights for you to take away. As we look around the business needs, there are a number of critical business challenges for all organizations right now, not only with managing increased data volumes but also the strategies that allow you to grow with confidence and not being impacted by the likes of aged tech debt, unforeseen costs from data storage while still meeting your compliance and regulatory requirements as well. So the actual consolidation but also the harmonization piece of your data sources is really critical. So that you, first and foremost, categorize and map your data effectively. And then you can start looking into data management policy frameworks, which are a really integral document to your organization. This helps you grow as a business. But the aim here is really to have the right information in the right place at the right time. As we start to look at emerging trends, there's multiple driving elements for all organizations right now, that's around managing costs that are going up. We're also seeing increased complexity around -- from an operational point of view, as you store more data on the platform. As you start to do that, you also start needing to manage your data effectively so you can be more preemptive around your system performance and making sure that it's continuously optimal as well as maintaining time to value, which is dropping because of these impacts. And then you need to start looking at your tech stack and how you can simplify the approaches there.
Often, when we look at simplification, it comes from removing the manual human element and delivering scalable tech through policy-driven automation. We actually see businesses lack a formal strategy typically and the percentage is around 34% of organizations surveyed actually report having a formal data readiness strategy, which is an integral part of the business and your operating systems. This shows that there's actually a considerable gap in how businesses today are proactively managing their data. When you're looking at analytics, nearly half of analytics, but also IT leaders actually admit having partial to no visibility or view of how their data is used across the business. And because of that, there's a really a lack of -- because you have got a lack of visibility, it complicates the way that your data governance is implemented, but also how you're proactive around risk management as well. So the first step you want to take for any business is to, first and foremost, have visibility. That's number one. So then you can start classifying your sensitive data effectively, you can apply appropriate access and security controls. And then you can start building a plan and therefore, control of your data. As we start to look at the various risks an organization has on an ongoing basis, there are a number of threats and risks that are either external. So you can look at malicious bad actors. You're seeing phishing attempts, which are continuously on the rise and are becoming increasingly more sophisticated as well. You can either look at internal threats. So whether various permissions are accidentally changed or altered, you're looking at BYOD as you see a large number of employees working from home, but also you might have a lot of people working on different sites as well. So these scenarios are actually changing, evolving and constantly looking at how you can put more controls into place. 
Alongside that, you've also got an array of compliance risk for not potentially meeting compliance obligations. A bit of a customer story from when I was at a previous employer. So we were actually running an evaluation of our threat protection capability. This was with a large manufacturing organization. The meeting was with the Chief Information Security Officer, and we were showing near real-time visibility of how people are actually interacting with their data and where it was going. Through this live analytics dashboard, we could actually see a spike in files being shared. And as we dove into it a lot better, a lot closer, we could actually see that 4,500 sensitive files were actually being downloaded and sent to a private OneDrive, which was located outside of Australia. This actually obviously created a lot of alarm bells when we looked at the different files as well. They were price books, contracts, customer information, so highly sensitive and business-critical information as well. So as you can imagine, the Chief Information Security Officer quickly left the meeting, called a security team, made sure that they put a stop and put some preventative measures in place. But this is a bit of an example of a disgruntled employee who we luckily caught in the act, and we're able to prevent any mishaps or further malicious acts being continued there. As we start to look at percentages around the various threats, we can actually see that 2/3, around 68% of data breaches actually have nonmalicious human element involved. So that actually underscores the need to have a robust access controls, but also user training. When it comes to compliance and noncompliance is actually 2.7x costlier to be noncompliant than to comply with the certain regulations out there. This hopefully emphasizes the financial incentive of being aligned to a regulatory framework, but also you want to make sure that you can govern your data effectively as well. 
When we're looking at Citizens right throughout Australia, 91% of Australians actually want businesses, but also the government to apply a stronger protection for your personal information. And it's really these consumer expectations that drives legislation and business efforts to deliver on their data privacy act. As we start to look at data and how you trust data, data is really your most valuable asset across an organization. And us as a team and the platform team, we want to help you stay resilient, compliant and secure at all times. But data only creates value when it's resilient, meaning it's both reliable but also relevant. When you're looking at reliable data, that's really data that you can trust, no matter what. And therefore, you have a resiliency or a backup plan. When you're looking at relevant data, that's really meaning around -- focus around having the right information in the right place at the right time. So removing data into cold storage when necessary is also very important. Once your data is resilient, now you can start unlocking the full potential and start delivering for business initiatives and growth strategies as well. As I start to look at data access controls, particularly around PII, highly valuable, but also highly sensitive information, you need stringent management in place. So that's putting the right governance, but also guardrails like role-based access controls so that you can safeguard your critical information effectively. You also want to start thinking and looking at principles like the principle of least privilege. This basically means that you only apply just enough access for your members and employees to do their tasks effectively. Coming to a more recent story when we were working our own, this is focused around data reliability. But we're actually working with a large multinational. 
