Fortunately, one of those conversations happened back in July of this year when I traveled for the first time to Blacksburg, Va., to speak at the Virginia Cybersecurity Education Conference at Virginia Tech. It was a great event, and there are many ways that Virginia Tech and the Virginia Cyber Range are national leaders in cybersecurity.
During the event, I was able to meet Randy Marchany, who is a true cyber industry star in many ways. Randy is currently the chief information security officer at Virginia Tech, and his LinkedIn profile can be found here. He is a warm, interesting, fun person to talk with, and I was delighted when he agreed to do an interview for my blog.
Dan Lohrmann (DL): You have an amazing background. Tell us about how you got into cybersecurity.
Randy Marchany (RM): In my career, I was an IBM systems programmer, Honeywell (Multics) microcomputer programmer (Intel 8008, 8080, Z80 chipset), PDP-11, LSI-11, VAX 780/785 (VMS, Ultrix), Solaris, AIX, Linux sysadmin.
One of my Solaris systems got hacked in 1991 (part of the attack described in the book At Large: The Strange Case of the World’s Biggest Internet Invasion). It took us a long time to recover from the attack. We searched for Unix security books, but there weren't any back then. The only books we could find were about cryptography. Out of the blue, I got an email from a new startup called the SANS Institute advertising a conference they were hosting in the Washington, D.C., area in 1992. The list of speakers included the authors of the few books and articles on securing Unix and/or TCP/IP. I wanted to go, but my boss said there was no money for it. A couple of weeks later, SANS sent out a call for proposals with the hook that if your talk got accepted, they'd waive the registration fee. We submitted a proposal for a talk and it got accepted. It was called "Anatomy of an Incident," where we described the attack, how we responded and what we learned from our mistakes. SANS founder Alan Paller invited us to work on some projects with them and I've been doing cybersecurity work with SANS and Virginia Tech ever since.
DL: You were one of the earliest SANS instructors. How did that happen?
RM: I'd been doing some consulting for an accounting firm in New York City where I taught auditors how to audit IT systems. Alan Paller asked if I could create a half-day class from that talk. The response was tremendous and Alan asked if I could build a one-day course. Again, participation was high. I wound up creating a two-day course on IT auditing. I did presentations on incident response as well. When SANS moved to offering weeklong classes, Hal Pomeranz, a few others and I were asked by Alan Paller to teach those courses. That's how I got to be an instructor. Alan got us involved in co-authoring a series of step-by-step guides on incident response, Solaris Security, etc. Some of the material in these booklets found its way into current IT standards.
DL: Tell us about your role as CISO at Virginia Tech.
RM: Virginia Tech established the IT security officer position in 1998. Wayne Donald was the first CISO for the university. I joined him around 2001. In the beginning it was the two of us, and we slowly expanded since then. I took over as the CISO in 2010.
My friend Jodi Ito, CISO at the University of Hawaii, explained the CISO role as: "My job as a CISO is to balance security, privacy, compliance and accessibility and to keep everyone happy. Guess what? NOT POSSIBLE!" Our former CIO told me my job was to “run the cyber defense of the university and change the culture of the user community by making them aware of good IT security practices.” We have to be conversant with policies/standards, risk management, technical controls, public speaking skills, building teams and fostering trust. It’s a challenge for all of us in this position. We have to be able to communicate at the management, technical, end user, research and instructional levels and be able to translate an idea from one level to another.
The SANS Institute has a great poster (the CISO MindMap) that describes the many hats a CISO has to wear (correctly 🙂). Some of them are 1) business enablement: The organization's business process will always trump the security process. So it's important for a CISO to understand how the business units use IT to accomplish their tasks. We've had to learn to fit our security requirements into the business role and not the other way around. We have to learn the business lingo and translate that into geek-speak. 2) Legal and regulatory compliance is playing a more important role. We have to determine how software handles and protects sensitive data. 3) Security operations is the geeky part of the job. My team is the core cyber incident response team for the university. I have to be able to understand and translate to English information about prevention (data, network, application, endpoint security), detection (log management, threat intel, etc.) and response (incident response plan, checklists, playbooks). 4) Develop good public speaking skills because CISOs need to be good communicators.
My role is a little unique here at Virginia Tech. One part of me is the CISO. The second part is the director of the IT Security Lab (ITSL). The third part is teaching as an associate professor of practice for the Electrical and Computer Engineering (ECE) Department. The Security Lab students get to work with my full-time analysts and gain some real-world, hands-on experience in addition to working on cybersecurity research projects. The ITSL has graduated 14 PhD and 18 master's students and obtained three cybersecurity patents so far. I created and taught the first hands-on cybersecurity fundamentals class in 1998 and am still teaching it today. We average about 100 students per year in that class. We were one of the first schools to have cybersecurity practitioners teach academic cybersecurity classes. Some of my staff and I teach these courses every year. Personally, it's a great way to keep my technical chops up to date.
