Q&A: SAP Chief Security Officer On The Evolving Role Of The CISO And Changing Security Buying Patterns

The Evolving Role Of The CISO

Justin Somaini has led the security practices as chief security officer and chief trust officer at a variety of top tech companies, including Box, Yahoo, Symantec, Verisign and Charles Schwab. Now, Somaini is leading SAP's security strategy as CSO, including security for the company's products, physical security and internal security. In an interview with CRN, Somaini spoke about the evolving role of the chief information security officer in today's security landscape. Take a look at what he had to say about the changing role and what it means for how the company engages with the channel.

How have you seen the role of the CISO changing throughout your career?

In the early days of security [it was about the] technical administration of firewalls and vulnerability management, and things along those lines. The [compliance regulations] really came into play and drove a huge compliance arm. These are the main trends, with varying degrees of time frames for companies. … We also had a threat landscape shift about eight years ago which dramatically forced a shift on security teams on how we engage law enforcement, how we do more operational takedowns of malicious individuals inside of companies, etc. Then we saw the whole Snowden effect, which … [pushed] the security topic from our vantage point up into the board and CEO level. … That really changed the conversation and tonality of the security topic inside of companies and really empowered a lot of us to move the needle of our security posture and stance across the deck. It is incredibly complex when you look at public policy, law enforcement, privacy, to dealing with the threat landscape from nation states to organized crime. [Add those to] the legacy issues of insider threats and malware. It has just blossomed and exploded in complexity year over year, and more exponentially than anything else. The skill set has had to expand quite rapidly.

Is the job of a CISO easier or harder than it used to be?

Some things stayed the same. I think in security there is always a technical aspect to it that will always be there in regards to the technologies you have and what you need to do. But probably one of the biggest challenges that a CISO, CSO or leader of security really is tasked [with] is driving culture change in the company to ensure that security is deeply embedded into the DNA of each and every employee and anyone that works in the company.

Historically, that has been hard and difficult, but nowadays it's a lot easier when you have board members, CEOs, and the executive leadership team asking questions, being curious, and engaged. Obviously, everyone says it's important but when you ask for something, that's when the real rubber meets the road. Nowadays because it's top of mind they are jumping in with both feet and absolutely engaging with those resources that they expect to be provided. It's a lot easier in those regards to drive culture change, but cultural change unto itself is challenging and difficult.

Do you see more budget being allocated to security than in years past?

[Security spending percentages are] probably fairly healthy when you look at it. There are a lot of shades of gray for each and every company. … I think budgets are more readily available nowadays than they were 10 years ago and especially before that. The real question is: Where is that money going? That gets into the maturity of the security practitioner that is looking to spend things: Are they just spending money on what just came across their desk that week, or is that a really good, mature security program that is risk-based and identifying the threats, issues, and adding a deep analytics approach or critical thought around the technologies? … I think that, while budgets are freed up, the security maturity is slowly progressing as well. But I think that is something that we continuously struggle [with] in the industry. But we're getting much, much better than we were before.

What keeps you up the most at night as a CISO?

Nothing really keeps me up at night, quite honestly. The biggest things that really keep me up are if I feel at any point that the company isn't taking this seriously. I'm pretty darn confident that whatever the challenge that comes and whatever issues – or God forbid there is a significant incident – we can get through those, manage it, and come out the other end better, wiser and more mature. If the company itself, each and every employee, quite honestly starts to think that security isn't important, that becomes a significant challenge.

Of course, there are other things, too, in regard to the adversaries who are more mature and understanding and more damaging than we know. … Those things are incredibly stressful for all of us, which is why we have a significant amount of focus around IoT security, our applications that support health-care systems, or some of the other critical infrastructure and critical customers and how they apply SAP to those solutions and the businesses that they have. … How our systems could be maliciously used is something that is incredibly top of mind for us.

Is product security a key concern for you since SAP is so broadly used by enterprises?

Absolutely. We do a lot of things and when you look at my entire team, the vast majority of people … are focused on product security. Quite honestly out of a lot of companies I've seen in my career before coming to SAP, they have probably hands down the most mature application security program that I have ever seen. That was great to see. We use nearly every tool under the sun, every product, and a risk management approach, but really it comes down to the people in this regard and every engineer. I have been very impressed. That doesn't mean we are perfect and obviously there are a lot of things that any company needs to do and continue to improve, but we have a very solid, good base to handle any challenge that comes across. … There is no question: If we didn't feel like we had a target on our back, we probably should not have this job. We should not be doing this job. There is no doubt that this is how any security person feels, but definitely for me and my team it keeps us motivated and keeps our eye on the ball and not be complacent.

