Skip to Content
Skip to Content

Creating an Optimised Security Governance Strategy for Agile Business

SaaS platforms are no longer just the domain of IT. Strategic alignment, governance and collaboration across business units are essential to their success.

No longer the domain of shadow IT, Software as a Service (SaaS) platforms have become an integral component of the modern enterprise. Indeed, ‘cloud first’ is often the rallying cry of the modern CIO’s bimodal IT strategy. Nowhere is this more prevalent than in the huge growth and expanding footprint of the Salesforce portfolio of products and services. However, with great growth comes great responsibility. As with any good enterprise citizen, strict yet flexible governance should be front of mind.

Given security should underpin every decision we make in IT, DevOps might be more accurately called DevSecOps. It is the natural embodiment of good governance as it relates to developing, delivering and operating IT software and services — without a clearly defined governance strategy an effective DevSecOps approach is doomed to fail. However, good governance is lean governance and should never compromise a business’s agility or stifle innovation.

But before we can securely develop, deliver and effectively operate a service, we must assess and prioritise it. Consider the brilliantly simple yet powerful IT4IT cloud operating model. This go-to, vendor-neutral framework for managing the business of IT can be split into four service lifecycle phases:

  1. Strategy to portfolio: Align, assess and prioritise portfolio demand
  2. Requirement to deploy: Architect, design and build services
  3. Request to fulfil: Catalog, fulfil and manage service usage, delivery and expectations
  4. Detect to correct: Monitor, measure and proactively manage resolution of incidents and outages

While IT4IT is not the subject of this article, it provides a useful example for demonstrating a familiar IT operating model, allowing us to illustrate the IT value chain and frame a broader discussion around delivering successful Salesforce initiatives. Our focus then, will be on managing demand and demonstrating how solid governance and a culture of collaboration and shared responsibility can set an organisation up for success.

Properly managing a pipeline of demand is essential and enables an organisation to effectively address Salesforce programs and projects across multiple business units, dependencies and systems.

Aligning, assessing and prioritising will help in enforcing governance through quality checks, information security, standards and compliance alignment. All while cultivating and fostering a culture of shared responsibility and trust from the outset through collaboration and cooperation. These are key facets for any successful DevSecOps strategy.

Managing demand

We can consider managing demand from two perspectives: the PMO and the  ‘IT Operating’ lens. Though never mutually exclusive, this article will focus on demand management from an IT Operating perspective by exploring the following questions:

  • What are the principal stages in aligning, assessing and prioritising Salesforce IT demand? 
  • Why is DevSecOps so important in driving successful outcomes? 
  • What are the key milestones and decision points when assessing demand?

Establish a cross-functional team

Given collaboration is fundamental to success, establishing a cross functional team from the outset is crucial. Typically, business sponsors and senior stakeholders will drive the conversation while project managers, product owners, security, enterprise and application architects, testing, service delivery and change managers will contribute across their specific areas of expertise. 

Importantly, this is not to drive requirements or talk solutions, but to ensure alignment to governance and compliance standards, and formalise the roles and responsibilities of the collaborative team.

Strategic alignment

This is where we align an initiative with a business’s overall corporate vision, strategy and goals, and identify the inherent risks in developing and operating it. How does it align with other ‘inflight’ and pending programs, and how might we define and continuously measure the initiative against KPIs? 

This ensures alignment between IT and the business, as well as better utilisation of available budgets and resources. It also assists in the adoption of new services across the organisation.

Business impact and risk assessment

Next comes an assessment of the underpinning business drivers and technology makeup. Understanding and mitigation of risk is essential. This includes, but is not limited to legal and regulatory compliance, Salesforce org strategy, business continuity, privacy, security, architectural compliance, and social impact.

Regulatory compliance

This involves looking at the regulatory compliance requirements mandated by the organisation and the broader context of its ecosystem and particular geographies. At this point we look at the established repeatable strategies, processes and controls that are in place to ensure we meet and can measure compliance on an ongoing basis.


A privacy assessment identifies and records the essential components of any proposed service containing significant amounts of personal information, and establishes how the privacy risks associated with that system can be managed. 

Salesforce org strategy

Consider where this service will be implemented based on a defined Salesforce ‘org strategy’ using the following levers:

  • Organisational structure and boundaries
  • Shared processes and data access requirements across the organisation
  • Proposed user base – B2B, B2C, B2B2C
  • Agility and autonomy for DevSecOps teams, product owners, business units, domains and divisions
  • Enterprise and third-party integration requirements – are there opportunities to reuse existing technical investment?
  • Data segmentation and regulatory compliance (industry and geographic)
  • Reporting and analytics
  • Potential implications on Salesforce org-wide limits and existing tenant services

Business continuity planning

Organisations must mitigate service availability and data loss through robust data backup and recovery strategies to ensure the business can continue to operate in the event of service downtime. Furthermore, continued monitoring and measurement of service performance is essential to proactively mitigate data loss incidents and breaches.