This business had granted over permissions to a third-party partner who had full access to the production environment, and they were running SQL on their product account. And this person mistakenly made a large number of changes in that product account. They ended up accidentally deleting 3 months' worth of development work, and this caused major panic across the business. It was affecting large projects, some had tight deadlines. And this really meant that the business was really in a state of flux at that point. Fortunately, when they gave us a call and said, you've been running evaluation of our backup and recover solution, do you have a recent backup? We luckily did. And with that, we were able to restore the organization back to the part where it was previously positioned. So that was a very fortunate and close shave that we supported that customer and now they're a customer of ours throughout the world. As we start to look at data security, it's vital to have monitoring of your user activity, but also the behaviors of your users as well. The ability to track and therefore also encrypt en masse sensitive data, so then you can start implementing more governance and controls to better manage access but also access of your sensitive data. Otherwise, you can find yourself at the mercy of a governing body that's forcing you to act, and that's not a position that we want you to be in. When we start to look at some of these governing bodies, for example, the Australian Privacy Act and the Australian Privacy Principles, they apply a comprehensive framework with 13 guiding principles of handling your personal information. So the focus that they have is on transparency, also security of the individual rights. When you're looking at one of the clauses there, which is around 11.2 specifically, it focuses on the de-identification. And this is actually the need to de-identify personal information in specified circumstances. 
For example, if an entity no longer needs personal information for any purpose for which it was collected or any purpose for which it may be disclosed, the entity must take reasonable steps to actually destroy or de-identify that information. So having the ability to classify, detect and mask or anonymize your data is actually very vital in these steps. When you're looking at the Privacy Act, it is actually enforced by the OAIC, which is the Office of the Australian Information Commissioner, with noncompliance actually potentially leading to large penalties, and these penalties are serious for multiple data breaches potentially and having repeated breaches of the nature as well. These can be of a number around AUD 50 million or AUD 30 million of the -- or 30% of the adjusted turnover of your business, whichever is higher. So the legislative reform is actually expected to come into place in H2 of 2025 to align to stricter global standards as well. When we look at prior experiences and prior data breaches from a large telco, but also a health insurer, these are examples of incidents being investigated by the Privacy Act and have the potential to have penalties falling under the protection of personal information. One of the other regulatory bodies I wanted to highlight is the Security of Critical Infrastructure, also known as SOCI. So this legislation actually aligns to organizations and critical industries. So you're thinking healthcare, food and grocery, you've got energy and utilities, financial institutions, communication, transportation and a few more. But this act really requires entities to report cyber incidents. So as they can help the government actually take action and develop a threat picture to inform a cyber response. So it's a really critical component. When I was working at a previous employer a few years back, I was working at a marketing technology startup, we were actually acquired by a large credit bureau.
And this acquisition actually happened 6 months post a significant data breach. When we were working with our colleagues, we would actually talk to them about how is the impact through your meetings and conversations. They basically expressed that above 90% of their conversations are still to the day about answering questions around -- and concerns around the data breach, making sure that they can prevent any of those occurrences from happening again and ensuring that and trying to build trust back with the customer base, but also their partner ecosystem. In instances, when they were trying to deliver and get new meetings, they wanted to leverage our brand, which is obviously new to the marketing team so that they could actually have some normal conversations and drive some meetings as per prior. So this is a bit of an example. There was obviously a huge impact to the trust and loyalty of the customers. But also when you're looking from a financial point of view, they had to pay $1.38 billion worth of fines and their share price actually dropped by 60% at one point. So hopefully, this gives you some direction on which regulations could be suitable for your organization, but also happy to take this offline and connect post the session today to give you some further guidance and talk through to ensure that you're aligned to a governing body that's most appropriate to your business today. As we start to look at disaster recovery, it's really focused around 3 categories, and that's your technology, planning and process, but also your people. As we look and talk about technology for disaster recovery, it really means keeping our digital assets safe and keeping -- making sure that your business is online as fast as possible. 
