From the top

CSO Spotlight: Justin Somaini, SAP

Perhaps controversially, Somaini doesn't believe that cybersecurity is constantly changing. For him, all you need is all you've ever needed: a solid grasp on security theory and a comprehensive understanding of technology trends.


In his role as CSO at SAP, Somaini heads the SAP Global Security (SGS) unit in the board area of Products & Innovation. He is responsible for SAP’s overall security strategy, ensuring that SAP and its customers have a consistent and convenient security experience and establishing SAP as a recognized and trusted leader in the industry. In his role, Somaini develops, implements, and manages SAP’s overall policies, standards, and guidelines in accordance with the SAP Security Strategy and data protection and privacy laws worldwide. Here, he shares his career path and offers advice for aspiring security leaders.

What was your first job? My first real job was in high school at Burger King, where I learned how to make amazing fries. My first security job was with PriceWaterhouse LLP in Philadelphia, where I was an entry-level security auditor.

How did you get involved in cybersecurity? I first got involved in cybersecurity at my PriceWaterhouse job out of college. While I was doing a lot of security audits in support of financial audits, I ended up being the lead for most of the national attack and penetration services.

Tell us about your career path. I’ve taken a few detours throughout my career. I love this industry of ours and to that point, I’ve focused on learning all aspects of it. The vendor community, the public policy, the investment, etc. With that, I’ve taken jobs to drive the GTM of security at Box, am an active advisor to security startups, have done angel investing in companies like Stackrox and SourceClear, and work with VCs on their review of companies, etc.

Was there anyone who has inspired or mentored you in your career? This is a hard one because there isn’t just one. I feel very strongly that everyone we meet has a gift to share if we are only open and engaging. So many people, in and outside of security, have opened my eyes to new ways of looking at problems and their solutions. So many have embodied what I take as critical to life, such as a strong moral compass, transparency, openness to critical feedback, etc. I think most of all my mother has guided me the most by simply embodying the simple and consistent message throughout my life: “quit crying and get back to work”.

What do you feel is the most important aspect of your job? In what we do there is no more critical attribute of who we need to be. Our honesty, moral compass, or integrity is it for me.

What metrics or KPIs do you use to measure security effectiveness? I honestly believe that no one in our industry has figured out real KPIs. However, we do have some good security metrics that cover the business and security aspects of what we do. Conversion rates of the kill chain are probably the best one to determine the effectiveness of the layered controls. This can be illustrated by a phishing situation where email inspection, endpoint protection, egress proxies, etc. are all layered in to identify and prevent the attack. Each one has a conversion rate of effectiveness that needs to be mapped and tuned over time. Aside from that, hurdle clearance rate of presales engagements, net promoter score (internal and customer) around security, and of course cost to core objects (people, services, customers) for overall management effectiveness.
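As an added illustration of the kill-chain conversion-rate metric described in that answer (example code written for this page, not from the interview or from SAP), the script below treats a phishing campaign as a funnel and computes, for each layered control, how many attacks "converted" past it. The stage names, the mapping of controls to funnel transitions, and the campaign counts are all constructed assumptions.

```python
from collections import Counter
from typing import Dict, List

# Funnel stages a phishing email passes through (constructed names). Each
# transition is guarded by one of the layered controls the interview names;
# which control guards which transition is an assumption for this example.
STAGES = ["sent", "delivered", "clicked", "executed", "beaconed", "compromised"]
CONTROL_BEFORE = {
    "delivered": "email inspection",   # stops mail before it reaches the inbox
    "executed": "endpoint protection", # stops the payload after a click
    "beaconed": "egress proxy",        # stops the callback after execution
}


def reach_counts(last_stages: List[str]) -> Dict[str, int]:
    """Cumulative funnel: how many emails reached each stage at all."""
    idx = {s: i for i, s in enumerate(STAGES)}
    reached: Counter = Counter()
    for last in last_stages:
        for stage in STAGES[: idx[last] + 1]:
            reached[stage] += 1
    return {s: reached[s] for s in STAGES}


def conversion_rates(last_stages: List[str]) -> Dict[str, float]:
    """Fraction of emails at each stage that advanced to the next stage."""
    counts = reach_counts(last_stages)
    rates = {}
    for prev, nxt in zip(STAGES, STAGES[1:]):
        rates[nxt] = counts[nxt] / counts[prev] if counts[prev] else 0.0
    return rates


def control_effectiveness(last_stages: List[str]) -> Dict[str, float]:
    """Per-control block rate: 1 minus the conversion across the transition it guards."""
    rates = conversion_rates(last_stages)
    return {ctl: round(1 - rates[stage], 3) for stage, ctl in CONTROL_BEFORE.items()}


def end_to_end_compromise_rate(last_stages: List[str]) -> float:
    """Residual risk after all layers: compromised / sent."""
    counts = reach_counts(last_stages)
    return counts["compromised"] / counts["sent"]


# Constructed campaign record: 1000 emails, each tagged with the last stage it reached.
SAMPLE = (["sent"] * 600 + ["delivered"] * 250 + ["clicked"] * 100
          + ["executed"] * 40 + ["beaconed"] * 8 + ["compromised"] * 2)

if __name__ == "__main__":
    print(control_effectiveness(SAMPLE))
    print(end_to_end_compromise_rate(SAMPLE))
```

Tracking these per-layer rates over successive campaigns (real or simulated) is what makes the tuning the answer describes measurable: a drop in one layer's block rate shows up as a rise in the next layer's inbound volume before it shows up as a compromise.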

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? No, I’m not a big believer that a “skills shortage” is an external problem. As long as I’ve been in security we’ve always had a hard time hiring external people with the skills we need. To that point, it then turns into a different problem. I see it as a “we are not developing security people” problem. So hiring good technologists and having an internal development capacity is how I approach it which enables us to have much better velocity.

Cybersecurity is constantly changing – how do you keep learning? I don’t think security is constantly changing. Perhaps at a micro level, if we want to track each unique 0-day. For me, it’s having a solid hold on security theory, having an understanding of the meta business and technology trends, and then proactively planning those overall strategic themes to guide the teams.

What is the best current trend in cybersecurity? The worst? I see a deep maturity of security to create the “security services” to drive centralization of core controls across our enterprises. Identity & auth, crypto, logging and analytics, etc. While the controls aren’t new, our landscapes have dramatically changed and placed a huge need for our teams to become actual development organizations to create and deploy those capabilities vs. purchasing vendor solutions.

The worst trend, which isn’t new, is the overall destruction of our focus on actual security. This is done via security vendors trying to create a business and market for themselves when one shouldn’t really exist. Ultimately this creates confusion in security practitioners’ minds about what to focus on and erodes their security advancement. While security vendors are a critical component to us solving our security problems, it has become a “big business” over the past.

What's the best career advice you ever received? “You have two ears and one mouth for a reason”

What advice would you give to aspiring security leaders? “You’re in a negative unemployment industry, take a risk”

What has been your greatest career achievement? The long-term ability to see people that have worked with me accomplish great things.

Looking back with 20/20 hindsight, what would you have done differently? I would have taken bigger risks early and become more involved in the community early.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact

Copyright © 2018 IDG Communications, Inc.
