Shannon Lawson – City of Phoenix, Arizona

Shannon Lawson can chat at length about ways cybercriminals breach systems and networks.

Chief information security officer and chief privacy officer for the city of Phoenix, he was trained in information warfare and cybersecurity by the U.S. Navy and National Security Agency and understands network breaches can result from simple mistakes.

Shannon Lawson | Chief Information Security Officer and Chief Privacy Officer | City of Phoenix, Arizona

He also knows how the city can protect itself and citizens—and he’s not shy about educating city leaders on why spending now will save much more down the road.

“People are not getting taken because they lack the latest vendor tool that does something,” Lawson says. “They’re getting taken or attacked, paying ransomware and having [personally identifiable information] spills because they aren’t coming back to the basics and working through the problems using best practices.”

Audit first, then act

Lawson joined city government in Phoenix in April 2019 after having served as CISO for the state of Alaska. He arrived without having big initiatives in mind, but quickly saw a need for stronger third party audits to evaluate the city’s security and privacy posture, as well as the security in place and how staff used it.

By that September, the audits had begun and, after several months, they showed Lawson the city’s networks were vulnerable to attack and that remediation was needed.

In response, Lawson worked with RSA to implement SecurID, a multi-factor authentication platform. The first phase of the implementation was completed in January 2021, requiring city employees—including  elected officials—to enter random, one-time codes sent to a registered device they use, like their phone, when they log into their Office 365 accounts.

Lawson has also added Proofpoint protection services to the email system, which shows his staff when, and from where, phishing and ransomware attacks are launched. Since installing Proofpoint, about 10,000 attempts to deliver malware have been averted before anyone receives an email, he says.

“I didn’t want weaponized email getting anywhere near our inboxes,” Lawson says. “I want a full stop prior to an employee seeing it.”

City of Phoenix CISO Shannon Lawson (L) with CIO Steen Hambric (R)

Lawson has also implemented stronger endpoint detection and response system using the CrowdStrike platform. Among other things, the system shows what attacks are happening based on near real-time system behavior, and his staff has learned more about protecting the network by working with the vendor. CrowdStrike’s 24/7 approach also means the company acts against threats and attacks during off hours.

As upgrades to cybersecurity were being implemented, city employees also began working remotely because of the COVID-19 pandemic. The shift posed an additional challenge because the secure web gateway for the network was on-premises. Implementing Netskope, a cloud-based solution, enabled remote work while eliminating web-based threats that could develop as employees work remotely or on their own devices.

Lawson also works with MixMode Inc. and its AI-powered platform for security information and event management, user and entity behavior analytics, network traffic analysis and network detection and response. With the city network processing over 14 gigabits per second, MixMode pinpoints abnormal use and system traffic in real-time.

“They find the proverbial needle in the 14 billion haystacks to see which weird event may have occurred in the traffic,” he adds. “It was easy to install and learns on its own very quickly.”

The ‘coolest thing’

Fighting cybercriminals was not what Lawson envisioned for a career—he wanted to be part of the U.S. Naval Special Warfare community. However, his eyesight wasn’t within standards, so when he enlisted in the Navy in 1997, he joined the Naval Security Group to work in cryptology.

“I didn’t really know what that was until I got there, but it was basically the coolest thing I could do with my career path,” he says.

Lawson supported those special warfare teams before getting recruited by the NSA in 2001 for its Red Team operations division. There, he was part of, and eventually led, teams that tested the readiness and security of government networks.

“It was about offensive operations showing what bad guys could do to government agencies,” Lawson recalls.

Lawson, who earned his bachelor’s degree in international studies from the University of South Carolina in 2007 before joining the Navy, has a master’s in information assurance earned from Capitol Technology University in 2007 and an MBA from Utica College in 2017 and was selected to attend the Federal Executive Institute in 2016. Lawson is currently enrolled in the executive CISO program at Carnegie Mellon University.

He’s also a certified information security manager, certified information systems security professional, certified network defense architect and CISO. In 2011, he returned to the Navy as an information warfare officer and directed cybersecurity for the Naval Information Warfare Systems Command from 2014 to 2017.

As Lawson and his team add the tools to protect the network, he and members of his privacy team are considering how to redefine the city’s privacy posture. He says privacy can be misunderstood in the public sector, but government should consider why it’s collecting personal information, how it’s used and stored, and who’s got access to it.

“We don’t want to be negligent handling this,” he says. “Data is data, [and] you’re holding a lot of sensitive information the city requires people to provide and the city is responsible.”

View this feature in the Winter I 2022 Edition here.