Chief Information Security Officer caps remarkable 50-year journey that helped shape cybersecurity in higher education
After 50 years of dedicated service to Virginia Tech—35 of them devoted to cybersecurity and the past 15 as the university's Chief Information Security Officer—Randy Marchany will retire in July 2026, closing a chapter on one of the most distinguished careers in academic information security.
Marchany's journey at Virginia Tech began in 1975 when he started as a 22-year-old IBM systems programmer. What followed was an extraordinary career that would see him become not just a cybersecurity pioneer at the university level, but a nationally recognized leader whose influence extended far beyond Blacksburg.
Marchany's path into cybersecurity was built on a foundation of deep technical expertise across virtually every major operating system of the computing era. His hands-on experience spanned IBM VM, Multics, VAX/VMS, and Unix variants including Solaris, Ultrix, HP-UX, AIX, Ubuntu, and Red Hat, as well as Windows systems. This breadth of knowledge across diverse platforms gave him unique insights into security vulnerabilities and defense strategies that would prove invaluable throughout his career.
In the late 1970s, Marchany was part of a team that was among the first in the country to use microcomputers to automate data acquisition for researchers’ experiments—pioneering work that presaged what we now call the Internet of Things. This early experience with connected devices and automated systems gave him insights into the security challenges of networked computing long before most organizations recognized these issues.
His path into cybersecurity was born of necessity. In 1991, one of his Ultrix systems was hacked—an attack later detailed in the book "At Large: The Strange Case of the World's Biggest Internet Invasion." The incident proved transformative. Unable to find adequate resources on Unix security at the time, Marchany discovered a startup organization called the SANS Institute advertising a conference in the Washington, D.C., area in 1992.
That discovery changed everything. Marchany joined SANS that year and became one of the Institute's original instructors—a role he maintains to this day as instructor #2, making him the longest-running instructor in SANS history. Over the decades, he has taught cybersecurity courses around the world and helped shape the curriculum that has trained thousands of cybersecurity professionals.
Marchany's influence on the broader cybersecurity landscape has been profound. He was a co-author of the original SANS Top 10 Internet Threats and the SANS Top 20 Internet Threats documents, foundational resources that helped organizations understand and defend against emerging cyber threats. In 1997, he co-authored with Tom Wilson one of the earliest papers on using email attachments to install malware such as keystroke recorders—prescient work that identified a threat vector that would become one of the most common attack methods in the decades to follow. Following the devastating distributed denial-of-service attacks of 2000, he was a member of the White House Partnership for Critical Infrastructure Security working group that developed a consensus roadmap for responding to such attacks.
His involvement with the Center for Internet Security (CIS) was equally significant and pioneering. Marchany was instrumental in getting Virginia Tech to become a charter member of CIS—the first university in the country to join the organization. As a member of the CIS development team, he produced and tested the original CIS Unix and Windows 2000/XP security benchmarks and scoring tools. More recently, he served on the working group that created version 8 of the CIS Security Controls, which have become industry standards for cybersecurity defense. His 24 years of volunteer work with CIS has made him one of the organization's longest-serving community members.
In the mid 1990s, Marchany worked with Allen Lum from Ernst & Young to create a series of training programs designed to teach auditors how to perform IT (system and network) audits. He taught these seminars at various ISACA, ACUA chapters training the first generation of IT auditors. He and Lum built the first hacker lab for Ernst & Young in the early 2000s. While teaching these seminars, he gained knowledge on general auditing techniques and brought that knowledge back to the university.
As Virginia Tech's CISO since 2010 and Director of the IT Security Lab since 2003, Marchany implemented a "teaching hospital" model that has proven remarkably successful in developing cybersecurity talent. The lab provides hands-on experience for graduate and undergraduate students working alongside IT security analysts to solve real-time problems.
In addition to his administrative and research roles, Marchany has been a pioneering educator in cybersecurity. Starting in 1999, he taught one of the first hands-on university cybersecurity classes in the country—a course he has continued teaching to the present day. Over 3,000 students have taken his classes since 2000, representing one of the most sustained and impactful teaching legacies in academic cybersecurity. As an Associate Professor of Practice in the Department of Electrical and Computer Engineering, he has brought real-world cybersecurity challenges directly into the classroom, ensuring that students gain practical skills alongside theoretical knowledge.
