
Why Salesforce’s Security Push Feels So Disjointed

By Sasha Semjonova

Cybersecurity, by nature, has to constantly evolve. Every year brings new threats and vulnerabilities, and failing to adapt hands attackers an entry point into orgs and the sensitive data they hold.

Salesforce, naturally, has to be aware of this – it is part of its commitment to the Shared Responsibility Model. However, the way the company has navigated its security strategy over the last year has come under scrutiny from the community, which has described it as chaotic and confusing. But has this been within Salesforce’s control, and what does the community want Salesforce to know?

What’s Going On With Salesforce’s Security Strategy?

June 2026 is a busy month for Salesforce customers. The CRM giant is introducing a new wave of security controls in response to an extended string of data breaches that have impacted several high-profile Salesforce customers. 

This includes MFA enforcement, restricting login IP addresses in profiles, Transaction Security Policies, and more. SF Ben author Tom Bassett has written a brilliant post summarizing all the updates to pay attention to, which you should consult if you haven’t already. 

READ MORE: Salesforce Security Roadmap 2026: What’s Changing and How to Prepare

There are quite a few updates that customers have to be aware of, with Salesforce announcing them at varying times and in various ways. Without seeing them grouped in one place, it would be difficult to work out exactly what your org requires, and it can quickly become an operational nightmare. For some customers, it already has.

‘One of the Most Chaotic Things I’ve Seen Them Do’

At the end of last month, a Salesforce user took to Reddit to share their frustrations on the matter, calling Salesforce’s recent security rollout “one of the most chaotic things [they have] seen them do.”

“Mandatory MFA for all users,” they wrote. “Phishing-resistant MFA for admins. Step-up auth on reports. Auto-containment of ‘high-risk’ connections. Email domain verification, all compressed into roughly 12 weeks, April to July 2026.”

“When goalposts keep moving this fast, it’s not just a technical problem; it erodes trust in a way that takes a long time to rebuild.”

The poster highlighted that although security was obviously a top priority, they felt like the requirements kept changing mid-rollout, referencing the scenario with IP range enforcement. 

“IP range enforcement was on the list, then quietly dropped, after consultants had already briefed their clients on it,” they wrote. “One MVP with a 20-year-old developer org got locked out, and Salesforce apparently couldn’t clearly explain why.”

READ MORE: New Salesforce President and CPO Hints at Next Steps for AI and Security

Others in the thread quickly began agreeing with the poster’s sentiments, sharing their own frustrations and how difficult these changes had been to navigate in their orgs. 

“The changing requirements mid-rollout is what really gets me,” one commenter wrote. “We had to revise our implementation plan three times because they kept adjusting what was actually required versus ‘recommended.’”

“I work for an ISV partner, and it’s been horrendous,” another wrote. “We’re having to change what we tell our customers constantly, and we’ve burned some goodwill. Or, rather, Salesforce has burned it for us.”

The scenario was perhaps best summed up by one commenter who wrote: “It feels like the decisions are being made by people who have never used Salesforce and never worked in development.”

Why the Messy Rollout?

Salesforce faces a difficult trade-off. On one hand, the company could have slowed down and taken more time to establish a robust security rollout plan, so that customers would not have to backtrack on any enforcements. On the other hand, that delay would have given threat actors more time to exploit existing weaknesses, a real concern given that there is no evidence ShinyHunters have finished their extended hacking run.

It appears that Salesforce is aware of how disruptive its security rollout has been so far. Mitch Spano, the Director of Product Management at Salesforce and the man behind the urgent CI/CD updates, openly wrote on LinkedIn that he understood “how much work goes into building and maintaining your team’s CI/CD pipelines” and that he wanted to “sincerely apologize for the disruption and friction this is going to cause […] teams.”

READ MORE: Urgent Salesforce Security Update Will Break Your CI/CD Unless You Act Now

For customers actually having to work with these enforcements, Mitch’s sentiments may not be enough. The rollout has already led to tension between ISVs and clients, confusion within teams, and a growing sense of uncertainty around Salesforce. However, it is also worth asking at this stage which outcome is preferable: the friction, or a potentially catastrophic data breach?

Final Thoughts

It is safe to say that Salesforce’s recent security rollout has not been as smooth as it could have been. The community is clearly aware of this and is openly speaking out, hopefully providing Salesforce with some pointers for the future.

However, it is important to remember that when vulnerabilities are present, time is of the essence. With this in mind, hopefully, Salesforce can work with its customers to ensure future rollouts are communicated further in advance, if possible, and establish a timeline that is not at risk of such sudden changes. 

The Author

Sasha Semjonova

Sasha is the Salesforce Reporter at Salesforce Ben.
