Maximizing Cyber Non-Profits
For months, a group of us has been working on a side project, and we went public today – nonprofitcyber.org
It’s the work of a group of friends (old and new) and friends of friends, dozens of us who work for a special group of cyber non-profits. We create guidance, standards, and best practices, conduct research, educate individuals and businesses, build and share great tools, and operate essential infrastructure. While we have different missions and business models, we all view our work as service in the public interest. We are centers-of-gravity for volunteerism and collaboration. And collectively, we are essential resources improving cyber defense for every enterprise, in every dimension, and for the ecosystem as a whole.
I spent the first 35 years of my career working in cyberdefense at the National Security Agency. I retired in 2012 and soon settled into my second professional home at the Center for Internet Security. From here, I was struck by the great work at CIS and other “kindred spirit” cyber non-profits, something I knew about but never fully appreciated while serving in the “ultimate non-profit” (the Federal government). And while there are many friends, colleagues, and partnerships in the cyber non-profit community, I started thinking about how much we might accomplish if there were a way to self-organize and actively align work, products, roadmaps, etc. I even put in (unsuccessful) RSA proposals on the topic.
And like everything else in my career, I quickly found friends and colleagues who were already thinking about the same thing. Over the last few months, these conversations turned into commitments, and so here we are.
Special thanks to Phil Reitinger of the Global Cyber Alliance, who did the heavy lifting to get this going, and to the team at the Cloud Security Alliance, who did amazing work creating our web presence. Many others chipped in with great ideas, sample documents to get us started, and more.
There’s already some positive press and commentary out there. But the proof will be in the action, not the good intentions, so let’s get to it!
P.S. RSA did accept my latest proposal on this topic, so maybe this is an idea whose time has finally come. Below is the long-form abstract, written with my co-speaker Kiersten Todt (currently Chief of Staff at CISA, formerly with the non-profit Cyber Readiness Institute). Join us there!
TITLE: Maximizing Our Cyber Non-Profits
Description (max 2500 characters):
It’s tempting to think of cybersecurity as driven primarily by technology, governments, and the commercial marketplace. These are all essential, but there’s an underappreciated engine that drives a lot of vital activity. Cybersecurity non-profit organizations are essential resources improving cyber defense for every enterprise, in every dimension, and for the ecosystem as a whole. We create guidance, standards, and best practices, conduct research, educate individuals and businesses, build and share great tools, and operate important infrastructure. Non-profits are often natural “integration engines”, bringing together great people and ideas across technical disciplines, the public and private sectors, industry sectors, and even across national borders. And non-profits can also be the place where individuals or small enterprises can have impact equal to the largest enterprises.
While we have different missions, and operate using a wide variety of business models (e.g., company sponsorship, grants, licensing, individual and enterprise membership), many of us share key attributes: we view our work as service in the public interest; we are centers-of-gravity for volunteerism, gathering incredible technical depth, diversity, and energy towards collective action; and we each empower and represent a large base of individual, enterprise, and industry adopters.
It’s not actually correct to call the community of cyber non-profits an engine; it’s more like hundreds of engines covering the entire cyber ecosystem. While this community includes lots of friends and former colleagues, and plenty of examples of cooperative (mostly bilateral) work, there isn’t really a mechanism for ongoing sharing or alignment of priorities and output. Yet the collective resources and energy of this community, aligned in a common direction, where it makes sense, would be an incredible resource for good.
In this session, we’ll take a broad look at the community of cybersecurity non-profits and their missions. We will highlight several, focusing on those that are dedicated to service in the public interest and that serve essential or unique roles industry-wide. We’ll also discuss how these non-profits interact with industry, with government, and with each other. Finally, we’ll describe efforts to build cooperation and organize this community as a whole – how to define and execute collective action, and align with national and broader priorities, while staying true to our individual missions.