North Dakota State University CISO Discusses What Makes A Successful Leader

With a shortage of skilled IT security workers, there is plentiful room for aspiring cybersecurity professionals to take on leadership roles within the industry.

Having a Chief Information Security Officer (CISO) or the equivalent function in an organization has become a standard in business, government and non-profit sectors. With more than 80 percent of large organizations employing a CISO, we wanted to interview CISOs across a wide array of institutions, with varying certifications and backgrounds. This month’s featured CISO is Theresa Semmens of North Dakota State University (NDSU).

Photo Courtesy of Theresa Semmens

Theresa Semmens has been at NDSU since 2003 and has worked in information security for over 14 years. During her career, Semmens served five years on SANS’ Higher Education Board and has been an active member of EDUCAUSE, a nonprofit dedicated to the advancement of higher education through information technology. Aside from being involved in various infosec committees, Semmens has given countless lectures and presentations on topics across the industry.

Apart from her strong interest in computer information systems, what drew Semmens to a career in information security was her interest in human behavior.

“Without the human element, there would be no need for information security,” Semmens notes.

By pairing her two interests, Semmens found a career she finds “challenging, invigorating, rewarding and frustrating at times,” and she enjoys the fact that no two days on the job are ever the same.

For Semmens, one of the accomplishments she is most proud of is employing NDSU student security analysts to assist with the day-to-day IT security functions around the office while preparing the students for successful careers in cybersecurity.

“Two of the four individuals that we have hired have been hired into full-time information security positions with well-known companies. The companies have been impressed with the students’ knowledge and experience,” Semmens notes.

For professionals looking to advance their careers in the cybersecurity industry, Semmens offers the following advice on what it takes to be a successful leader and how to develop the necessary skills.

How do I know if I would enjoy managing vs. doing?

You need to determine within yourself if you like to guide, encourage, coach and direct, or if you would “rather do it yourself.” Are you a visionary? Do you have a broad overall picture that you can contribute to the company? Know who you are and what your preferences are. If you are not comfortable providing guidance and direction and dealing with the bigger vision of the department or division, you may not be suited to leadership.

My advice to those looking to become leaders is to develop a vision – determine and visualize where you want to be in the next two years, next five years, and next ten years. Develop a plan of action that is strategic – determine what you will need to do and accomplish to reach those milestones. Be willing to adapt and detour – life will throw up barriers! Those detours and barriers will be your best life experiences to learn from.

How do I know if I would make a good IT manager or if I am more ideally suited for coding, UI and technical work?

  1. Do you like working with people?
  2. Do you like to teach others skills?
  3. Are you often asked to be a lead on teams?
  4. Are you comfortable being in front of and speaking to groups of people?
  5. Are you comfortable with scrutiny, contention and conflict?
  6. Are you good at resolving personality differences?
  7. Are you forward thinking and a visionary?
  8. Do you see the big picture and not just the details?
  9. Do you have an ethical mindset that is critical for a successful CISO?

If so, you may have the talent and skill set to serve as a manager. On the other hand, if you don’t like doing a lot of the items mentioned above, you might be better suited to a technical profession where you don’t have to deal with “people” issues. If you are good with organizational behavior, you will most likely be well suited for management.

What does it take to be a successful IT manager?

To be successful in leadership, you have to have a genuine interest in the human factor. Leadership integrates the “technical” with the human and social aspects of technology. It is the nexus between your workforce and executive leadership. It is how you meld your vision and forward direction into what fits and blends with the business vision, mission and objectives of the company. It is about creating the best environment possible for your staff to be productive and effective.

To do this, you need to be genuinely interested and concerned about people, who they are, how they work and what their expectations are as well as yours. It is relationship behavior and the soft skills needed to lead. Often managers focus on the personality and not the problem! Great managers and leaders lead by example and inspiration. They give credit and recognition to those who have earned it. They coach and guide those with potential to build up confidence and self-esteem to create a sense of worth and high morale in their teams and staff.

How do I develop the skills I need to be an effective leader?

For those who are interested in moving into a leadership/management role, you have to demonstrate that you are interested and willing to serve in those roles. Seek out opportunities within your department or division where you can highlight your leadership skills. Some suggestions include:

  • Volunteering to lead a small team that is serving on a section of a large project. While serving as a lead on that team, do you naturally encourage and support your team members to be innovative and creative? Do you offer constructive praise and criticism? Do you value diversity and ensure that all members have the same opportunities, or encourage them to take all opportunities afforded to them?
  • Work with an intern to help grow them in the skills they are trying to acquire for their chosen vocation. This is actually a great way to learn about management, because in this role you are serving as a guide, coach, teacher, leader, confidant and mentor. You will be working not only with teaching the intern the skills they need, but also how to learn and navigate the environment, culture and climate of the company.
  • Take professional development courses or college courses on leadership and management.
  • Visit with your director – let them know your intentions. A good director will work with you to help point out what you need to do to take the next steps into a leadership role. Advanced degrees and certification can be beneficial in obtaining your goals towards leadership. Both help to demonstrate that you are a continuous learner and want to further your knowledge and expertise.
  • Don’t be afraid to search for opportunities outside of your workplace. If you belong to professional organizations, volunteer to serve on committees and work groups. This gives you the ability to network with others within your field, which will provide you opportunities for growth and development. I have been involved with EDUCAUSE, a nonprofit association for IT leaders and professionals committed to advancing higher education, for the past several years. Through my involvement with EDUCAUSE, I have been able to lead workgroups and to serve on and co-lead a program committee.
  • Handling crucial conversations and conversations involving contention and disagreement is a required skill. Crucial conversations can include anything from campaigning for new needs that require an increased or additional budget to handling a dispute between two key talented staff members. Those conversations need to be multi-lingual. You have to learn to speak the varied languages within the business – accounting, marketing, sales, etc. Talk to them in their language, terms, or a story they can understand and assimilate. Most importantly, learn how to deliver a message that might have negative connotations in a positive format and tone.
Interested in learning the ins and outs of the cybersecurity industry from senior-level professionals? Then check back for our next CISO feature article coming soon.

Last month’s featured CISO: Virginia Tech’s CISO shares the main threats and dangers universities face from hackers.

A Day in the Life of Virginia Tech’s CISO

According to Educause’s “2016 Top 10 IT Issues,” information security is the No. 1 issue facing college and university IT departments. Learn how Virginia Tech’s CISO deals with the constant threat of being hacked.

(Photo Courtesy of Randy Marchany)

Having a Chief Information Security Officer (CISO) or the equivalent function in an organization has become a standard in business, government and non-profit sectors. With more than 80 percent of large organizations employing a CISO, we thought it would be interesting to interview CISOs across a wide array of institutions, with varying certifications and backgrounds. Our first CISO featured in our new A Day in the Life of a CISO series is Randy Marchany.

Randy Marchany is Virginia Tech’s Information Technology Security Officer and the Director of the Virginia Tech IT Security Lab. He’s been involved in the computer industry since 1972, before the terms CISO, cyber threat and firewall existed. Randy is a co-author of the FBI/SANS Institute’s “Top 10/20 Internet Security Vulnerabilities” document, which has become a standard for most computer security and auditing software.

As Virginia Tech’s IT security officer, how would you describe your role?

We are responsible for the data protection and security of a “small city” comprised of various business operations. Our campus includes retail outlets such as bookstores and dining facilities (credit card data), research centers (patents and intellectual property), HR functions (payroll), law enforcement, power and energy systems, plus day-to-day financial transactions (accounts receivable, purchase orders) in addition to responding to general cyber attacks and probes directed at university computer systems.

On top of the wide array of business centers, universities function as a commercial ISP to thousands of students and professors who use their own electronic devices over our network. Students can download anything to their computers over our network. Professors conduct online research and upload proprietary data to our servers. University staff needs to be able to freely connect with domestic and international students and businesses. As a result, my team’s role necessitates a cyber strategy that protects data and privacy across multiple channels and allows students and staff to conduct day-to-day functions.

What are the main threats and dangers universities face?

The biggest threats are IP theft and sensitive data breaches. Historically, hackers tried to gain access to university computers and use those computers to attack other websites. They used to follow a hit-and-run strategy. Today, hackers seek to maintain a presence on our network and gather sensitive information. We also see more attacks coming from other countries and these attacks are much more systematic and persistent.

Professors and graduate students are continuously conducting proprietary research, some of which is protected by government regulations. Each year, the federal government grants billions of dollars for research and development (R&D) to universities across the country. We strive to protect all of our university research and IP but fiscally funded R&D requires additional security measures. Some of these measures include physical security, increased security for email relating to research projects and compliance with federal security requirements such as NIST 800-53 and NIST 800-171 (Controlled Unclassified Information).

Student data and educational records are also protected by law. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA defines what type of data is classified as “directory” information. This includes data such as email address, house address, phone number and student class status. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. However, these rights transfer to the student when he or she reaches the age of 18 which can be frustrating to some parents whose child denies them the right to access.

How are universities handling the uptick in campus hacks?

The strategy of trying to prevent hackers from successfully gaining access to internal systems and networks across industry categories has failed. Years ago we introduced firewalls to protect our borders and hackers figured out how to break through. Now we operate a continuous monitoring strategy which assumes someone has already hacked our network and we use network security and monitoring tools and processes to hunt down compromised systems inside our network.

Since we have a BYOD (bring your own device) policy, the university acts as an ISP to thousands of individual devices (e.g. tablets, phones, computers, etc.). Therefore, we have moved from the strategy of protecting the devices to protecting the data stored on the devices. In the “old days”, the network border or firewall was a clearly defined entity. However, with wireless networks, the protective border is now the individual machine.

Our strategy also focuses on monitoring outbound network traffic and using external threat intelligence services to determine if this traffic is headed to suspicious sites on the Internet. Traditional network monitoring focused more on inbound traffic. Hackers started using techniques such as phishing, where the user receives an email asking them to click on a link inside the email, or infected ads that are displayed on commercial web sites.
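A small illustration of the outbound-monitoring approach Marchany describes, added here as an example and not code from Virginia Tech or the interview: constructed outbound flow records are matched against a constructed indicator list standing in for an external threat-intel feed (IP ranges and domains, with parent-domain matching), and hits are grouped per internal host so a hunt team knows which systems to examine first. All addresses and domains are placeholders from documentation ranges.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed indicator list standing in for an external threat-intel feed.
# Values are placeholders from documentation ranges, not real indicators.
BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BAD_DOMAINS = {"beacon.example", "cdn-updates.invalid"}

# Constructed outbound connection records shaped like a flow log:
# timestamp, internal host, destination IP, destination domain ("-" if none), bytes out.
SAMPLE_LOG = """\
2016-03-01T10:00:01 10.1.4.22 198.51.100.8 www.example.org 1200
2016-03-01T10:00:07 10.1.4.22 203.0.113.45 - 560
2016-03-01T10:01:02 10.1.9.3 192.0.2.10 api.beacon.example 300
2016-03-01T10:02:45 10.1.9.3 192.0.2.11 cdn-updates.invalid 800
2016-03-01T10:03:10 10.1.4.22 203.0.113.46 - 570
2016-03-01T10:04:00 10.1.9.3 203.0.113.9 - 420
"""

Hit = Tuple[str, str, str]  # (destination IP, destination domain, reason)

def domain_matches(domain: str) -> Optional[str]:
    """Return the listed domain that matches, checking parent domains too
    (api.beacon.example matches the indicator beacon.example)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None

def check_record(line: str) -> Optional[Hit]:
    """Match one outbound record against the IP and domain indicators."""
    _ts, _host, dst_ip, dst_domain, _nbytes = line.split()
    ip = ipaddress.ip_address(dst_ip)
    for net in BAD_NETS:
        if ip in net:
            return (dst_ip, dst_domain, f"ip in {net}")
    if dst_domain != "-":
        matched = domain_matches(dst_domain)
        if matched:
            return (dst_ip, dst_domain, f"domain {matched}")
    return None

def hunt(log_text: str) -> Dict[str, List[Hit]]:
    """Group indicator hits by internal host, hosts with the most hits first,
    so the team knows which systems to look at before the rest."""
    hits: Dict[str, List[Hit]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            hit = check_record(line)
            if hit:
                hits[line.split()[1]].append(hit)
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))
```

Parent-domain matching is done label by label rather than by substring, so a lookalike such as beacon.example.com does not match the indicator beacon.example.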

What skills does one need to be successful in cybersecurity or as a CISO?

There are at least three critical skills you need to be a successful CISO:

  • Communication skills, or what we call “geeks who can speak.” As the CISO of Virginia Tech I give many presentations inside and outside the university. I need to be able to talk about complicated information and tech topics to low-tech audiences as well as high-tech audiences. I also need to formulate and communicate strong business arguments to convince upper management to spend money on technology and security initiatives.
  • A technical background is critical. You need to be able to talk to your tech team and understand what they are facing in the trenches. If you don’t understand the technical aspects as to why your team is unable to solve a problem or why your team needs more time and resources then you and your team will not be effective.
  • A basic understanding of business operations is also important. Knowing how corporate finances are calculated and how to prepare a budget can go a long way. Plus, no matter what type of company you work for, you need to understand the business process first in order to create an effective Information Technology security program.

What advice would you give to people starting their cybersecurity careers?

  • Find a good mentor. I was very lucky. My boss was my first mentor and he was a terrific manager. If you can’t find a mentor on your team or within your company, reach out to organizations such as Educause, which offers a mentor program.
  • Don’t be afraid to fail. You are up against highly skilled elite hackers from nation states. You are going to lose a couple of battles so learn from your mistakes and ask yourself, “What did I learn from this hit that will help me prevent another hit in the future?”
  • Learn the business processes of your company. Understand how the various departments function and interact, plus why processes operate the way they do. Companies are in business to make money, and often security is viewed as an impediment to making money. CISOs need to work around the business model and incorporate security practices into the business process.
  • Build a network of key players in your organization. Establish relationships with colleagues higher up on the organizational chart who get things done and are well-respected.

How do you see the CISO role evolving over the next 5 years?

  • The CISO position needs to be elevated to the management team. The scope of the CISO’s authority in organizations is wide and needs to be higher up. In my job, I report to the university CIO, who reports to the President of the university.
  • The skill set required to succeed as a CISO will become more balanced in terms of policy development skills, communication skills and tech skills. Currently, I believe CISOs are more skilled in policy making than in technology. I came up through the tech ranks and then I started writing university policy 10 to 15 years ago. I think it’s easier to start by acquiring tech skills and then learn how to write policies and make management presentations.

This interview is part of our monthly “A Day in the Life of a CISO” series.