For Salesforce’s head of security, it’s all about trust
Share!
Salesforce chief trust officer Brad Arkin has been a security executive for over a decade with stints as chief security officer at Adobe and chief security and trust officer at Cisco before joining Salesforce at the end of 2023. Arkin has seen the security role evolve along with his title. At Salesforce, it’s about creating an atmosphere of trust both internally and externally, hence the title.
But Arkin says that regardless of what you call it, the job scope has been nearly identical across the three companies where he’s worked. That includes basic IT security, such as ensuring employee laptops are protected. It also means safeguarding the products they sell and the data stored within them to the extent possible. In addition, there’s a focus on governance, risk, and compliance. Finally, the role encompasses detection and response — monitoring for attacks on both the company’s systems and its products.
“Sometimes when [company CEO] Marc Benioff introduces me to someone, he'll refer to me as ‘the CISO,’ and so that's definitely within the scope of what I'm working on,” he said.
Regardless, Arkin certainly has a comprehensive set of responsibilities at a company that has a market cap of almost $275 billion, generated over $37 billion in revenue last year and employs 76,000 people around the world. But it takes more than pure technical chops to be a security executive. It takes the ability to communicate to a broad set of constituents that includes stakeholders inside of Salesforce, partners and customers.
Arkin says that his ability to communicate with everyone is a key part of his job. He has to tell the stories, good and bad and let people know what’s going on. “This is where trust comes in. If I did an amazing job at delivering security, but the outside world knew nothing about it, I wouldn't have succeeded because security plus awareness and understanding is what makes you feel safe,” he said.
Policing AgentForce
Arkin was at the company just eight months when it introduced its agentic AI platform called AgentForce (agents are software capable of taking a series of autonomous actions). Like his Salesforce colleague, CIO Juan Perez, whom we interviewed last year, Arkin has to work with folks inside Salesforce along with customers.
“I have a dual responsibility at Salesforce: one is that I have to push for Salesforce and the Salesforce platform, and I have to make sure that I take my responsibility as ‘customer zero’ very seriously,” Perez told FastForward.
Similarly, Arkin’s team is working with the product teams to make sure they are architecting AI solutions in a way that’s secure. “My team partners with engineering to make sure we're building agentic technology in a way that's going to allow customers to succeed with the security outcomes that they need to feel confident rolling out AgentForce solutions,” he said.
He said that could involve building the agents in such a way to foil any of the myriad of possible AI security problems such as data poisoning, prompt injection attacks, privilege escalation, malicious code generation and data leaks.
As Salesforce employees start playing with communications protocols like MCP (model context protocol) to help agents communicate with APIs, he needs to be sure when they are downloading MCP servers, they are safe, but it doesn’t end there.
Putting agents to work at Salesforce
Like Perez, his CIO colleague, Arkin likes to put Salesforce tools to work to help make his staff more productive. He used the example of an incident response agent, which provides Arkin with the information he needs to understand the scope of an incident. Instead of interrupting busy analysts for updates, he now asks the agent, which reviews the case notes, builds timelines and summarizes progress.
“It’s like talking to somebody who’s sitting in the SOC (security operations center), who's working on the case, except me interacting with the agent isn’t distracting my staff from something they should be doing.”
My team partners with engineering to make sure we're building agentic technology in a way that's going to allow customers to succeed with the security outcomes that they need to feel confident rolling out AgentForce solutions,
He said prior to this, when he first came on the job, he would ask his team for an update on any incidents that happened overnight, and they would stop working to pull the information together for him. “They would stop everything to schedule a meeting. They would do a prep meeting to get ready for the meeting, all just to give me a routine update,” Arkin said.
It’s a good example of how querying a large language model, rather than interrupting his team, can improve the flow of work inside a company.
How startups fit in Salesforce’s approach to security
As we’ve learned, to a large extent, AI security is being developed on the fly, and that means companies like Salesforce, working with large enterprise companies, must look to external vendors to help them stay free from harm. Sometimes those vendors will be startups. Arkin indicated that while his company works with startups, they have a very deliberate review process, especially when it comes to security.
“With any vendor, whether they're small or big, we look at their problem definition, and is this a compelling problem for something that we're dealing with? And then what is their proposed solution? Does it fit together and make sense? And do we think it might work,” he said.
If the answer to all those questions is yes, then they might begin a pilot phase with startups where they start by using it in a controlled lab environment. If it passes that stage, it will move into a proof of value, proof of concept project, and they’ll see how it does in a more real-world context.
“At any point, if it fizzles, then we give up and provide them with feedback like come back in a year or we're done talking. But if it keeps doing well, then we might go from a pilot to becoming a paying customer,” he said.
For a company as large and influential as Salesforce, AI is not just an operational imperative, it is central to the company’s product strategy and future growth. In his role as chief trust officer, Arkin's job is to ensure that every aspect of this process is safe, secure and worthy of trust.
Featured photo courtesy of Salesforce