Marchany played a crucial role in helping Virginia Tech obtain prestigious recognition from the National Security Agency as a Center for Academic Excellence in Cyber Defense (CAE-CD), Cybersecurity Research (CAE-R), and Cybersecurity Operations (CAE-CO). These designations—representing excellence in education, research, and operational cybersecurity—place Virginia Tech among an elite group of institutions recognized by the NSA for their comprehensive cybersecurity programs. The achievement of all three CAE designations demonstrates the breadth and depth of Virginia Tech's cybersecurity capabilities, which Marchany helped build and sustain over decades.
The results speak for themselves. Alumni of the IT Security Lab have gone on to become CISOs and VPs of security at major organizations worldwide—from credit card companies and athletic wear manufacturers to government contractors and cyber ranges. Many alumni are military veterans and retirees who while in active duty, became commanders of units in the US Cyber Command. For a period, the majority of cyber instructors at the West Point Military Academy were graduates of Marchany's lab—a testament to the quality and rigor of the training provided. Marchany has mentored 14 PhD students and 13 master's students, and is a co-holder of three cybersecurity patents with graduates from the lab.
His commitment to developing the next generation extended well beyond Virginia Tech. Marchany was one of the founding members of the US Cyber Challenge (uscyberchallenge.org), a national program with the mission to significantly reduce the shortage in the cyber workforce by identifying, attracting, recruiting, and placing the next generation of cybersecurity professionals. Working alongside leaders like Karen Evans (USCC national director and former chief information officer for the federal government) and Allan Paller of SANS, Marchany didn't just participate—he took over the curriculum development.
According to Paller, Marchany was the ideal candidate for this role because he brought a unique combination of skills: cybersecurity expert and USA Volleyball Association volleyball coach. "This industry is very similar to a sport," Paller explained. "There are few teachers who teach this. What we needed were coaches and a competitive atmosphere in which to push these kids. Randy was instrumental in creating that atmosphere. He didn't just get involved, he took over."
Marchany designed intensely challenging courses for the USCC summer camps that exceeded the skill levels of even the most talented young cyber defenders. He created a unique methodology to help train the camp instructors and established a competitive atmosphere that brought out the best in participants. His approach to developing cybersecurity talent—combining rigorous technical training with the motivational and team-building techniques he learned from coaching—proved transformative. Karen Evans noted, "Randy was instrumental. He created a unique methodology to help train the teachers that few others could have developed."
Marchany understood early that cybersecurity challenges required collaborative solutions that transcended institutional boundaries. This vision led him to co-found two critical Virginia cybersecurity organizations.
In the early 2000s, Marchany was one of the founders of the Virginia Alliance for Secure Computing and Networking (VASCAN, www.vascan.org), a consortium that brought together security practitioners and researchers from Virginia's major universities including Virginia Tech, University of Virginia, James Madison University, and George Mason University. VASCAN created a unique forum for sharing threat intelligence, best practices, and collaborative research across the Commonwealth's higher education institutions, strengthening cybersecurity defenses for all participating schools. The innovative collaborative model proved so successful that VASCAN won the 2005 EDUCAUSE Excellence in Information Technology Solutions Award, recognizing it as a groundbreaking approach to addressing cybersecurity challenges in higher education.
Building on this collaborative model, Marchany also played a founding role in establishing the Virginia Cyber Range (virginiacyberrange.org), serving on its executive committee. The Virginia Cyber Range provides an innovative platform for cybersecurity education, training, and workforce development across Virginia, offering hands-on experience in realistic cyber defense scenarios. The initiative has been recognized with significant honors, including the 2017 Virginia Governor's Technology Award for innovative use of technology in education.
These collaborative ventures reflected Marchany's understanding that the cybersecurity threats facing higher education required collective action and shared expertise. By fostering partnerships across Virginia's academic institutions and creating platforms for training the next generation of cyber defenders, he helped establish Virginia as a leader in cybersecurity education and innovation.
Within the higher education community, Marchany became a trusted voice on cybersecurity issues. He was a member of the EDUCAUSE security task force focusing on risk assessment and security metrics, served on the Higher Education Information Security Council (HEISC), and co-authored the EDUCAUSE "Computer and Network Security in Higher Education" booklet. His expertise has been featured in numerous articles in The Chronicle of Higher Education on security issues at university campuses.
Throughout his career, Marchany has written or co-authored over 40 papers and articles on cybersecurity, contributing to the academic literature on topics ranging from moving target defenses and IPv6 security to intrusion detection systems and crisis alert optimization. His research publications have garnered hundreds of citations in Google Scholar, demonstrating the impact and influence of his work on the broader cybersecurity research community. His publications span peer-reviewed journals, conference proceedings, and practitioner-focused guides, bridging the gap between academic research and practical implementation.