This means having a solid and secure backup that you regularly check, plus you want to make sure that you're keeping tabs of everything that's happening in your system to ensure that you'll keep -- you're implementing tighter user security and controls like multifactor authentication, making sure that only the right people are getting into the environment. Ultimately, we want our systems to be always available and resilient of any disruptions. So when you are looking at planning and process for disaster recovery, it's really about having a solid game plan for anything that could potentially go wrong. So that means you want to have a playbook in place, which is clear. It's a written guideline, tells everyone exactly what to do in case there was a data incident across your systems. But also in that plan, you want to meet recovery goals. Some of these, for example, could be around how fast do you need to be back online, that aligns to your recovery time objective. Also how much data can you afford to lose, which aligns to your recovery point objective. Some examples and conversations to be having when you're looking at your sensitive information, and that's done after gaining the visibility, classifying your data, then you can start having discussions around if we lose 1 hour of data, is that okay? Or can we handle 4 hours of data or 1 day? These are the questions you need to start talking amongst the business to have that direction implemented effectively. When it comes to disaster recovery and focus around your people, it's vital. And that means making sure that everyone knows the plan if something goes wrong, you want to make sure that you're practicing regular drills to ensure that people can act and preempt -- not preempt, but react effectively under pressure. So you want to look at how your teams can skill up on tools for not only providing backups, but also getting data back and the process behind that. 
So across the board, we want everyone smart, safe and ongoing training on security, so then people can stay vigilant. When we're looking from a data point perspective, surveys actually show that 76% of organizations have actually -- have already experienced a data loss. So this states the urgent need for a comprehensive disaster recovery plan but also that incorporates not only technology but also a clear planning for training of employees as well. As a significant majority of organizations have already experienced a critical data loss, it really goes back to the old adage of not if, but when. So before handing the reins over to Kevin, I think the one action I would suggest people to take from the discussion today as a baseline, if you're not aligned to a regulatory or compliance framework today, I would strongly suggest that you do so. So we've touched on a few examples around data privacy. So that's the Australian Privacy Act. You've got DORA, GDPR, SOCI, some security frameworks, the likes of NIST, ISO 27001 and SOC 2. And then you can also look at industry standards, for example, ISM, Essential Eight, you've got HIPAA, you've got APRA, you've got PCI-DSS. So these will fundamentally help you govern your people in security controls to help you build trust with your customers and your partners in the ecosystem so that you can be more proactive in applying a more robust approach to securing your sensitive data. You want to avoid any fines or any impact to your brand and to ensure business continuity. So with that, I'll pass it over to Kevin to guide you through some best practices for data management. Over to you, Kevin.
Kevin Rossiter (executive)
Thank you, Hamish, and hello, everybody. I'm delighted to take you through probably the next 15 minutes or so of content before we move into Q&A. But what I'd like to do is I'd like to take you through some practical strategies for data management, data protection and compliance. Now some of you may be wondering why doesn't Salesforce just make all of their solutions secure and compliant for everybody. Trust me, we do everything we can do, trust is our #1 value and has been for over 25 years now. But the reality is we can't do it all without you. And it's important actually that we don't try to. Every one of your businesses is unique and it's critical that we put the controls for the data and these things in your hands. And we call that the shared responsibility model and we often use a unit block analogy we have done for many years, and it's a great way to visualize the shared responsibility. So if you imagine Salesforce was a unit block, you would want Salesforce to make sure the electricity is working, the plumbing is connected, the door buzzers are in the right door and they open the right gates and so on. But what you do within your unit, what you do with your furniture and your belongings that should absolutely [ be working ]. And we wouldn't be assuming that you want your [indiscernible]. But having said that, I am quite happy to take you through some opinions, taken as Kevin's opinions, if you like, on what you could do and here are 5 of them. And Hamish spoke to you about some of the benefits in the -- one of the imperatives to hold the data that you do on your customers. But then he talked about the risks and the obligations and compliance requirements that surround that.
And so it's through those 2 lenses, that I'd like to take you through these 5 business steps, ultimately leveraging tools and controls that land on your side of the shared responsibility model, look to manage risk and meet the compliance obligations of those things like ISM, the Australian Privacy Act and SOCI. So let's get started with understanding your data footprint and particularly with a platform like Salesforce it's more than a CRM, right? It's a fully-fledged application platform that holds customer records, history, e-mail communications, financial agreements, even health data, right? It's dynamic, it's configurable, constantly evolving and changing. So if you're not regularly mapping and monitoring what data is being stored, where it's growing, who has access, then you're creating blind spots with the compliance for shared groups. Now both the APA and the ISM both emphasize the importance of data visibility and governance. And the APA requires organizations to demonstrate accountability for personal data processing. So that means you need to know exactly what data you're holding, how long you're planning to store it for, who can access it and how it's protected. Similarly, the ISM mandate controls around things like audit control and it goes further into -- sorry, audit logging and access control, meaning particularly with sensitive or security classified data, those things are under a heightened level of scrutiny. That's why having a data readiness strategy is so important. It's not just about preparing for breaches. Certainly, it prepares you for audits, but it's about building a proper culture and infrastructure that ensures your data is always in a known, governed and recoverable state. And this brings us then to the active classification, and whether its identifying sensitive personal data under APA or protected level under the ISM. 
