From the Ground Up: Building a Cybersecurity Career

Randy Marchany, Chief Information Security Officer at Virginia Tech

Randy Marchany is the Chief Information Security Officer of Virginia Tech and the Director of Virginia Tech’s IT Security Laboratory. Randy is currently a senior instructor for the SANS Institute and joined SANS in 1992. He was recently part of the team that wrote version 8 of the Center for Internet Security (CIS) Controls. He has written or co-authored over 45 papers on cybersecurity. Awards include the 2024 Capital ORBIE Finalist CISO Public Sector award, 2024 OnCON Top 10 CISO award, SANS Difference Maker Award in 2021 for his contributions to the cybersecurity field, 2016 Shirley C. Payne IT Security Advancement award, the 2000 SANS Institute’s Security Technology Leadership Award, the 2003 VA Governor’s Technology Silver Award (team), and EDUCAUSE Excellence in Information Technology Solutions (Team) Award in 2005. He is a co-holder of three cybersecurity patents.

Through this article, Randy offers a valuable perspective on the evolution of cybersecurity and the importance of early adoption and community involvement in shaping the field.

Career Growth and Preparation for Current Role

In a way, I was lucky that I got into cybersecurity when I did (1992). Since it wasn’t a “thing” back then, we had the opportunity to shape it. The biggest break I got was back in 1991-2 when I got an email from a startup called the SANS Institute. Alan Paller, SANS founder, liked a presentation we did at their second annual conference and invited us to participate in some projects he had in mind. He was a genius at finding people all over the country who wanted to participate in the creation of an industry. Let’s be clear, at the time we didn’t know we were part of a larger group that was involved in this “creation”. The SANS connection was a small part of a larger group of tool builders, practitioners and some management types. The connections we made through Alan wound up being a great resource for sharing and testing ideas.

Working at a university was another key factor in my career. We were using cutting edge technologies 3-5 years before the commercial world. Some of the things here at Virginia Tech that I think were cutting edge were:

a) Bring Your Own Device (BYOD). The university started requiring students to purchase a personal computer in 1984.

b) Connecting to the “internet” in the late 1980s. Universities were among the first entities to connect to the Arpanet, Bitnet, Internet and this allowed the creation of de facto standards that promoted interoperability across different platforms. System administrators and academic users became familiar with connecting to other resources on the internet. The Morris worm of 1988 opened our eyes to the impact of a security attack and allowed us to find out about new security teams like the CERT (Computer Emergency Response Team) at Carnegie-Mellon University. Virginia Tech was one of the early members of the Internet Storm Center (then called the Dshield project, isc.sans.org). We provided a good portion of the intrusion detection data during its initial years.

c) The Blacksburg Electronic Village (BEV). In 1991-1993, Virginia Tech, the Town of Blacksburg, VA and Bell Atlantic (now Verizon) formed a partnership to connect the town residents and businesses to the Internet. It was an experiment to see how the public could/would use the internet. The first e-commerce transaction arguably took place here in the BEV between a customer and a local grocery store. That experiment gave us a preview of how the internet could be used by the public. This experience gave us an idea of the importance of privacy and accurate information posted on the various listservs and bulletin boards of the time.

d) System X Supercomputer (2004). A research team at Virginia Tech created System X, a supercomputer consisting of over 1100 Macintosh computers in a grid. System X was rated as the 3rd fastest supercomputer in the world that was built for a fraction of the cost of other supercomputers.

e) The Virginia Cyber Range (2015-16). The Cyber Range is a platform that allows K-12, community college and higher ed institutions to create an environment for teachers to create cybersecurity exercises, labs, modules and full courses for free. Almost every K-12 school, community college and university/college uses the Cyber Range for cybersecurity courses.

It was initiatives like these that contributed to my overall career growth. All of these perspectives helped me in the cybersecurity world.

Current Challenges and Solutions

In the late 90s and early 2000s, the biggest challenge was figuring out how to change the culture of the university to embed cybersecurity hygiene into everyday life. It’s gotten better today but some of the root issues from 25 years ago are still present. Fortunately, the university’s executive management understood the challenge and allowed us to continue with our work. Cybersecurity is becoming an integral part of the everyday business functions of the university.

Dealing with security flaws in vendor software is another challenge for us. Email phishing is another recurring problem that is a great example of how offense affects defense which affects offense. The phishers adapt to new defenses like MFA.

Staying Ahead of Emerging Cybersecurity Threats

Virginia Tech is a member of VASCAN (www.vascan.org), a consortium of the public universities, colleges and community colleges of Virginia. VASCAN meets on a regular basis and is an excellent source of threat intelligence. We’re also members of the REN-ISAC (ren-isac.net) and the MS-ISAC, which are great resources for discovering new threats and solutions. The Federal Government cybersecurity resources like CISA are another venue for threat intelligence. Vendor resources are yet another resource. EDUCAUSE (educause.edu) is an excellent resource for the EDU community and participating in their various working groups and projects has been a great asset for my staff.

Impact of the Virginia Cyber Range on Cybersecurity Education

I think the Virginia Cyber Range and its twin, the US Cyber Range, are the most influential services that allowed the explosion of cybersecurity education at all levels of education. In the K-12 arena, teachers interested in teaching cyber courses typically ran into barriers put up by their local IT staff. Local IT didn’t want “hacking” systems disrupting their daily operations. When the Range(s) came online, teachers no longer had to create physical labs at their schools. All their students needed was a browser to access the lab environments. The course repository was filled by teachers from all levels who were funded to create the course materials and, most importantly, make them available to anyone using the Range(s). At any given point, the Range may be hosting 20,000 virtual machines for students all over the state. Dave Raymond, the Cyber Range director, has been the driving force in the Range’s success.

Guiding Principles in Cybersecurity and Decision-Making

Well, realize that you will make mistakes in the cybersecurity world. Learn from your mistakes. I became a cybersecurity “expert” because I got hacked a lot in the 1990s. I suppose that was fortunate for me since it wasn’t a “big deal” back then. I learned from my mistakes. However, the most important phase of incident response is the last step – follow-up. This is where you review which incident responses worked well, and which ones didn’t. Know when to say yes but more importantly, know when to say no. Ask questions and learn from your superiors and peers.

Advice for Cybersecurity Professionals

Submit a proposal for a presentation at a local, regional or national event. Talk about things you’re doing at your job. Volunteer to be a working group member for some external project/event like BSides or the Center for Internet Security projects. Check out free and low-cost training venues like SANS Summits (1–2-day technical conferences) and BlackHillsInfoSec’s pay-what-you-can and free training. Learn 1 new thing every day whether it’s a technical thing or a work-related process.