Advancing Beyond Boundaries

View This Article in BOSS Magazine

At Virginia Tech, information security awareness is a critical component of the educational mission

If you ask Randy Marchany about Virginia Tech’s most important technology investment, you won’t hear a syllable about software or hardware – but you’ll hear plenty about the brightest, most creative minds. As VT’s Information Technology Security Officer and the Director of the Virginia Tech IT Security Lab, he oversees the investment in people that has defined VT for 150 years.

With 30 years in cybersecurity to his credit, Marchany’s contributions to the IT industry are matched only by VT's proactive stance on information security. Not only did he teach VT’s very first hands-on cyber course in 1998, but he is also one of the founding members of the US Cyber Challenge, whose mission is to significantly reduce the shortage in the cyber workforce by serving as the premier program to identify, attract, recruit, and place the next generation of cybersecurity professionals. He also designs the curriculum for these summer camps.

Marchany’s team runs cyber defense for the university across its academic, research, and administrative business units and is responsible for the cybersecurity awareness training programs for the university’s faculty and staff. The internship pipeline he developed enables students interested in cybersecurity to work for the lab and assist its full-time analysts in solving live, real-world problems as part of the institution’s ongoing cybersecurity research. There are currently nine highly certified full-time employees and 11 students on Marchany’s staff.

At VT, cybersecurity principles and practices are woven into every major, no matter the discipline.

“Our goal is to expose students to cybersecurity and give them some hands-on experience, which makes them more marketable when they graduate.” In operation since 2003, the pipeline has delivered 14 Ph.D.s and 15 master’s degrees, and students have been granted three patents, of which Marchany is co-holder.

In 1984, Virginia Tech built their cybersecurity model on the “bring your own device (BYoD)” principle, which requires students to use the university’s network and their own hardware. While standard practice for most colleges and universities today, business and industry have worked with the approach only in the past decade or so.

“We've been in this world for a long time and so have a lot of other universities around the country, but that model really makes us an ISP. It's a different security model than what you would find in the traditional corporate world, and it helped us a lot with the shift to work from home because of the pandemic,” he said. Thanks to their long-standing use of the BYoD model, the mindset shift required to work in a world without network borders was relatively straightforward for faculty and staff to adopt even though it was a monumental task to ensure over 8,000 classes were converted to full online mode during the early lockdown days of the pandemic.

“Regardless of what sector you're in, having a reasonably accurate inventory of your high-risk data, devices, and applications is quite a challenge because things change,” he explained, noting the everyday dynamism in the technical environment. “From the cultural side of the house, it's just continuing to make people aware.”

With 37,000 students and a freshman class averaging around 5,500 to 6,000 new students every fall, cultivating that awareness is essential. For several years frosh have arrived on campus as digital wizards, but they can be naive when it comes to internet threats such as easily guessed passwords, online scams, and a lack of awareness when it comes to the terms and conditions of the tech they use.

Freshman orientation is one of the most effective ways that VT raises that awareness. All new graduate students complete a compulsory one credit class on security practices. “A lot of the graduate students are teaching assistants and we give them some background and tips on how they should handle student data,” Marchany said. They also get tips on how to protect their research and any intellectual property they may be developing.

As he sees it, device protection is only a small aspect of security. “That's not the key thing. If you lose a desktop, that's not going to kill your company. If you lose critical data that's on that desktop, that will,” he exhorted. That recognition requires a mindset shift across the corporate landscape, regardless of industry or sector, as well as across government and educational institutions. “Everybody's got a set of critical data that, if it gets exposed or destroyed and can't be recovered then it’s going to almost put us out of business.”

To a great extent, higher education is driving the importance of identifying the high-risk data that we all use, as well as finding ways to protect it wherever it exists. Marchany sees a significant shift happening on the edges of higher education that’s just beginning to take hold on commercial business and industry as well as government, especially given the amount of classified information that requires protection.

One of the first things VT’s cybersecurity classes present to the student body is a review of state and federal computer crime laws because as he puts it, “In Virginia the line between a misdemeanor and a felony is very thin.”

As one of the earliest instructors at the SANS Institute aka Escal Institute of Advanced Technologies, he helped to create fundamental cybersecurity standards and cybersecurity courses. In the early ’90s when the institute was founded, texts on computer security dealt with cryptography and didn’t address other emerging issues such as security protocols or network levels. Marchany’s involvement helped change that.

Over the years, SANS has spun off several organizations, including the Center for Internet Security. “It's been a lot of fun. I've been able to bring a lot of value back to the university in terms of our technical staff. It's been great for the institution and for the industry.”

Today, the formidable challenge he sees is not the technical aspect of infosec; it’s the human realization that so much private data is being collected and used without people’s knowledge and understanding. He encourages everyone to become keenly aware of the sensitive data they share. Equally important is the protection of email addresses, which can be incredibly easy to forget about and for criminals to steal.

“Be aware of where your data is and figure out ways to protect it, because once it's lost it's a long road to recover from that.” Ultimately, information security is in the hands of the people, where it belongs.