IT Security Office named a Top 50 Information Security Team

Virginia Tech’s IT Security Office has been named a Top 50 Information Security Team for 2025 as part of the OnCon Icon Awards.

The OnCon Icon Awards celebrate outstanding achievements of worldwide organizations and teams. Winners are selected by their peers in the community, who vote based on the team’s impact within their organizations and the broader industry, contributions to their professional communities through ideas and innovation, and demonstration of exceptional leadership. As a Top 50 Information Security Team, the IT Security Office joins a list that includes internationally recognized companies including Amazon Web Services, Cisco Systems, and the U.S. Army. 

“The Top 50 award is a testament to the expertise, teamwork, and dedication of our team, who is actively keeping Virginia Tech’s systems, infrastructure, and community safe from cyberattacks,” said Randy Marchany, the university's information security officer who has led the IT Security Office since 2010.

The IT Security Office consists of 11 full-time faculty and staff, plus graduate assistants and undergraduate student workers who support the team's work while building their own cybersecurity skills. The office has nearly doubled in size over the last few years and is organized into four teams that work together to protect the university's information security from all angles. 

The Red Team includes Brad Tilley, TingTing Jiang, and Caeland Garner and protects the university’s data and IT assets by testing systems for vulnerabilities — think of them as playing offense.

The Blue Team includes Jeff Lang, Beth Lancaster, Paul Mather, and Shane Mullins and is the defense squad,  on the front lines for incident response, monitoring network traffic, and conducting forensics to identify and stop threats.

The Green Team, made up of Mary Stewart and Michael Surratt, offers risk and compliance expertise, conducting regular risk assessments of university systems and ensuring compliance with laws or regulations.

The Purple Team, made up Zach Mitcham, monitors the 24/7 Security Operations Centers and manages the overall IT security awareness program. 

In the last year, the IT Security Office (ITSO) has: 

• Launched a new annual IT security training course that allows employees to complete their state-required annual training in less than 15 minutes — increasing compliance from under 10 percent to over 97 percent
• Hosted two cybersecurity table top exercises for university IT staff to practice and provide feedback on incident response
• Performed 494 vulnerability scans for university departments
• Conducted 96 penetration tests to identify potential security problems
• Detected and recovered 196 compromised user accounts 
• Created customized dashboards that provide increased visibility for departments into the status of their cybersecurity profiles, empowering leadership and IT personnel to be proactive in protecting their assets
• Continued the Bug Bounty program, where faculty, staff, and students can report critical security flaws in university programs and receive an award if the flaw is verified

“The ITSO teams have over 120 years of combined experience in cybersecurity and average three to six industry certifications each such as the CISSP, GIACs, CISA. They have contributed a number of tools, standards, checklists, articles, seminars, presentations  to national and international conferences and the internet cyber security community,” said Marchany. “Virginia Tech is extremely lucky to have these individuals working to ensure the university operates in a cyber safe environment. They are truly one of the best teams in the higher education community. Am I proud of them and their accomplishments? You bet.”