You need to have a clear classification model inside of sales for this and the model should go far beyond just standard objects. It should consider custom objects and custom field because you have things in this environment, they can look up new data containers [indiscernible] constantly changing the actual data model. Now classification, if anyone has actually gone through it is actually -- or it used to be quite a painful task if you have gone through the process. There's a lot of back and forth between IT and the business and confirming proposed classifications. It almost always involves the use of spreadsheets that's done outside of the Salesforce. And the fact that the hope is seeing ongoing development and customization means that often when you finish, that's already become outdated and needs to be revisited. And for that reason, most people when they do complete the classification, they tend to maintain it in those spreadsheets outside of the Salesforce. But don't worry, with the introduction of some of the solutions from the acquisition of Own, Salesforce Security Center has had a serious uplift in this area. It's actually got tooling that can rapidly progress through classification of data model and alert you to new data model that might yet need to be classified. Most customers when they're going through will actually get to 70%, 80% very, very quickly. If you think about it, it's a lot of [indiscernible] massive detail relationships, things like that, very quick to get to that kind of point. But then you get into the good stuff, the actual sensitive data in identifying particular compliance categories and things across the base model. And for that, even again, there's now a guided classification flow within security center. So you can very quickly find candidates of a certain nature for mass classification. So now once we classify that data inside of Salesforce, the next step would be actually assessing the security posture of the environment itself. 
The question we'll ask is who can access the data and how well is that data protected in a closer detail. You probably start with field level security. It's one of the most powerful and overlooked controls inside of Salesforce. So you might have a record type that, you know, surface level looks benign. But now that you've classified the data model, actually under the hood through classification, you found things like storing credit card or health data or sensitive personal information. Now I'm not saying that you shouldn't hold that data. What I'm saying is that those fields should be visible and editable by users who absolutely need that access. So you need to go further and audit things like roles and profiles and permission sets, sharing rules, object level overrides, it's detailed work, but it really is what protects your most valuable data from accidental exposure or misuse. Then you look at access control and authentication. Are you enforcing multifactor authentication? Are there inactive users lingering in the org that have access to sensitive records? What are your external users being privy to, like your community users or your partners? Access control hygiene really is foundational to complying with the likes of ISM and SOCI, which both require strict least privilege access, identity assurance and importantly, auditability. So beyond users, you'd also then start to think like integration. Salesforce is rarely in isolation, it is usually connected to multiple things like marketing, and billing tools, data warehouses. Each one is a potential pathway for data to both leave and be delivered to your Salesforce. So are these connections secure? Are there the right scope and permissions applied to that integration for the thing that it's meant to be doing? And are you monitoring what data is being extracted and inserted through those APIs? So essential questions, especially when starting to consider things like data loss prevention.
And speaking of DLP, it's no longer just about stopping large downloads. It's about understanding how data could unintentionally flow out of Salesforce. Yes, integrations, but it could also be things like reports or e-mail exports or clipboard activity. And DLP in a SaaS context means putting guardrails in place that align with your now classified data model but now prevent high-risk data from being shared -- transferred without oversight. So to sum up, classifying was your first step as the foundation. But then once you've got that as your kind of -- as your guide, as your North Star, you can then start to understand your unique appetite for risk and you can start to identify desired hardening needs for your environment that are specific to you and another great use case of Security Center, which allows you to meaningfully score and understand that security posture, and begin to make decisions about what you might choose to do about that. So what might you do? Now you're probably going to have a long laundry list of things that you could potentially address, it's actually one thing that we used to see with customers or we used to take through security reviews and Own backup. Often, you have a massive list of things to do that you don't know where to start, could be as simple as enforcing 2FA or establishing a single sign-on or implementing customer managed keys for your encryption at rest. But like I said, each of you will find your list of priorities and you'll be looking for where you might start first, and the personal favorite of mine, of course, is to ensure that you have a sound data recovery solution in place for your data. Now you'll notice I did not use the term data backup there. If I did, if I used the word backup, I could tell you that there are many, many options for backup.
Backup is easy, and if compliance meant as it used to, that you simply have an external copy of your data, then everyone in this call would be compliant and you'd probably be doing so by using a weekly export or something like that. But compliance requirements on this topic have grown up big time. You need to be able to apply privacy principles to those backups, right? So such as a means to handle a customer's right to be forgotten that also needs to be honored into the backup of that customer's data. You need to implement auditability to meet things like SOCI and the ISM and ultimately need to be able to actually restore that data when you need to with progressive recovery time objectives, like that just makes business sense and not just the compliance sense -- in that year. And at that point, the list of meaningful candidates for data backup and recovery actually quite a few. A lot of backup solutions out there, but very few actual meaningful restore solutions certainly ones that comply with these types of data license we see in Australia. And the reason for that is the complexities that are introduced by any relational database make restoration quite difficult. But I'm pleased to report that at the end of last year, through the Salesforce acquisition of Own, Salesforce acquired the #1 data protection solution in this space. OwnBackup by any measure, choose your measure, the number of customers, the volume of data that they were holding, the number of app exchange reviews, all sorts of things. They're incredibly well credentialed to be providing this protection for Salesforce customers of any size. Now directly available from Salesforce as Salesforce's backup and recovery solution. So to summarize this slide, if there was any one thing I'd recommend you to secure your data, and there will be multiple. But if there was any one thing, it would be in a solution like this to at least prepare for that worst case scenario.