A lot of solution providers talk about the challenge of the security talent shortage – do you see that challenge as well?

I've been doing security my entire career. I don't think I've ever had a point where there's enough people. Sure, we can make the statement that there is a talent shortage. I don't think there will ever be a time in history where that statement wouldn’t be made.

The real question is: What are you doing about it? For us, and my focus for at least 10 to 12 years is: How do we take in people with the right components? The components are: they need to have a strong moral compass, they need to have a good technical base, they need to be deeply curious as a characteristic. Bring them in, and I can teach them security, but they have to have those three things. I need to be able to trust you because our customers and our employees do the same. They need to not settle for an answer that is just given to them on the screen -- they need to constantly investigate and second-guess themselves on things. … You look for personality traits that really are successful in what we do. A second layer of understanding business models and having the ability to relate, have empathy and communication skills is absolutely key.

Do you have any examples of where you've built security talent successfully?

There are internships that we do pretty consistently to identify good, solid talent. Usually there [are individuals who are] one to two years out of university, where they have some working experience, and then [we pull] them in and [send] them through a year-and-a-half rotation team. We have physical security, we have a governance risk and orchestration organization, incident response, product security, infrastructure security. We send them through rotations to learn all the different characteristics and some of their personal interests might lie in one area versus another. We are trying to hit that match by exposing them to what security really is. We are looking to find what is deeply interesting to them and then unleashing them onto the problem working with the team. … If you're able to have the right people working with each other, it's probably one of the most powerful retention tools that you have because people are working with other people that are deeply passionate about it as well, and it just builds from there.

How do you balance between your own internal security capabilities and outsourcing it to a solution provider or MSSP?

I think there are multiple components where outsourcing can occur. Generally, as a rule we need to be thoughtful about what we're doing before we do it … [and] if we feel it will better our security model or is it just us shoving something off for financial benefit. … To that point, there are a lot of things that we feel because of our complexity and our size and our customer base, it becomes a big challenge for a third party to come into this when they're managing a lot of other customers or clients. That's probably one of the main hurdles. … There is one area where we will outsource basic functional execution specifically to an outsourcer who has deep understanding of SAP just because of overall company-to-company relationships. We gained that comfort of their understanding our environment, their orchestration, and our behavior as a company. … Generally, it's not just outsourcing a function. It's about making us better, not just financially. Financially is usually a third benefit or a third question after how is this better and how does this benefit our employees from a security standpoint.

Where do you see your role of CISO transforming to in five years?

Probably the best indication that we see out of [the finance industry], where they kind of broke apart into a chief risk officer role and a CISO, a technical security role. … It's not as much limiting anything out of the CISO role, but it's really about how do we take security and mature the risk management components of it to truly where it needs to be. One of the biggest things we struggle with in the industry that everyone struggles with is everyone talks about risk management but it's still very poorly done. … I do see that being one of the future hurdles we need to overcome for our maturity.

I do also see more pronounced relationships, understanding and involvement around the globe, whether it's Europol, Interpol or domestically with the FBI. … That is another continuous progression that we will see and it must include practitioners of the CISOs.

How much further do you see the industry having to come from a maturity perspective?

I've been doing security for a long time and as an industry we have grown rapidly, but we're only about 20 years old. … Any of the industries, whether you look at legal, medical, political, have long, long histories of maturity and growth as an industry. I think we're in the very beginning stages of cybersecurity. While we have grown very rapidly, we have a lot more maturity to go through as new challenges come up and new integrations of systems and technologies and politics [emerge]. We see that with privacy. … That's a very fluid landscape and I would definitely put that into the cybersecurity bucket as to how data is protected, whether it's for privacy reasons or for data protection reasons. And, the maturity of the customer. There is a long way to go, but I couldn’t be happier to be in an industry that is probably having one of the most significant impacts on one of the most significant risks that we have in our generation. It's very exciting to me, and I'm excited to see where we go from here.