Randy Marchany

Randy is the Chief Information Security Officer of Virginia Tech and the Director of Virginia Tech's IT Security Laboratory and has 25 years experience as a systems administrator, IT auditor, and security specialist. He is a co-author of the original SANS Top 10 Internet Threats, the SANS Top 20 Internet Threats, the SANS Consensus Roadmap for Defeating DDoS Attacks, and the SANS Incident Response: Step-by-Step guides. Randy is currently a senior instructor for the SANS Institute and has taught a wide variety of courses over the years. Currently, he can be found teaching SEC566: Implementing and Auditing the Critical Security Controls on a regular basis.

More About Randy


Randy holds the unique position of being the longest running SANS Instructor on the planet. After one of his Solaris systems got hacked in 1991 (part of the attack described in the book @Large: The Strange Case of the World’s Biggest Internet Invasion), he submitted a proposal for a talk to a startup called the SANS Institute in 1992. Alan Paller invited him to work on some projects with them and he’s been doing cybersecurity work with SANS and in his professional career ever since.

Having always liked computers, Randy has been in IT for 45 years, starting as an IBM Systems Programmer. He then moved to writing data acquisition software for lab experiments using Intel 808x processors (now called IoT), was a VAX sysadmin for 10 years, a Unix (DEC Ultrix, Solaris, IBM-AIX, HP-UX, Centos, Ubuntu) and a sysadmin for 14 years. Working in a university gave him access to cutting edge technology that was almost always 3-5 years ahead of the "real world". He was involved in the efforts to connect the university and the town it resides in to “the Net” – the first in the country to do so. They built the 3rd fastest supercomputer in 2004 using 1300 Mac G5 in a grid and were one of the first EDUs to teach practical cybersecurity courses starting in 1998. Randy has mentored 14 PhD, 13 Masters students, countless SANS instructors coming up through the pipeline, and co-holds 3 cybersecurity patents with graduates of the VA Tech lab.

As a consultant for Ernst & Young for about a decade in the late 90’s and early 2000’s, he trained the 1st wave of IT auditors in that industry. Alongside one of the associate partners, he built the first hacker lab for E&Y in their NY office. He trained auditors in IT security while they trained him in audit strategies. He has experience in a wide variety of technologies and industries and this experience is one of the things that makes him uniquely qualified to teach a wide variety of topics at SANS.

Randy’s teaching philosophy is to push the students and ask them questions. Rather than reading slides, he provides them real world examples of what is explained in the slides, which show his students how the "book" knowledge converts to actual things. He challenges his students to fail – repeatedly – as this is where the learning occurs. In his own words, Randy did not become a cybersecurity expert by reading a book, but because he got hacked a LOT of times. He learned from each incident and gathered more experience to help prevent future incidents. As a teacher in a professional and academic environment, it's his job to inspire his students. Seeing something "click" with a student is the thing he always hopes to see.

Randy is one of the founding members of the US Cyber Challenge (USCC). The USCC mission is to significantly reduce the shortage in the cyber workforce by serving as the premier program to identify, attract, recruit and place the next generation of cybersecurity professionals. Top scorers in national CTF competitions are invited to obtain intensive cybersecurity training at week-long camps around the US. He also designs the curriculum for these summer camps.

He was a member of the Center for Internet Security development team that produced and tested the original CIS Solaris, HPUX, AIX, Linux and Windows2000/XP security benchmarks and scoring tools. He was a member of the White House Partnership for Critical Infrastructure Security working group that developed a Consensus Roadmap for responding to the DDOS attacks of 2000. He has written or co-authored over 40 papers and articles on cybersecurity. Randy is a former member of the REN-ISAC (Research, Education, Networking Information Sharing and Analysis Center) board. He is a member of the EDUCAUSE security task force focusing on risk assessment and security metrics and a member of its Higher Education Information Security Council (HEISC). He is an executive committee member of the Virginia Cyber Range (www.virginiacyberrange.org). Randy is one of the founders of the Virginia Alliance for Secure Computing and Networking (www.vascan.org), a consortium of security practitioners and researchers from the major universities in Virginia.
Randy was a recipient of the 2016 Shirley C. Payne IT Security Advancement award, the 2000 SANS Institute's Security Technology Leadership Award, the 2003 VA Governor's Technology Silver Award, a member of the team that won the EDUCAUSE Excellence in Information Technology Solutions Award in 2005 and a member of the Virginia Cyber Range team that won the 2017 Virginia Governor’s Technology Award for innovative use of technology in education. He is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition.
Randy lives out his belief that one must do something other than computers, as cross-training is good for the mind. He is acknowledged as one of the North American masters of the hammer dulcimer and is the author of the original theme song of National Public Radio's nationally syndicated radio program, "World Cafe". His band, "No Strings Attached" was nominated for or won "Indie" awards (independent record label's version of the Grammy) for Best Album (String Music) category in 1984, 1985, 1986, 1988, 1990. Playing in this band for nearly 30 years helped teach Randy how to relate to an audience. He has been a college level volleyball coach, rides bicycles and motorcycles, and loves reading history books and visiting any museum he can.

Listen in to Randy teaching about the 20 Critical Security Controls in this SANS webcast.



What's New with the CIS Controls v8, June 2021

What's New with the CIS Controls v8?, RSA 2021, May 2021

Cleaning Up Our Cyber Hygiene, August 2020

Making and Keeping Work at Home Operations Safe and Productive, May 2020

SANS @MIC Talk - Secure Video Conferencing - What to Train Your Workforce On, April 2020

The 20 Critical Security Controls: From Framework to Operational to Implementation, June 2019

For more webcasts with Randy, please refer to the SANS Webcast Archive.