So now that we've classified our sensitive data, we've assessed it using security center and we've put in some steps to improve our security posture. Hopefully, we all purchased Salesforce backup and recovery. But the next piece of the puzzle is monitoring because security isn't just about setting controls. It's about continuously watching for threats, anomalies and misuse. So from a compliance perspective, it's actually a key expectation of both the ISM and the Security of the Critical Infrastructure Act, SOCI. The ISM calls for continuous monitoring and user activity and particularly around sensitive or security classified data. SOCI, meanwhile, it places a heightened duty of care on the critical infrastructure operators and the need to detect and respond to cyber threats in the real time. One very interesting element with this framework Hamish touched on it is the need to be able to prove the scope of the breach across all the applications used. So even in the event that Salesforce was not the target when -- of some sort of attack, those under scrutiny for compliance would still need to be able to prove that the Salesforce org was left unscathed during that incident. So it's almost a guilty until proven not guilty situation where a lot of customers without proper monitoring would not actually be able to know access to those assets and those audit trails to support this kind of evidence collection. So monitoring is essential, essential for demonstrating accountability. Even when it's things like detecting policy violations or identifying data extraction attempts showing that the audit trail after an incident, it's super, super important. So this is where Salesforce event monitoring comes into the mix, and hopefully leaves you without flying blind in these types of situations. If you consider Salesforce as an event monitoring, it gives you access to about or actually more than 50 different types of events. 
So things like log-ins, log-outs, field-level changes, API calls, even user clicks are considered. So this is the type of telemetry that you need to detect suspicious behavior, like it might not necessarily be an event, but it should be something that you might want to investigate like a user downloading a large number of records, accessing sensitive fields that they might normally access, logging in from unusual IP addresses. It actually goes further and it automatically blocks alerts and challenges users in some cases using transaction security policies, it's probably the coolest part of the application. So it's not just monitoring, but it's actually in real time, prohibiting users from doing things and checking, taking through those checks and balances. So lastly, we'll touch on consent and preference management. And in Australia, privacy is -- it isn't just a legal requirement. It's a major driver of custom brand loyalty, and yet there's a disconnect. You can see it on the slide here between what businesses collect and what customers are comfortable sharing. Research shows that 56% of Australians feel they've been asked to provide more personal information than necessary to sign up for a service. Even more telling is the 35% on the right who chose not to buy a product or service because they were not comfortable giving the personal information that was being collected. And I actually experienced that this last night. So we've just moved house. I was shopping around looking for options for gas. We've never had gas before. And I was putting in -- like a mail to redirect with Australia Post from old address to new address. And I was doing all of this watching the second half of origin, so a little bit distracted. But it was one of those situations where once you see it, you can't unsee it. All sorts of kind of questions and the providers were asking for inputs that were not relevant to what I was looking to purchase. 
And I actually found myself discounting and moving away and ignoring some of the cheaper options simply because of the information that was asked me to put in and it's like I said, it's once you see, you can't unsee it. So these aren't just statistics. They are actually kind of signals, signals that privacy expectations are shifting, and they're certainly shifting in my house. And under the APA, organizations are actually obligated to collect personal information only when it's necessary and with the proper consent. So building a robust privacy and compliance program inside your SaaS environment is super important. And it's not enough just to bolt it on after the fact; it has to be embedded in your business process as early as possible, to be honest. Privacy Center allows you to centralize consent and management. It's perfectly placed within Salesforce. And you can give customers a unified interface so they can view and manage how their personal data is being used, whether it's the marketing communications, data sharing with third parties or even analytics. So you can configure data protection policies, collection policies and ensure you're only capturing the data you need and aligned with the purpose of use. You can also build workflows for the data access and deletion request. It's also the flip side so you can start one of those types of data subject requests when people ask for their data or for their data to be destroyed. What's powerful here is it isn't just a check box exercise. If you think about my example, it's a real opportunity to build trust by giving customers the tools and the transparency they expect and by showing -- you're treating that data with the seriousness that it deserves. So to wrap all of this up, protecting sensitive data in Salesforce really isn't optional. It's a business, legal and, in this case, reputational imperative now.
