A quiet crisis is haunting the Salesforce ecosystem. The ShinyHunters hacking campaign of last year saw a swathe of big-name Salesforce customers falling prey to voice phishing attacks, and a critical severity vulnerability chain in Agentforce, known as ‘ForcedLeak’, was discovered.
These events highlighted how security should be at the forefront of every admin’s mind. But the SF Ben Admin Survey 2026 has revealed a startling statistic: among our respondents, 42% rated ‘security management’ as the skill they were least confident in.
Security was the clear frontrunner. The figure for the second most popular answer, ‘designer’s mindset’, was 27.5%. Note: Respondents could choose multiple options.
The findings highlight a powerful challenge to the Salesforce ecosystem: security is a board-level concern, but many professionals responsible for ensuring it are feeling underprepared – at a time when it’s never been so important.
However, the silver lining here is that admins who are confident in security skills may have a keen competitive edge in the job market. If a skill is both important and uncommon, it becomes a differentiator. Let’s take a look at why security skills could be this year’s hottest pick in the Salesforce job market.
It’s Not Like Learning a New Feature
New Salesforce features can be grasped through experimentation, trial and error, and practice. Everybody makes mistakes during their careers, and some degree of not getting it right is simply part of the learning experience.
Security is different, though. Mistakes have severe, immediate, and oftentimes irreversible consequences. And when something goes wrong – even if it’s something which is the collective responsibility of the whole business – someone has to take the blame for it.
The learning curve can feel intimidating, especially when we consider how Salesforce security has become increasingly sophisticated over time. Salesforce is 27 years old now, and admins need to keep up with the latest developments constantly.
To highlight the point, Salesforce recently sent out “action required” security emails explaining that multi-factor authentication (MFA) was becoming mandatory for all users, with enforcement beginning in June 2026.
Additionally, Salesforce is now requiring a higher bar for anyone with a System Administrator profile or equivalent permission set – a phishing-resistant MFA.
Modern admins are expected to know so much more, and for many of those who entered the ecosystem through declarative development, rather than a cybersecurity background, this can feel intimidating. So what is to be done?
How Security Can Make You Stand Out
When nearly half of your profession identifies security as a weak point, admins with genuine expertise immediately stand out. Automation, AI, and Agentforce are at the forefront of everything Salesforce at the moment, and the ecosystem is getting to grips with these areas, which, Salesforce assures us, are the future.
But security concerns will never go away. If anything, with AI becoming more embedded in people’s daily workflows – and personal lives – this could present new attack vectors for malicious actors.
Salesforce orgs are becoming larger, more interconnected, and more dependent on data. So too does AI introduce some interesting questions around security and possible new threats to businesses.
In September last year, a vulnerability in Agentforce, which could let external attackers exfiltrate sensitive CRM data, was exposed by Israeli cybersecurity startup Noma Security. They announced on September 25 that they had discovered a “critical severity vulnerability chain” in Salesforce’s AI product.
The vulnerability took advantage of ‘indirect prompt injection’, when an attacker embeds malicious instructions in data that will later be processed by the AI when legitimate users interact with it. Salesforce was notified of the vulnerability, and the CRM giant acted immediately to investigate – and later released patches that prevent output in Agentforce agents from being sent to untrusted URLs.
AI skills are in demand, so security skills should benefit from a rising tide effect. For hiring managers, a candidate with confidence around governance, permission architecture, MFA enforcement, and security reviews brings something valuable and, according to our data, rare.
As Salesforce environments become larger and more integrated with other applications, businesses will need professionals who can make sure the solutions being built are secure.
So, Where Should Salesforce Admins Start?
I spoke to Salesforce MVP and SF Ben Technical Content Lead, Christine Marshall, to get her advice for Salesforce Admins looking to strengthen their security posture. She highlighted three key areas that every Admin should focus on when building strong security foundations:
“If you’re looking to build your Salesforce security skills, it really helps to start with three foundational concepts that everything else tends to build on.
“The first is Salesforce’s Shared Responsibility Model. It’s easy to assume security is something ‘Salesforce handles,’ but that’s only part of the picture. Understanding where Salesforce’s responsibility ends and where yours begins is key to making better, safer configuration decisions day to day.
“From there, the Principle of Least Privilege is essential. In practice, this means users should only ever have the access they genuinely need to do their job, and nothing more. It sounds simple, but in reality, it’s one of the most common areas where orgs drift over time, often unintentionally, and end up with the dreaded “permission creep”.
“And finally, there’s Zero Trust. Rather than assuming anything or anyone should be trusted by default, Zero Trust is about continuously verifying access and tightening controls wherever possible. It’s a mindset shift as much as a technical one, but it’s becoming increasingly important as orgs grow in complexity.
“If you focus on those three areas – Shared Responsibility, Least Privilege, and Zero Trust – you’ll build a much stronger baseline for Salesforce security, and you’ll be in a far better position to spot risks before they become problems.”
Christine also emphasised that Salesforce already provides built-in tools that can help admins quickly assess their org’s current security posture and identify quick wins to improve security straight away:
“Salesforce Health Check is one of the quickest and most practical ways Admins can get a clear view of their organisation’s security posture. It helps you move beyond assumptions and instantly highlights areas where your org is falling short of best practice. More importantly, it gives you a set of actionable quick wins, so you can start tightening security straight away, rather than waiting for a major audit or incident to expose the gaps.”
Resources:
- Salesforce Shared Responsibility Model: What It Means for Salesforce Admins
- Salesforce Admins: How to Implement the Principle of Least Privilege
- A Practical Guide to Implement Zero Trust for Salesforce Admins
- Is Your Salesforce Org Actually Secure? Use Health Check to Find Out
Final Thoughts: Fill the Confidence Gap
Are admins lacking security skills, or just confidence? We might consider for a moment that, as knowledge increases, confidence in security might actually drop. There’s a well-known pop psychology phenomenon known as the Dunning-Kruger effect, where people with limited knowledge of a topic overestimate their own skills.
It’s a curious thought experiment, but in any case, not knowing enough about security and feeling like you don’t know enough about security because of just how much danger exists are similar crises. And when admins are not showing confidence in a certain area, that means the admin who can confidently discuss these topics and display them on their resume will stand out.