As a frequent speaker at national and international conferences including EDUCAUSE, SANS, IEEE, NIST, and RSA, Marchany shared Virginia Tech's pioneering approaches to cybersecurity. The university was among the first to offer practical cybersecurity courses starting in 1998, and under Marchany's leadership, has remained at the forefront of cybersecurity education and research.
His expertise and leadership have been recognized beyond academia as well. Marchany was invited to join the CyberEd Board Community (cyberedboard.io), an organization focused on advancing cybersecurity education and governance. He also serves on the VigiTrust Global Advisory Board (https://vigitrust.com/advisory-board/), where he provides strategic guidance on cybersecurity and privacy solutions to organizations worldwide. These advisory roles reflect the high regard in which he is held by both the cybersecurity education community and the private sector.
Throughout his career, Marchany has been generous in sharing his knowledge and experiences through numerous video interviews and webcasts. Virginia Tech documented his remarkable journey in a series of video interviews as part of its IT history project, where he discusses topics ranging from how a 1991 hack led him into cybersecurity, to the evolution of Virginia Tech's networks, to the achievements in cybersecurity education at the university.
His YouTube presence includes webcasts on critical topics such as "Zero Trust Networks: The Future is Now" at the 2019 SANS Blue Team Summit, "The 20 Critical Security Controls: From Framework to Operational to Implementation," and timely presentations during the COVID-19 pandemic on "Making and Keeping Work at Home Operations Safe and Productive" and "Secure Video Conferencing." These interviews and presentations showcase not only his technical expertise but also his ability to communicate complex cybersecurity concepts in accessible ways, demonstrating the teaching skills that have made him such an effective educator.
In recent interviews, including features in BOSS Magazine and on the Government Technology blog "Lohrmann on Cybersecurity," Marchany has shared his philosophy on cybersecurity education and leadership, often emphasizing his pragmatic approach: "I didn't become a cybersecurity expert by reading a book, but because I got hacked a LOT of times. I learned from each incident." This authenticity and willingness to share both successes and failures has made him a respected voice in the cybersecurity community.
What makes Marchany truly unique is his parallel career as an accomplished musician. For nearly 40 years, he performed with the band No Strings Attached (www.enessay.com), playing the hammered dulcimer—an instrument he took up in 1978. Acknowledged as one of the North American masters of the hammered dulcimer, Marchany composed the original theme song for National Public Radio's nationally syndicated program "World Café."
No Strings Attached, which recently retired, was nominated for or won multiple "Indie" awards (the independent record label's equivalent of the Grammy) for Best Album in the string music category in 1984, 1985, 1986, 1988, and 1990. The band toured throughout the United States, UK, and Europe, opening for artists including Béla Fleck and the Flecktones, the Dixie Chicks, and Doc Watson. Their music continues to air on National Public Radio.
The connection between music and cybersecurity might seem unlikely, but Marchany found parallels between the two. Leading a band required many of the same skills needed in cybersecurity leadership: public speaking, practice, planning, execution, teamwork, and the ability to make complex tasks look effortless. As he once explained, audiences would approach the band after concerts and say they sounded like one unit and made it look easy—but that ease came from tremendous work and coordination.
Marchany's diverse interests also included athletics. In the 1980s, he served as the first graduate assistant coach for the Virginia Tech women's volleyball team and coached club volleyball. The experience proved invaluable, teaching him management skills and political techniques that would serve him well throughout his career as CISO. As he reflected, he never realized at the time how those coaching skills—working with players and navigating relationships with parents—would translate to his cybersecurity leadership role.
His involvement with the Virginia Cyber Range as an executive committee member represented another way he combined his interests in education, technology, and competitive excellence.
Throughout his career, Marchany accumulated an impressive array of honors. He received the 2021 SANS Difference Maker Award, the 2016 Shirley C. Payne IT Security Advancement Award now known as the VASCAN Founders Award, and the 2000 SANS Institute's Security Technology Leadership Award. As a member of the VASCAN team, he shared in the 2005 EDUCAUSE Excellence in Information Technology Solutions Award for this pioneering collaborative cybersecurity initiative. He was also part of the Virginia Cyber Range team that won the 2017 Virginia Governor's Technology Award. In 2024, he was named a Capital ORBIE CISO Public Sector finalist and won an OnCon Top 10 CISO award.