So first things you need to do is understand the footprint of your data, know what data you hold, where it lives, and what's sensitive. With that now as the North Star, you can then begin to understand and assess your security posture with security center and then take actions to secure that environment. Like I said, if you're going to choose anything to remedy first, I think being prepared for the worst is not a bad place to start. So having a robust data restoration solution in place and ready. I really encourage you to check out Salesforce's new backup and restore solution. I also recommend the implementation of continuous monitoring with tools like Salesforce event monitoring and their transaction security policies so you can detect and stop threats in real time. And then lastly, Australian customers are more privacy conscious than ever. I saw the ISM last night, and they're voting with their wallets. So by implementing strong privacy controls and consent management, you're not just complying with the APA and the ISM, you're also strengthening trust, loyalty and gaining a competitive advantage now in privacy first. So thank you very much, and back to you, Priya, for some Q&A, I believe.
Priya Kanjia
executive
Great. Thanks, Kevin. I think a great overview of just like how to get started and some practical advice for organizations for or if you're thinking about this for the first time or if you already kind of got started on this. We are going to now jump into some Q&A. We've had a couple of questions come through the chat. So please submit your questions if you haven't yet, and we'll try to get through as many of them as we can. To kick things off, Kevin, I think this is a good question for you. What are your thoughts on full org restore test using backup? So it's going to depend on how much sensitive data they have in the org, but curious to hear your thoughts or advice on this.
Kevin Rossiter
executive
Full org restore using backup. It's quite a rare scenario. I could actually probably count on one hand the number of customers that actually needed to do a full restore because when the right tooling is in place, restoration will be quite specific and can be quite granular and precision so that you're not needing to roll back the whole business, you're just rolling back that, which has been actually being affected. But the reality is if you're creating a DRP, you should absolutely have a plan in place for that scenario. And you should have items in your DRP for each of the different disasters that you might potentially want to solve for. So absolutely, it should be a test that you do once a year, twice a year when you're testing your DRP. And in the case of Salesforce's backup and recover, it actually allows you to restore data to a different environment to that which it was extracted from. So you could identify legitimate events within your production org. For the purpose of the evaluation, you can consider them an illegitimate event and then you can deliver the restoration to a sandbox if you wanted to do so, so that you can view the results, check that the plan goes as it was expected to be. So yes, highly encourage it. But like I said, it's quite a rare scenario, but it is a scenario that you want to have documented in the DRP.
Priya Kanjia
executive
Good advice. Thanks for the thorough answer too, I think. Next question. So a question for both of you. I think interested to hear your thoughts considering you both are working with so many different customers like locally and globally. What are there any emerging trends you're seeing around data management for organizations in the industry? Curious what you're both hearing around this topic and anything that's new or anything that's persisted over time?
Hamish Ormsby
executive
Yes, I'm happy to take that, Kevin. What I'm seeing is actually when we're speaking to CIOs, there's more of an urgent need around data readiness, therefore, the importance of the session today, especially as they start having conversations around adopting AI because I think when you're looking at Board members to CIOs, like everyone is wanting to take on AI, so there's added pressures from the executive level to ensure that they are starting to formulate approaches and how they start to adopt that. But when you're -- what we're seeing as well is like are we ready? Like do we have our foundations in place? Do we have full visibility and control? And a lot of businesses are trying to get into that, I guess, that position. So then they can start going, okay, well, now we start leveraging AI, how -- what are some initial steps and how do we do so in a secure and robust manner. So I think that's a priority for a lot of CIOs at the moment is getting the foundations around data management in place. So then the pressures from above can be answered and you can actually start going back to the Board to showcase as your business is starting to innovate and adopt new strategies, you're starting to implement AI capabilities to enhance the way that you approach that fundamentally across your industry.
Kevin Rossiter
executive
I've got a bit of a take on this as well. We didn't talk much about archival today or record life cycle management. But for many years, the #1 use case for an archive solution has been simply to manage storage limits within the SaaS applications. It starts to take up data that you don't need. But then over years, we start to run into other use cases like one allow me to make data immutable for a certain stage of its life cycle. Then kind of in recent years, it moved into risk mitigation. Like if I actually take some of my data out and I put it somewhere else, it's now 2 different risk surfaces, so not one single point of breach. But what's really interesting in the last year is as customers are starting to consider Agentforce, it's now a tool that you can take no longer relevant data outside of the CRM, still accessible, still accessible when you need it to be, but it's now no longer inputs to Agentforce. And the logic is I've got 10 years of case data, but my business is totally different to how it used to operate 10 years ago. So by taking out the less relevant data, what you're doing is you're making the Agentforce inputs now more relevant to how you actually run your business today. So starting to see that kind of taking over as one of the drivers for things like record life cycle management and archival.
