Arizona’s Cybersecurity Leaders: Building for Scale

Arizona has quietly developed one of the more diverse concentrations of private-sector cybersecurity leadership in the country. The leaders in this feature are protecting a used car marketplace, a digital personal finance platform, a global hotel franchisor, a copper mining giant, a fleet management technology company, and an accounting firm. The through-line is not sector. It is the scale and complexity of what they are each responsible for, and the depth of experience they bring to it.

Dina Mathers — Chief Information Security Officer, Carvana

Dina Mathers built her security career across three institutions that collectively represent a broad cross-section of financial and consumer risk: American Express, where she ultimately managed their global 24/7 Security Operations Center; NortonLifeLock, where she led the cybersecurity program for a company whose entire value proposition is consumer protection; and Carvana, where she now leads security for one of the fastest-growing automotive retailers in US history. She holds a Bachelor of Science in Accountancy from Arizona State University and an Advanced Cybersecurity Graduate Certificate from Stanford. The accounting background is not incidental. It shapes how she thinks about risk quantification, audit readiness, and communicating security posture to business leadership.

Jean Shapiro — Chief Security Officer, Achieve

Before joining Achieve, Jean Shapiro spent six months as interim CISO at CommonSpirit Health during what she describes as the largest healthcare integration and a global pandemic happening simultaneously. In that window, she developed a three-year integration roadmap for two cybersecurity organizations, secured $80 million in funding for a multi-year unified identity strategy across an environment with 90 domains and six identity systems, and led the cyber organization through rapid Covid-19 response. She then spent three years as senior director of cybersecurity at Banner Health before moving into financial services at Achieve. That healthcare background informs everything about how she approaches security in a digital personal finance environment where customer data protection and regulatory compliance are equally non-negotiable.

Jason Stead — Chief Information Security Officer, Choice Hotels International

Jason Stead oversees enterprise security, privacy, technology compliance, risk management, and service management functions at Choice Hotels International, one of the world’s largest hotel franchisors. His career has moved through three distinctly different regulated environments: financial services at First National Bank of Arizona, insurance at Nationwide, and advisory work at Ernst and Young before moving into hospitality. He holds CISSP, CISM, and CISA certifications and an MBA from Arizona State University. He currently serves on industry advisory boards for Boise State University and Grand Canyon University. The breadth of his sector experience gives him a risk management perspective that isn’t anchored to any single industry’s assumptions.

Keith Stocks — Vice President, Global Third-Party Cyber Risk Management, State Street

Keith Stocks retired from the US Air Force as a Master Sergeant after a career as a security policeman, then spent years building vendor security programs at Washington Mutual, consulting on enterprise risk assessments at Jefferson Wells, leading information security at Blue Cross Blue Shield of Arizona, and standing up the information risk management function at MUFG Union Bank before joining State Street. He is now a founding member of the FS-ISAC. At State Street, he leads a global team of fourteen cybersecurity professionals responsible for third-party cyber risk governance, assessments, and incident response, with a program aligned to NIST CSF 2.0, NIST 800-53, ISO 27002, and DORA. Few people in third-party risk have logged as many miles across as many sectors getting to that seat.

James Costello — Chief Information Security Officer, Freeport-McMoRan

The list of organizations James Costello has led security for reads like a cross-sector tour of American enterprise: Microsoft, Honeywell, Salt River Project, Charles Schwab, WageWorks, and HealthEquity, before arriving at Freeport-McMoRan, one of the world’s largest copper mining companies, in December 2020. He started his career in the US Navy in communications, spent five years in Big Four consulting, and has held director and vice president level security roles continuously since. That kind of career range, across financial services, energy, technology, and natural resources, produces a risk perspective that is difficult to develop any other way. At Freeport, he is applying it to an environment where operational technology security and physical infrastructure protection sit alongside traditional enterprise risk.

Dave Lesser — Chief Information Security Officer, GPS Insight

Dave Lesser came to the CISO role from the opposite direction of most security leaders. His background is in software engineering, product management, DevOps, and cloud computing, and he spent several years as VP of engineering and technology at GPS Insight before stepping into the CISO seat in March 2024. That progression matters. He understands how the systems he is now responsible for protecting were built, what tradeoffs were made, and where the technical debt sits. Before GPS Insight, he led innovation and public sector operations at STChealth, where he spearheaded a 500-server AWS cloud computing and DevOps strategy and delivered two of the company’s largest product launches. Security leaders who have built things tend to approach risk differently from those who have only assessed it.

Lock Langdon — Vice President and Chief Information Security Officer, Aprio

Lock Langdon joined Aprio in late 2022 with a mandate to build its security program from scratch, a task he took on at the director level before being elevated to VP and CISO in 2024 and then to VP of enterprise technology and CISO in early 2026. His current remit has expanded to include global IT operations, cloud services, service desk management, and M&A integration, reflecting the kind of trust that comes from delivering on the original mandate. He holds a bachelor’s degree in electronic engineering from DeVry University and a master’s in information management from ASU’s W.P. Carey School of Business, and he is an active member of FBI InfraGard. For an accounting and advisory firm where client data protection is foundational to the business relationship, having a CISO who built the program and then earned broader organizational trust is not a small thing.

Program Builders in a State That Rewards It

Look at this group and one pattern surfaces repeatedly: several of these leaders were brought in to build something that did not yet exist, or to take on a scope that extended well beyond a traditional security remit. That is not coincidental. It reflects something real about the organizations attracting security talent in Arizona and the kind of leaders who are drawn to that work. The programs they have built are not inherited. They are earned.

Explore more profiles of the leaders shaping cybersecurity across numerous industries in our CISOs to Watch collection.