
CSO Spotlight: Justin Somaini, SAP

Perhaps controversially, Somaini doesn't believe that cybersecurity is constantly changing. For him, all you need is all you've ever needed: a solid grasp on security theory and a comprehensive understanding of technology trends.


In his role as CSO at SAP, Somaini heads the SAP Global Security (SGS) unit in the board area of Products & Innovation. He is responsible for SAP’s overall security strategy, ensuring that SAP and its customers have a consistent and convenient security experience and establishing SAP as a recognized and trusted leader in the industry. In his role, Somaini develops, implements, and manages SAP’s overall policies, standards, and guidelines in accordance with the SAP Security Strategy and data protection and privacy laws worldwide. Here, he shares his career path and offers advice for aspiring security leaders.

What was your first job? My first real job was in high school in Burger King where I learned how to make amazing fries. My first security job was with PriceWaterhouse LLP in Philadelphia where I was an entry level security auditor.

How did you get involved in cybersecurity? I first got involved in cybersecurity at my PriceWaterhouse job out of college. While I was doing a lot of security audits in support of financial audits, I ended up being the lead for most of the national attack and penetration services.

Tell us about your career path. I’ve taken a few detours throughout my career. I love this industry of ours and to that point, I’ve focused on learning all aspects of it. The vendor community, the public policy, the investment, etc. With that, I’ve taken jobs to drive the GTM of security at Box, am an active advisor to security startups, have done angel investing in companies like Stackrox and SourceClear, and work with VCs on their review of companies, etc.

Was there anyone who has inspired or mentored you in your career? This is a hard one because there isn’t just one. I feel very strongly that everyone we meet has a gift to share if we are only open and engaging. So many people, in and outside of security, have opened my eyes to new ways of looking at problems and their solutions. So many have embodied what I take as critical to life such as strong moral compass, transparency, open to critical feedback, etc. I think most of all my mother has guided me the most by simply embodying the simple and consistent message throughout my life, “quit crying and get back to work”.

What do you feel is the most important aspect of your job? In what we do there is no more critical attribute of who we need to be. Our honesty, moral compass, or integrity is it for me.

What metrics or KPIs do you use to measure security effectiveness? I honestly believe that no one in our industry has figured out real KPIs. However, we do have some good Security Metrics that cover the business and security aspects of what we do. Conversion rates of the kill chain are probably the best one to determine effectiveness of the layered controls. This can be exemplified by a phishing situation where email inspection, endpoint protection, egress proxies, etc. are all layered in to identify and prevent the attack. Each one has a conversion rate of effectiveness that needs to be mapped and tuned over time. Aside from that, hurdle clearance rate of presales engagements, net promoter score (internal and customer) around security, and of course cost to core objects (people, services, customers) for overall management effectiveness.
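One way to compute the kill-chain conversion rates described above, as an added example that is not from the article or from SAP: it takes constructed outcome counts for a simulated phishing campaign and reports what fraction of attacks got past each layered control, plus the end-to-end rate. The layer names, the added "user_click" layer and the tuning threshold are assumptions for illustration.

```python
# Added example (not from the article): kill-chain "conversion rates" for
# layered phishing controls. All counts below are constructed.
from collections import Counter

# Ordered layers a phishing email must get past; names are assumptions.
LAYERS = ["email_inspection", "user_click", "endpoint_protection", "egress_proxy"]

# Constructed outcomes for 1,000 simulated phishing emails: each key is the
# layer that stopped the attack, or "success" if it got past every layer.
OUTCOMES = Counter({
    "email_inspection": 850,     # blocked by mail inspection
    "user_click": 105,           # user did not click the lure
    "endpoint_protection": 30,   # payload blocked on the endpoint
    "egress_proxy": 12,          # callback blocked at the egress proxy
    "success": 3,                # reached the attacker's infrastructure
})


def conversion_rates(outcomes, layers=LAYERS):
    """Return (per-layer pass-through rates, end-to-end conversion rate).

    A layer's conversion rate is the share of attacks that reached it and
    got past it; an attack reaches a layer only if no earlier layer stopped it.
    """
    total = sum(outcomes.values())
    reached = total
    rates = {}
    for layer in layers:
        stopped = outcomes.get(layer, 0)
        passed = reached - stopped
        rates[layer] = passed / reached if reached else 0.0
        reached = passed
    end_to_end = outcomes.get("success", 0) / total if total else 0.0
    return rates, end_to_end


def layers_to_tune(rates, threshold):
    """Layers whose pass-through rate exceeds the (assumed) tuning threshold."""
    return [layer for layer, rate in rates.items() if rate > threshold]


if __name__ == "__main__":
    per_layer, overall = conversion_rates(OUTCOMES)
    for layer, rate in per_layer.items():
        print(f"{layer:20s} pass-through {rate:6.1%}")
    print(f"end-to-end conversion {overall:.2%}")
    print("tune first:", layers_to_tune(per_layer, 0.25))
```

The product of the per-layer rates equals the end-to-end rate, which is what makes the metric useful for deciding which control to tune next.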