Priya Kanjia
executive
Yes. That makes sense. And I think it's interesting because it's very agnostic, right? I think now this conversation is happening regardless of like what industry you're working in, what type of company you are. Maybe it was only more relevant or more top of mind if you're in a regulated industry, but I think it's very clear, it's important for across the board. So this relates to the next question that came in. What are the products around recovery and compliance? I think, Kevin, you just kind of started talking about archive, but anything you both would add just around considerations when customers are thinking about recovery and compliance and those processes?
Kevin Rossiter
executive
Yes. So from a trusted services side within the Salesforce, obviously, we talked about Salesforce backup and recover today. We've also looked at the Salesforce -- I just touched on the Salesforce archive solution, which is a record life cycle management application to start to handle data in different ways as it moves through the different stages of its life cycle. But another one that jumps to mind would be things like Data Mask and Seed. So if you're seeding data into other sandboxes, all you're doing is you're creating other risk surfaces, other points of breach, right? Other -- and potentially, you're creating other assets that you're then giving out to external parties and partners and other people outside of your business that don't typically have access to that production data. So Data Mask is an important piece because you can then desensitize these other risk surfaces, but they're not risk surfaces at all. I would say that would be an important one.
Priya Kanjia
executive
This is an interesting one. Do backup and restore... [Technical Difficulty]
Kevin Rossiter
executive
That was that interesting...
Hamish Ormsby
executive
That was magic. We'll see if we can bring her back.
Kevin Rossiter
executive
I see we have access to the questions here as well. So should we just work through them in Priya's absence?
Priya Kanjia
executive
I'm back. Thanks for that. Minor technical issue. Let me get back to the question at hand. So I left everyone on a cliffhanger saying it was an interesting question. But the question is, do backup and restore solutions usually go hand in hand? What if an organization already has a backup solution in place and they're now looking at recovery? I'm curious, how do you usually see this being implemented in the industry? Are customers starting with one or the other? Like what's the best practice around this?
Kevin Rossiter
executive
So I'd say most customers start in a position where those solutions are separate. If you take the example of the weekly export, right, that's your backup mechanism. It's you enqueuing a request for your data, you're then downloading that and storing it somewhere locally and you're holding it for some period of time until you might need to use it. So backup, one separate mechanism. But then restore is you handling CSV files so large that they're difficult to handle at all and using things like disparate solution. And that's probably a starting point for those customers for their relationship with Salesforce. But very quickly in that you realize that to restore, you have to have visibility of what it was. And I don't just mean the data. What I mean is the way the data is connected to other things. So when you're restoring, you're actually not just putting in a particular record, you're putting all of the relationships back that, that record has with other things in the org. So a solution when it's restoring needs to be able to see what the org was before from more than just a record perspective, needs to be able to look at all the record IDs and know the rules and figure out the correct blend of insert and update operations to solve for the thing you call your data event. And those types of solutions, they're not separate solutions. They're ones that provide both of those functions. So you have the ability to put back but also the view of what it was before in a single UI that is actually usable for that fashion. So yes, it's probably a starting point for most, but it's not a meaningful restore solution until you have one that does both.
Hamish Ormsby
executive
And I think also that's a good point, Kevin. I know we've spoken to a lot of customers who have a complex data model. But as you start to leverage your data more effectively and start doing a lot of, I guess, large projects, which are aligned to your Salesforce environment, having the ability to, I guess, do a quick backup before you start introducing new data into your production environment. That's when we see a lot of mishaps occurring. And so it's a fundamental best practice to just implement that sort of process before you start doing large pushes into production. So there's multiple different use cases, but that's one we've seen more effective and one that's used across the board with our customer base more regularly.
Priya Kanjia
executive
Yes. I think good advice from both of you. Understandable, I think people might have to start somewhere, start with step 1, but good to be thinking about it holistically and as part of the bigger picture when you're thinking about the process and what it's going to look like for your company longer term. When we're talking about archiving, should we bleed our archived backup data to align with the data policy, the guidance and best practices around this one?
Kevin Rossiter
executive
That's a good question. The reason I say that is you should, but they should be at separate stages. So if you think about archive, what you're doing is you're taking one last copy of the data and then you're destroying the source and you're preserving that one last copy externally immutably with an audit trail for some sort of period of time until it needs to be destroyed. And you'd want the backup and restore solution to be part of that picture. So if anything went wrong, if you created a policy incorrectly, if you accidentally set the retention so low that it extracted and destroyed immediately, you have some sort of mechanism to undo your illegitimate archive operation. So you definitely want the backup to be in place as a safety net, but then there would be a retention policy on the backups itself so that they are then cleaning themselves out over time. And you would want the backup purge to be well after the archive purge. So you've got that buffer, that safety net should anything be identified as illegitimately extracted and purged. Great question.