His recognition continued into his final years of service, with the 2025 OnCon Top 10 CISO Award, the CISO Connect Top 10 CISO Award 2025, and the CISO Connect Top 100 CISO Award 2026—testament to his sustained excellence and ongoing contributions to the cybersecurity field even as his retirement approached.
In an era of frequent job changes, Marchany represents something increasingly rare: a complete career spent at a single institution. From student to systems programmer, from Unix administrator to internationally recognized CISO, from graduate assistant volleyball coach to Associate Professor of Practice in the Electrical and Computer Engineering department, his 50-year journey at Virginia Tech exemplifies dedication, continuous learning, and transformative leadership.
His work helped protect Virginia Tech's digital infrastructure, educated generations of cybersecurity professionals, influenced national security standards, and demonstrated that one could maintain excellence in multiple disciplines—cybersecurity, teaching, research, and even Celtic music.
As Marchany steps into retirement, he leaves behind a transformed landscape. Virginia Tech's IT Security Office, which began in 1998 with just two people, now includes 12 full-time analysts, four graduate research assistants, and several undergraduate student workers.
Under Marchany's leadership, the office developed an innovative organizational model that went beyond traditional cybersecurity team structures. In addition to the conventional Red team (offensive penetration testing), Blue team (cyber defense), and Purple team (security operations and security awareness), Marchany created a Green team focused specifically on IT risk management. This forward-thinking approach to organizing cybersecurity operations recognized that risk management required dedicated focus and expertise.
The effectiveness of this model has been recognized at the highest levels. In 2025, Marchany's team was named one of the OnCon Top 50 Information Security teams in the entire world (https://www.onconferences.com/25-team-winners-infosec)—a remarkable achievement that places Virginia Tech's IT Security Office among the elite cybersecurity teams globally, and a fitting capstone to Marchany's leadership.
The university he helped wire to the internet in the early 1990s through the pioneering Blacksburg Electronic Village project has been running a full IPv6 network since 2005 and continues to be at the forefront of cybersecurity innovation.
His influence extends through the more than 3,000 students who have taken his hands-on cybersecurity courses since 2000, the hundreds more he taught at SANS, the countless cybersecurity professionals who have learned from the documents and standards he helped create, and the institutions across higher education that have benefited from his leadership and example.
Randy Marchany's 50-year career at Virginia Tech is more than a story of individual achievement. It's a chronicle of the evolution of computing and cybersecurity in higher education, told through the work of someone who was not just present for that evolution, but actively shaped it. From IBM mainframes to IPv6 networks, from the first internet-connected town to sophisticated cyber ranges, from the earliest SANS courses to modern cybersecurity education—Marchany has been there, contributing, innovating, and leading the way.
As he often noted, his father told him that careers in life are like a river—they're going to go all over the place, but eventually they'll hit the sea. After 50 years of remarkable service, Randy Marchany has earned his place among the pioneers who helped navigate the digital revolution and make it safer for everyone.
Note: Randy Marchany will retire from Virginia Tech in July 2026 after 50 years of service, with 35 years dedicated to cybersecurity work and 15 years as Chief Information Security Officer. He was a founding member of the US Cyber Challenge (uscyberchallenge.org) and developer of its intensive camp curriculum. He co-founded VASCAN (Virginia Alliance for Secure Computing and Networking, www.vascan.org) and played a founding role in the Virginia Cyber Range (virginiacyberrange.org). His band, No Strings Attached, retired after nearly 40 years of performances, though their music remains available at www.enessay.com.
ADDITIONAL CONTRIBUTIONS BY RANDY MARCHANY
WEBCASTS:
Cleaning Up Our Cyber Hygiene, August 2020
Making and Keeping Work at Home Operations Safe and Productive, May 2020
SANS @MIC Talk - Secure Video Conferencing - What to Train Your Workforce On, April 2020
The 20 Critical Security Controls: From Framework to Operational to Implementation, June 2019
https://www.youtube.com/watch?v=EF_0dr8WkX8 SANS Blue Team Summit 2019, "Zero Trust Networks: The Future is Now"
https://www.youtube.com/watch?v=sm_u-ILqymQ&t=11s , IQPC Interview, Zero Trust Networks, 2019
For more webcasts with Randy, please refer to the SANS Webcast Archive.
WHITEPAPERS:
https://scholar.google.com/scholar?hl=en&as_sdt=0%2C47&q=randy+marchany&oq=
BLOG/Substack:
http://randymarchany.blogspot.com https://vtrandy.substack.com/publish/posts/published
Powered by GoDaddy Website Builder