But Mr. Lawson is not your typical major city CISO. His career includes several leadership roles in cybersecurity with the U.S. Navy and a stint as the first CISO for Alaska. He holds an MBA from Utica College, as well as several certifications and credentials that demonstrate a deep business and technical acumen.
I first met Shannon when he was heading to Alaska, and it was clear that he was prepared and ready for the challenges ahead. His knowledge and confidence are clearly strong attributes that guide his decisive approach to leading security teams, and he has been recognized as a top government security leader by several organizations.
I was delighted when Shannon agreed to this interview, and I am sure that his insights can and will help many around the world in their cyberbattles.
Interview Between Shannon Lawson, Phoenix CISO, and Dan Lohrmann
Dan Lohrmann (DL): You have held several security leadership positions at the federal, state and local levels. Can you describe differences you’ve seen in different government leadership roles?
Shannon Lawson (SL): I have held positions within the federal government in both the intelligence community and the military. I have also been the CISO at the state of Alaska and with the city of Phoenix. The biggest difference that I experienced between the three is the autonomy in determining risk tolerance and follow-on activity to improve the security posture. As a member of the intelligence community at a particular agency, my role involved testing other military and federal departments' security. With SPAWAR (now NIWC), we were customers of the corporate Navy-Marine Corps Intranet. My role at SPAWAR was to help ensure the security of R&D labs, as well as help keep the security focus on various warfare programs in development. At the state of Alaska and city of Phoenix, our destiny is absolutely in our hands, limited by personnel and financial resources. Phoenix takes its security seriously and has aggressively pursued a much more forward-leaning security posture. City leadership looks to the CISO and my staff to help guide those risk-based decisions that are aligned to city goals.
DL: Tell us about a few of the top challenges you’ve faced in 2020 in Phoenix regarding technology and cybersecurity as a result of COVID-19. How did you overcome those issues?
SL: COVID-19 really presented some interesting challenges. First, the city had to work out teleworking/remote work for a significant portion of employees. Remote work was not adopted across the city as it had been in the federal government, and therefore we hit the same kinds of challenges as any other organization might when conducting such a radical shift in a condensed timeframe. However, the City Manager’s Office, HR and the Information Technology Services (ITS) Department worked together to solve those initial challenges to ensure those that could work remotely were successful.
Second, many of the departments had to completely rethink how they conduct business with the citizens of the city as in-person transactions were very limited. The city coordinated with our industry partners to solve these challenges in a secure manner while keeping front-end complexity to a minimum. Not everyone has the technical aptitude or devices required to navigate unintuitive government processes. So ease of use and security were the top concerns, and the departments involved were able to solve these issues in a relatively short time.
Finally, the city of Phoenix operates a transparent government that actively encourages participation from its citizens. Due to COVID, physical attendance at the council meetings was limited. ITS, under the leadership of our CIO Matt Arvay and the City Manager’s Office, was able to offer virtual city council meetings where the public could attend and ask questions as if they were there in person. While there were the typical connection issues everyone was experiencing as the world has gone virtual, those were kept to a minimum and virtual council meetings are now the norm. I would consider this a huge success for the city.
DL: How big is the shortage of cybertalent in Arizona? Are you finding the right people to fill key vacancies?
SL: There is a severe cybertalent shortage globally, and Arizona is no different. And while municipalities do not typically offer the highest salaries, the city of Phoenix offers a very generous pension package. From a security perspective, the city is actively improving its cybersecurity posture by partnering with best-in-class cybersecurity firms as well as large organizations within the city. This gives our security personnel the ability to use cutting-edge tools to actively defend the city’s information resources and allows our elected leaders to operate the government. The city has an outstanding management team from the CIO to the city manager as well as the mayor and City Council who support our security mission. We also ensure our personnel are regularly trained. This combination of talent acquisition strategies makes the city of Phoenix an attractive option for new as well as seasoned security professionals.
DL: Describe your resource situation. Is funding/budget a significant problem right now?
SL: Our resource situation is similar to everyone else’s. We do not have a bottomless bank account and have to be judicious in our allocation of resources. We cannot secure everything, and security is a journey, not an end state. Technology is changing. Tactics, techniques and procedures are also changing. We assign our resources to our critical needs and make the case to city management when we need something in particular. ITS works through these budget processes with management and, like many other organizations, decisions are made to fund this or that or to push out a project because of an emergent need.
DL: What are your top cyberproject priorities for 2021?
SL: My top initiatives for 2021 are to complete the current projects we have in flight, focus time on fine-tuning the security operations center, map the city to the security framework, and master the basics of security.
DL: How can security and technology vendors provide better help around the country in state and local governments? Where are their vendor blind spots?
SL: This is kind of a tough question because there are multiple points of view. On the one hand, I do not have time to entertain all of the vendors that contact me, especially the ones that want me to educate them on my initiatives. On the other hand, how would vendors know what my priorities are unless they spent time with me or my staff? And still, many vendors promise the world, but in reality may not be able to deliver on those promises without serious investment into their whole ecosystem.
My recommendation for government entities is to develop a cyber-based qualified vendors list (QVL) broken out by different kinds of tools, technologies, etc. that you think you may need over five years. Vendors then respond to that RFP and, if qualified, are added to the QVL. Once on the QVL and the government entity needs to procure, say, an endpoint detection and response (EDR) solution, they can then work with those vendors on the QVL under EDR. The government entity should have a detailed scoring matrix and have a consultant company such as Gartner or Forrester provide some assistance in formulating those score matrices. The government entity should really have a well-established requirements document before procurements are started. Even with all of that preliminary work done, you may find that the technology you thought would work just doesn’t. That is what the proof of concept is for, again using a well-defined requirements document and score matrix. And don’t forget to reach out to other CISOs and ask for references. Keep the vendors off of the call during the reference check. If the product or service is solid, the vendor should not be applying any undue pressure or influence. If they are, walk away. Better to start over than to be stuck for the next couple of years.
DL: Any career stories that you can share about lessons learned as a government leader?
SL: I have many, many stories. Perhaps I will say this. Some of my keys to success are the following:
- Don’t be afraid to say no. If something doesn’t sound right, don’t go along with it because the "last guy did it" or "that is the way we do things," etc. You are the leader. Lead.
- Someone has to make the decision, especially the really hard ones. You won’t always be right, but stop worrying about that. Make a well-informed decision. Listen to the troops, but in the end it is not a democracy. Make the call and move forward.
- Surround yourself with smarter people. You are not the one who has to know everything, and many times that is hard to accept in the security industry. There is this idea that CISOs need to know everything and be everywhere. Guide your people. Trust but verify. Ask questions but let them do their work.
- Allow for mistakes to happen. Creating a zero-tolerance environment may result in more problems than letting your troops know that mistakes are allowed as long as they are not being negligent and are learning from what went wrong, and those mistakes are being documented so others do not repeat them.
- Make sure to communicate bad news up the chain quickly. Do not sit on it even if you don’t have all of the information.
- Keep learning. Technology is changing all of the time.