DL: What does a typical week (or month) look like securing a top U.S. university?
RM: Depends on the time of the year. The beginning and end of semesters are the "crazy times" for all of the university business units. These tasks range from answering a policy or technical question from a departmental IT manager, responding to a request from my CIO, doing a security awareness presentation for a university group, or authorizing the disconnection of a compromised host. Our red team does internal penetration testing and security architecture consultations. The blue team monitors our IDS/IPS and other detection sensors on all of our campuses. Our green team is in the process of setting up the next round of IT risk assessments as well as reviewing vendor IT security assessments. The purple team works with our internal and external security operations centers and develops training programs such as phishing awareness and cyber incident tabletops. These teams keep me updated on any short- or long-term developments that pop up.
One of the recurring threats is email phishing attacks. We see a rash of them at the beginning of every semester. Phishing emails that offer high-paying jobs for minimal work hours (everyone's dream job, eh?) are very common. All you have to do is click on the link and give us your personal information. We switched all faculty, staff and students to multifactor authentication (MFA) in 2016. That move drastically reduced the number of compromised accounts. However, phishers have adapted and have developed some interesting ways to con the victim out of their second factor. Naturally, we've had to update our awareness programs to address these new attack vectors.
DL: You've taught, worked with and led an amazing list of cyber leaders who have gone on to amazing careers. What sets top cyber leaders apart from the others?
RM: First of all, my involvement with SANS has allowed me to learn from some amazing instructors. It also got me involved in a lot of startups (or they were back then), such as the Center for Internet Security (CIS), from the beginning. People like Tony Sager (former NSA, now CIS) have been great mentors to me. Our IT Security Lab alumni have progressed in their cybersecurity careers, becoming CISOs or VPs of security of many different organizations (like major credit card, athletic wear, cybersecurity and software development companies, cyber ranges, government contractors) all over the world. Some of them are military veterans/retirees who were part of the early cyber commands. All of them are great learners as well as teachers, and I think that's one of the things that sets them apart from others. They know what they don't know and know how to find the people who do know. They volunteer to teach their skills to other professionals and students.
DL: What are the top cyber threats that your team has faced this year?
RM: Email phishing for credentials is still the stubborn threat. The shift to obtaining the second-factor credentials is forcing us to revamp our account reset procedures. Another vector is vendor software breaches. A third-party breach of customer information gives attackers additional information to try to impersonate a target to get their internal credentials. Vendors are still in the "let the buyer debug our code" mode. There is no real penalty for a vendor software flaw affecting a business because of how license agreements are structured.
DL: You've mentored many young people in cybersecurity. What do you look for in someone who wants to enter the field and be successful?
RM: Early on in my student days, I was very lucky to meet and work on a project with a professor here who was one of the original Enigma code breakers. Much later, when I found out what he did, I asked him how they selected the people who worked at Bletchley Park. His answer, which has been repeated a lot, including in the movie The Imitation Game, was that they looked for people who were crossword puzzle fanatics or champions. They were persistent, didn't let go of a challenge and had the ability to extrapolate information from snippets and clues. "Clue: 11 letters, AT-------on, ah, 'attenuation.'" I tell that story to say that I look for people, regardless of their background or major, who are problem solvers and think outside the box. Those are the tool developers. People who are persistent and don't give up until they reach a conclusion are the security/data analysts. They also are the academic researchers.
Another trait I look for is to see what hobbies they have. Are they athletic club coaches? Musicians or artists? Builders? What they do outside of cybersecurity is important for them in cyber. For example, I was a coach at the Division 1 level and club level. That was some of the best management training I could have received. I played in a touring band that put out nine albums and got award nominations and a win. That was the best public speaking training I could have received. Both taught me the discipline needed to excel at whatever I decided to do.
Cybersecurity doesn't require a CS or EE/ECE degree. The aptitude component is the key. So that's what I look for. One of my best cybersecurity students who's very successful in the field was an English major, Phi Beta Kappa, nationally ranked chess master and an indoor rock climber. He wouldn't make it past the federal government HR filters for cybersecurity jobs because his degree was in English and not CS/EE/ECE.
DL: What are your top cybersecurity priorities for the next two years at Virginia Tech?
RM: Continuing to increase cybersecurity awareness at the university and dealing with attackers armed with enough personal info obtained through external breaches to compromise our internal business checks.
DL: What is the biggest blind spot in the cyber industry today? Why? (Note: Randy answered this question before the CrowdStrike/Microsoft incident in July).
RM: Third-party software flaws. There's no good legal recourse for individuals/customers to hold vendors accountable for software flaws in their products.
One of my team leaders calls it "security by MBA." This is where accountants decide it's cheaper to accept a risk and impact a lot of people than it is to either hire the right people or actually fix the problem. This approach leads to long-term weaknesses in a company's IT security architecture.