Secret CSO: Justin Somaini, SAP

"I honestly believe that no one in our industry has figured out real KPIs. However, we do have some good Security Metrics that cover the business and security aspects of what we do..."

Name: Justin Somaini

Company: SAP

Job title: CSO

Time in current role: 2 years

Location: Palo Alto, CA

Education: I received a B.S. degree in MIS from Drexel University


Justin Somaini, CSO at SAP, heads the SAP Global Security (SGS) unit in the board area of Products & Innovation. With more than 17 years of information security experience, he is responsible for SAP’s overall security strategy. In his role Somaini develops, implements, and manages SAP’s overall policies, standards, and guidelines in accordance with the SAP Security Strategy, as well as ongoing SAP security initiatives to keep pace with the emerging international IT and cyber security environment and with data protection and privacy laws worldwide.

What was your first job? My first real job was in high school at Burger King, where I learned how to make amazing fries. My first security job was with PriceWaterhouse LLP in Philadelphia, where I was an entry-level security auditor.

How did you get involved in cybersecurity? I first got involved in cybersecurity at my PriceWaterhouse job out of college. While I was doing a lot of security audits in support of financial audits, I ended up being the lead for most of the national attack and penetration services.

Explain your career path. Did you take any detours? If so, discuss. I’ve taken a few detours throughout my career. I love this industry of ours and, to that point, I’ve focused on learning all aspects of it: the vendor community, the public policy, the investment, etc. With that, I’ve taken jobs to drive the GTM of security at Box, am an active advisor to security startups, have done angel investing in companies like Stackrox and SourceClear, and work with VCs on their review of companies, etc.

Was there anyone who has inspired or mentored you in your career? This is a hard one because there isn’t just one. I feel very strongly that everyone we meet has a gift to share if we are only open and engaging. So many people, in and outside of security, have opened my eyes to new ways of looking at problems and their solutions. So many have embodied what I take as critical to life, such as a strong moral compass, transparency, openness to critical feedback, etc. I think most of all my mother has guided me the most by simply embodying the simple and consistent message throughout my life, “quit crying and get back to work”.

What do you feel is the most important aspect of your job? Integrity. In what we do there is no more critical attribute of who we need to be. Our honesty, moral compass, or integrity is it for me.

What metrics or KPIs do you use to measure security effectiveness? I honestly believe that no one in our industry has figured out real KPIs. However, we do have some good Security Metrics that cover the business and security aspects of what we do. The conversion rate of the kill chain is probably the best one to determine the effectiveness of the layered controls. This can be illustrated by a phishing situation where email inspection, endpoint protection, egress proxies, etc. are all layered in to identify and prevent the attack. Each one has a conversion rate of effectiveness that needs to be mapped and tuned over time. Aside from that, hurdle clearance rate of presales engagements, net promoter score (internal and customer) around security, and of course cost to core objects (people, services, customers) for overall management effectiveness.
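As an added illustration of the kill-chain conversion metric described in this answer (example code, not from the interview or from SAP), the script below runs constructed phishing telemetry through the three layers named above, computes each layer's attacker conversion rate in order, and picks the layer to tune first; the layer names, the event format and the sample counts are all assumptions.

```python
# Added example: kill-chain conversion rates for layered phishing controls.
# Layer names, event format and sample counts are constructed for illustration.
from collections import Counter

# Ordered defensive layers a phishing attempt must get past, outermost first.
LAYERS = ("email_inspection", "endpoint_protection", "egress_proxy")


def expand(counts):
    """Build one event per attempt from (stopped_by, count) pairs; None = got through."""
    return [{"stopped_by": layer} for layer, n in counts for _ in range(n)]


# Constructed sample telemetry: 20 phishing attempts and the layer that stopped each.
SAMPLE_EVENTS = expand([("email_inspection", 12), ("endpoint_protection", 5),
                        ("egress_proxy", 2), (None, 1)])


def conversion_rates(events, layers=LAYERS):
    """Per-layer attacker conversion: share of attempts reaching a layer that pass it.

    Returns {layer: {"reached", "stopped", "conversion"}, "end_to_end": rate}.
    A high conversion rate means the layer lets most of what reaches it through.
    """
    stopped_at = Counter(e["stopped_by"] for e in events)
    unknown = set(stopped_at) - set(layers) - {None}
    if unknown:
        raise ValueError(f"events stopped by unknown layer(s): {sorted(unknown)}")
    total = len(events)
    remaining = total  # attempts still alive when they hit the current layer
    stats = {}
    for layer in layers:
        stopped = stopped_at[layer]
        passed = remaining - stopped
        stats[layer] = {"reached": remaining, "stopped": stopped,
                        "conversion": passed / remaining if remaining else 0.0}
        remaining = passed
    # Fraction of all attempts that cleared every layer (the attacker's overall win rate).
    stats["end_to_end"] = remaining / total if total else 0.0
    return stats


def tuning_target(stats, layers=LAYERS):
    """Layer with the highest conversion rate: the first candidate for tuning."""
    return max(layers, key=lambda layer: stats[layer]["conversion"])


if __name__ == "__main__":
    s = conversion_rates(SAMPLE_EVENTS)
    for layer in LAYERS:
        print(f"{layer:20s} reached={s[layer]['reached']:3d} conversion={s[layer]['conversion']:.2f}")
    print(f"end-to-end conversion={s['end_to_end']:.2f}, tune first: {tuning_target(s)}")
```

Re-running the calculation on each period's telemetry and tracking the per-layer rates over time is the "mapped and tuned" part of the metric.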

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? No, I’m not a big believer that a “skills shortage” is an external problem. As long as I’ve been in security we’ve always had a hard time hiring external people with the skills we need. To that point, it then turns into a different problem. I see it as a “we are not developing security people” problem. So hiring good technologists and having an internal development capacity is how I approach it which enables us to have much better velocity.

Cybersecurity is constantly changing – how do you keep learning? I don’t think security is constantly changing. Perhaps at a micro level if we want to track each unique 0-day. For me, it’s having a solid hold on security theory, having an understanding of the meta business and technology trends, and then proactively planning those overall strategic themes to guide the teams. 

What is the best current trend in cybersecurity? The worst? I see a deep maturity of security to create the “security services” to drive centralization of core controls across our enterprises. Identity & Auth, Crypto, Logging and Analytics, etc. While the controls aren’t new, our landscapes have dramatically changed and placed a huge need for our teams to become actual development organizations to create and deploy those capabilities vs. purchasing vendor solutions.

The worst trend, which isn’t new, is the overall destruction of our focus on actual security. This is done via security vendors trying to create a business and market for themselves when one shouldn’t really exist. Ultimately this creates confusion in the security practitioners’ minds on what to focus on and erodes their security advancement. While security vendors are a critical component to us solving our security problems, it has become a “big business” over the past.

What's the best career advice you ever received? “You have two ears and one mouth for a reason”.

What advice would you give to aspiring security leaders? “You’re in a negative unemployment industry, take a risk”.

What has been your greatest career achievement? The long-term ability to see people that have worked with me accomplish great things.

Looking back with 20:20 hindsight, what would you have done differently? I would have taken bigger risks early. Become more involved in the community early.


What conferences are on your must-attend list? RSA and Black Hat are my two core conferences, but mostly to see the key people that I need to see once a year. I usually engage with people directly and have smaller groups of information sharing as opposed to going to conferences.

What is your favorite quote? “Be the change that you wish to see in the world” – Mahatma Gandhi

What are you reading now? Fahrenheit 451

In my spare time, I like to… Play games, movies, be with kids, and build new systems

Most people don't know that I… Am still active in penetration testing

Ask me to do anything but… Organize my schedule