As the CISO role evolves in the cybersecurity discipline, organizations of all kinds are being pressed to reconsider what they want from their CISO and their place within the organization. And, in every enterprise, aligning the needs and goals of the business with those of the cybersecurity group is becoming a critical focus.

The City of Phoenix is one such enterprise. The fifth largest city in the nation is reshaping their approach to cybersecurity as part of their mandate to provide secure, responsible, sustainable, and flexible IT services, solutions, and governance. At present, the city has 35 departments, four of which are critical infrastructure: public safety, aviation, elections, and facilities.

When Shannon Lawson became CISO in 2019, the city was doing its absolute best to maintain cybersecurity. Lawson, a Navy veteran, had held information security leadership roles in the military and intelligence community and in state and local governments. Despite the municipality's best efforts, its information security team was in need of a great deal of strategic and tactical help - and Lawson's expertise fit the bill.

"The security architecture and engineering team functioned as a single team with two kinds of people," he explained. Typically, security engineers deploy and maintain the security tools and the architecture team works towards a specific goal of ensuring the system or network is securely designed. That was the case for the city, but Lawson found the implementation to be disjointed as there was no security architecture team. "Just to be clear, these guys were trying to stop the bleed, if you will, and applying tourniquets all over the place."

The network security team existed primarily to meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements and ensure basic security services like VPN, firewalls, and web security were maintained.