Priya Kanjia
executive
Agreed. We have time for a few more. Do you both have any advice on balancing data accessibility with data security? How do you balance both?
Hamish Ormsby
executive
Yes, I can jump in there. That's a good question. I think when you're looking at data security, data protection, but also security, it's not one or the other. It's both. But I think when you're looking at them together as a business function, you also want to try and make them as an enabler to the business, meaning when I was speaking earlier around role-based access controls or the principle of least privilege, you want to enable your employees to do as much as they can, but you don't want to over permit. So for example, different orgs, they might not even get access to certain orgs, which might have sensitive data. So you want to start categorizing it really effectively because the way that you operate internally, as we see from a lot of the risks around data incidents can happen from not only a third party having access, but also your internal employees. So you want to limit that impact as much as possible. But fundamentally, when you're looking at data security, this is something that you need to adopt and implement more broadly because there's an increased number of like different threats across the world where you want to have stricter like tighter controls, whether that's encrypting your data down to the field level across the different systems, you want to make sure like you said as well, Kevin, you want to start implementing more masking of your data as well. So these are processes that you want to start formulating and embedding together instead of doing one or the other. Kevin, whether you've got any further thoughts around that as well.
Kevin Rossiter
executive
My gut reaction is that one is much easier to test than the other. So it would be easier to test the need for accessibility than it would be to test the need for security. But you're right, it's a trade-off, and it's a conversation with the business. And it's probably a conversation with the business that becomes easier when the business is in those regions where people have to put themselves at stake for the business. You literally would go to jail for the decisions you made for that business, that type of them. But yes, it's easier to test the business's need for accessibility than it would be to test your need for security. So I would start with testing the business' real need for accessibility first.
Hamish Ormsby
executive
Yes. And exactly is like as you have more critical information sensitive information in your orgs, like it means you just -- you need -- it's not a maybe, it's a must-have. So then you start utilizing, your system becomes a critical part of the operation of your business. So then you treat it with urgent care. Yes.
Priya Kanjia
executive
Yes. And I think we have time for one more before we wrap. A question for both of you. Any advice on how to get started making a data recovery plan? So any thoughts on just key components, checks and balances to be thinking about as someone is kind of starting this off?
Kevin Rossiter
executive
Yes. I can take that, Hamish. So we go through a lot of kind of information security reviews and RFPs and tender responses and things like that. And how we fit into a business' DRP from a backup and restore perspective, let's say, is always front and center. There's always a question about what's your RTO? What's your RPO? And it's because they're trying to fit a solution into some already constructed disaster recovery plan's objectives. But the reality is there's so much more that goes into a response to a disaster than simply hitting a restore button, right? So you should be -- and maybe you're considering DRP and you're looking to refresh yours or you're creating for the first time. You shouldn't focus on just these hard metrics like RTO or RPO, recovery time objective, recovery point objective. What you should be doing is considering every element of how a suspected data event gets all the way through to resolved data event. So do you have mechanisms like smart alerts, I know we've got smart alerts in our solutions that could give you indications of suspected data events. So now your timer is not starting at the button. Your time is actually starting before the event being picked up by the front line potentially. You're proactively investigating events before they're events. It should then consider, well, how do you then notify the right people? Is that a case queue? Is it some sort of triaging system? You then need to put into your plan like, okay, when we triage, how do we triage it into one of these different disaster scenarios? Is it follow? Or is it single record? Or is there a cascade effect we solve for? So there's multiple steps before you get to hitting the restore button, meaning that the recovery time objective that everybody wants to put in their SaaS recovery plan is actually just one piece right at the end. That's how fast can the data be thrown back at the org.
You need to consider all the other elements of your operation from identifying, suspecting, diagnosing, triaging before you even get to resolution. So think bigger, think bigger when you're building a DRP because it's so much more than just the speed at which data can be injected back into an org.
Priya Kanjia
executive
I think good advice and a good place to get started. With that, I think we're out of time for today. So a big thank you. Thank you, Kevin and Hamish for walking us through the concepts. I think great conversation and great advice for people to think about and get started with. If you're interested in what we talked about today, please take a scan of our white paper in the middle. This is a conversation specific to the ANZ market around how to get started when you're thinking about privacy and compliance. If you are in Melbourne or Melbourne-based or have team members in Melbourne, we're going to be continuing this conversation at our Agentforce World Tour coming up next week. We'd love to see you there. This is a free event for anyone to attend. And if you're not Melbourne-based, please reach out to your Salesforce account executive. We're always hosting events, conversations, workshops around topics like this in many of our cities where we have offices. So I would love to see all of you there in person. And with that, thank you for joining us today and looking forward to our next conversation.
Hamish Ormsby
executive
Thank you. Thank you, everyone.