Architectural compliance

The service must comply with the guiding architectural principles. Often tradeoffs must be made when implementing systems due to time, resource and budget constraints. The following pillars taken as a subset of the AWS Well Architected framework are an excellent template for all modern cloud services:

  • Operational excellence
    • Perform operations as code
    • Annotate documentation
    • Make frequent, small, reversible changes
    • Refine operations procedures frequently
    • Anticipate failure
    • Learn from all operational failures
  • Security
    • Implement a strong identity foundation
    • Enable traceability
    • Apply security at all layers
    • Automate security best practices
    • Protect data in transit and at rest
    • Prepare for security events
  • Reliability
    • Test recovery procedures
    • Automatically recover from failure
    • Manage change in automation
  • Performance efficiency
    • Democratise advanced technologies
    • Experiment more often

Shared services / service delivery

How does the service leverage enterprise-wide shared service infrastructure? Consider the following:

  • Networking and infrastructure
    • Assess the potential network requirements and/or additional infrastructure requirements for our service, firewalls, SSL certificates/compute/storage etc. 
  • Identity federation/authentication
    • How will users access the system and will it be deployed within an identity federation?
    • Are we exposing services to our customers, how will they authenticate?
    • What are the privacy implications for customer identity management?
    • Are we publishing or consuming third-party services? How will they authorise?
  • Reporting and analytics
    • We must ensure that data is collected and mined and can be joined with disparate sources for deeper and richer enterprise-wide analytics.
  • Security incident event management SIEM
    • How do we monitor, report and prevent data loss breaches, and other security-related events?
  • Monitoring and incident support
    • Can we integrate our service into our enterprise-wide monitoring and incident management infrastructure? What constitutes an exceptional condition and how might we proactively remediate or mitigate incidents and issues? Do we have a Salesforce application strategy for application/business process level event monitoring?
  • On-boarding and off-boarding
    • Do we have complex on-boarding and off-boarding processes and will they be impacted by the introduction of the new service?

Human impact

Machine learning and artificial intelligence are increasingly integrated into commodity cloud services, and the more sophisticated and ubiquitous AI becomes, the more impact it will have. Salesforce offers its Einstein service in multiple flavours and its technology is extremely and increasingly versatile and powerful. As such, an assessment of the potential impact of AI becomes an important step in assessing overall demand.

Automated systems making intelligent decisions have major societal, legal and moral implications. Organisations must recognise this and consider unsupervised AI decision making in the context of human interactions and privacy.

Indeed, in time, we may need to broaden the DevSecOps portmanteau to DevSecPsyOps and introduce the requisite roles and disciplines across our service lifecycles. Consider how an intelligent agent interacts with a human, for example — should it have been trained in culturally appropriate interaction so as not to cause offence? 

Consider an HR system making the decision to fire an employee or a recruitment management system assessing suitability for a job application. We’ve already seen examples of biased intelligent candidate screening – these are just a handful of examples that on the surface embrace AI for efficiency gains but may result in unintended consequences.


Organisations will have differing priorities, assessment strategies and business drivers depending on the size and scope of an initiative. Once approval to proceed has been given, budgets have been allocated and resources are available, an organisation has a much better handle on the size and shape of the delivery. 

Transitioning to the Requirement to Deploy phase can allow the DevSecOps mantras of ‘people, process and tools’ to truly shine through. The iterative design, development, testing and release of quality software artefacts, where compliance is reinforced through predefined manual and automated assurance gates, can then begin with confidence.

Watch this space — up next we’ll discuss the Request to Fulfil and Detect to Correct phases of the overall service lifecycle, and how the DevSecOps approach ensures a smooth transition to ongoing service management and support.

To learn how Salesforce Architects can help you achieve your vision, download the ‘Transforming Business through Strategic and Technical Guidance’ ebook.

Download our free e-book on Transforming Business Through Strategic and Technical Guidance
Salesforce Staff

The 360 Blog from Salesforce teaches readers how to improve work outcomes and professional relationships. Our content explores the mindset shifts, organizational hurdles, and people behind business evolution. We also cover the tactics, ethics, products, and thought leadership that make growth a meaningful and positive experience.

More by Salesforce

Get the latest articles in your inbox.