Not every cybersecurity leader works inside a Fortune 500. Some of the most practical, hands-on security work in Arizona happens inside managed service providers, IT consulting firms, and technology companies where the client base is broad, the resources are lean, and the security program has to work across dozens of different environments simultaneously. Some of these leaders are based in the Phoenix metro. Others work remotely from Arizona while serving clients and organizations well beyond state lines. What they share is a connection to Arizona’s growing technology ecosystem and a form of security leadership that is closer to the client than most.
Jacques Lucas — Director of GRC and Chief Information Security Officer, Avertium
Jacques Lucas has spent more than twenty-five years moving from hands-on IT operations into executive security leadership, and his current dual role at Avertium reflects how thoroughly those two tracks have merged. As both CISO and director of GRC, he leads the organization’s internal security program while simultaneously overseeing client-facing compliance and risk consulting across frameworks including HITRUST, HIPAA, ISO 27001, SOC 2, and PCI DSS. He spent nearly five years as a managing consultant before stepping into managing principal and then CISO roles, giving him an unusually clear view of what security programs look like from both the delivery and the ownership side. His certifications include CISSP, CISA, CDPSE, PCIP, and QSA. That last one matters: a qualified security assessor who also runs an internal security program has a different relationship with compliance than someone who has only ever done one or the other.
Mike Serbin — President and Chief Information Security Officer, Inertia IT Services
Mike Serbin has run Inertia IT Services for more than fifteen years, building a Phoenix-based managed IT and security practice focused on professional service firms: law practices, medical offices, engineering firms, and accounting professionals. The client profile is deliberate. These are organizations handling sensitive client data, subject to confidentiality obligations, and often without the internal resources to manage security themselves. Serbin’s dual role as president and CISO reflects the reality of running a firm at that scale, where strategic leadership and security accountability sit in the same seat. Fifteen years of continuity in a market that churns through providers says something about how the work is being done.
Steven Nasr — Chief Technology Officer and Chief Information Security Officer, LifeWork
Steven Nasr brings a technical foundation built around Microsoft environments, identity and access management, cloud security, and unified communications to his combined CTO and CISO role at LifeWork, where he has served since April 2024. Before LifeWork, he worked as a senior cloud security engineer and IAM specialist at The Bank of London and as an enterprise architect at AccountabilIT. Holding both the technology and security leadership roles simultaneously is a different kind of challenge than holding either one alone. It requires constant negotiation between what the business wants to build and what the security posture can support, and it puts the accountability for both outcomes in the same hands.
AJ Keehn — Chief Information Security Officer, CloudIT
AJ Keehn has been with CloudIT for nearly a decade, progressing from cloud migration engineer through project management, systems administration, operations management, and vCISO before stepping into the full CISO role in March 2024. That internal progression is worth noting. He has worked inside the same managed service environment at every level of its technical and security stack, which means the security program he now leads is one he helped build from the ground up. He also serves as a US Army flight operations specialist, a commitment that has run in parallel with his civilian technology career for more than two decades.
Don Silva — Vice President and Chief Information Security Officer, Raintree Systems
Don Silva leads security, cloud engineering, DevOps, AWS infrastructure, IT operations, vendor management, and third-party risk at Raintree Systems, a healthcare technology company where HIPAA, PCI, NIST, SOC 2, and CIS controls are operational requirements rather than aspirational targets. His recent focus has expanded into AI governance and risk management across both the software development lifecycle and corporate tooling, a practical acknowledgment that the risk surface at a healthcare software company now extends into how AI is being built into the product. Twenty years in cybersecurity and IT management, combined with that breadth of current responsibility, makes his a profile shaped by sustained operational accountability rather than specialization alone.
Security Leadership Where the Work Is Closest to the Customer
These leaders may not all work in the same building or serve the same market, but they are part of the same broader picture: Arizona producing security talent that operates at the practitioner level, close to real risk, and accountable to real outcomes. Whether the work is internal, consulting, or managed services, the thread is the same. The security has to actually work.
