Government , Industry Specific , Video

Profiles in Leadership: Shannon Lawson

Phoenix CISO on Navigating the Public Sector Security Landscape
Shannon Lawson, CISO and ACIO, city of Phoenix

Governance issues for public sector CISOs tend to focus more on shifting culture rather than maximizing efficiency for shareholders, as is expected from private sector security leaders.

See Also: Post-Transformation: Building a Culture of Security

The heightened visibility of an incident means municipal CISOs must ensure due diligence around procurement and deployment, so they can effectively explain their processes and answer questions from the city council in the event of a security incident, according to city of Phoenix CISO Shannon Lawson. He says effective security leaders can translate technical protection requirements into business terms that someone with an MBA can understand (see: Atlanta's Reported Ransomware Bill: Up to $17 Million).

"I've seen other CISOs try to pretend they know things that they don't," Lawson says. "One thing that distinguishes me from other security leaders is that I know where my technical limitation is, and I'll ask other members of the security department to explain something to me, walk me through it. And they appreciate that, and I appreciate them."

In an interview with Information Security Media Group as part of the CyberEdBoard's ongoing Profiles in Leadership series, Lawson talks about:

  • How to translate security requirements into business terms;
  • The areas of cybersecurity he's most passionate about;
  • Advice for aspiring CISOs or those entering the profession.

Lawson is responsible for the information security and privacy programs for the fifth-largest city in the United States, which contains more than 30 city departments that service the needs of 1.7 million residents. Prior to coming to Phoenix, as the inaugural CISO for the state of Alaska, he was chosen to prepare and lead an aggressive security modernization program to help the state improve its information security posture. Lawson's previous positions include director of cybersecurity at the Naval Information Warfare Systems Command, command information assurance manager for Naval Information Warfare Center Pacific, roles at Asugar Technologies and SAIC, and membership on the National Security Agency's Red Team. He also served in the U.S. Navy as a cryptologic technician and an information warfare officer.

CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.

Join the Community - CyberEdBoard.io.

Apply for membership


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.