Gender disparities exist in most industries, so it is no surprise that cybersecurity is one of them. Men have always dominated the profession, and they continue to do so now.
According to recent statistics, only 24% of the global cybersecurity workforce comprises women.
Despite these numbers, many women have worked hard in recent years to break the glass ceiling in cybersecurity and move the gender needle closer to equal representation.
Meet Katie Moussouris, the woman who beat the odds to become the founder and CEO of Luta Security, a company that helps organizations improve vulnerability coordination as part of their overall security.
Katie grew up in Boston, Massachusetts, and later lived in San Francisco. Her mother, Anuncia Donecia Songsong Manglona, was a single mother from the Mariana island of Luta.
Katie identifies with the Chamorro indigenous people of the Mariana Islands. She grew up watching the Chamorros ground their culture and norms in heritage and in knowing where they came from.
Her mother, a Native Pacific Islander scientist who worked as an in vitro fertilization and stem cell researcher, faced gender and racial discrimination, even though her job included training other doctors.
Early Interest in Computers
Katie Moussouris' interest in computers began when she was eight years old and in third grade, when her mum bought her a Commodore 64, an 8-bit home computer that was a massive hit at the time.
She soon got bored and asked her mum to buy her another game. Since there was not enough money for one, her mum gave her the manual, a programming book, instead.
Katie started copying some programs from the book, learned about syntax errors, and discovered that punctuation was critical in programming. She already knew a lot of the basics of computer programming before getting to high school. She was the first girl in her school to take AP Computer Science.
Katie enrolled as an undergraduate at Simmons College (today Simmons University), known for its progressive educational philosophy. It is one of only a few private colleges that did not impose admission quotas on Jewish students during the 1900s.
Despite her passion for computer science, she enrolled in a molecular biology and mathematics course. She worked part-time in an MIT Whitehead Institute Lab for the Human Genome Project while studying.
The Human Genome Initiative was an international scientific research project that aimed to discover the base pairs that make up human DNA and identify, map, and sequence all the human genome’s genes, both physically and functionally. It is still the most significant collaborative biological effort in the world.
Katie took a side job as a lab assistant at the Whitehead Institute for Biomedical Research, an independent entity affiliated with MIT. After three years, she was promoted to systems administrator for the MIT Department of Aeronautics and Astronautics, where she helped design a computer system for a new lab set up in 2000.
Katie also worked as a systems administrator at the Harvard School of Engineering and Applied Sciences.
After working for Harvard, Katie moved to California to work for TurboLinux as a Linux software developer. TurboLinux provides Linux-based software solutions for internet and business use.
Katie Moussouris was active in the West Coast hacker community and joined @stake as a penetration tester in 2002 at Chris Wysopal’s invitation.
@stake, Inc. was a computer security professional services firm based in Cambridge, Massachusetts, and founded in 1999. Dan Geer and the Cambridge Technology Partners East Coast security team were among its early core technologists.
Work at Symantec
Symantec is a United States consumer software corporation that develops software to protect computers from viruses, trojans, and other malicious software, and from hackers.
Katie Moussouris joined Symantec when it acquired @stake in October 2004. That year, she established and led the first program that allowed Symantec researchers to publish vulnerability research.
Career at Microsoft
Katie Moussouris left Symantec in May 2007 to work for Microsoft.
She was the Senior Security Strategist Lead at Microsoft from September 2010 to May 2014. During that time, she led the Security Community Outreach and Strategy team as part of the Microsoft Security Response Center (MSRC) team.
Katie had the privilege of attending Black Hat 2008 in London, an event that brought together great minds in the cybersecurity field to discuss the future of the security landscape.
At this event, she announced the Microsoft Vulnerability Research (MSVR) program, which she had conceived. The program aimed to analyze software vulnerabilities and exploit methods, track new attack vectors, and discover novel techniques and approaches to software security.
Also at Microsoft, she created the Microsoft BlueHat Prize, an incentive to encourage the security research community to collaborate with the industry.
The top prize of $200,000 was the largest cash reward ever offered by a software manufacturer.
During her time at Microsoft, she also established the company's first bug bounty program, which paid out over $253,000 for 18 vulnerabilities discovered.
What’s a Bug Bounty Program?
A bug bounty program is a sponsored, organized effort that compensates security researchers for discovering and reporting previously unknown network and software security vulnerabilities. Bug bounties let digitally connected businesses manage and reduce their cybersecurity risk.
In 2015, a year after leaving the company, Katie filed a class-action discrimination complaint against Microsoft in federal court in Seattle.
Katie claimed that Microsoft's hiring policies perpetuated sex discrimination against women in technical and engineering roles, not only in compensation but also in promotions and other terms of employment.
Although she herself had gained recognition, she felt that the women she left behind would continue to suffer. She wanted Microsoft to change its attitude toward women, and many women admired her boldness.
Katie attributes the court's denial of class-action status to a legislative climate that is unfriendly to many individuals, not just women and underrepresented minorities.
Katie Moussouris was appointed Chief Policy Officer of HackerOne in May 2014. HackerOne, a vulnerability disclosure company, was founded by hackers and security leaders passionate about making the Internet safer.
Moussouris was in charge of the company's vulnerability disclosure strategy and of promoting and legitimizing security research among organizations, legislators, and policymakers.
While still at Microsoft, Katie began negotiating a bug bounty program with the federal government. She maintained these discussions when she joined HackerOne.
Many websites, organizations, and software companies run bug bounty programs in which individuals can gain recognition and compensation for reporting bugs, particularly security vulnerabilities and exploits.
These programs help developers find and fix bugs before the broader public discovers them, preventing widespread exploitation. Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty are just a few of the organizations that have introduced bug bounty programs.
Bug bounty programs are now used outside the technology industry as well, including by typically conservative entities such as the US Department of Defense.
Hack the Pentagon
The Hack the Pentagon pilot, the United States Government's first-ever bug bounty, ran from April 18, 2016, to May 12, 2016.
As chief policy officer at HackerOne, Katie assisted the Defense Department in launching the Hack the Pentagon initiative, the first federal bug bounty program, which compensated hackers who found vulnerabilities in the Department of Defense's public-facing websites.
It gave hackers legal permission to use specific hacking techniques against Department of Defense (DoD) websites, with financial rewards for successfully submitted vulnerability reports. The pilot produced impressive results that far exceeded expectations.
The Pentagon's bug bounty programs are part of a policy shift in which various US government agencies have moved from threatening white-hat hackers with legal action to inviting them to engage under a vulnerability disclosure framework or policy.
The program’s goal was to encourage the next generation of hackers to come forward and assist the government without fear of legal repercussions or incarceration.
One example is Dworken, an 18-year-old who hacked the Pentagon during the initiative; he was one of 1,400 people chosen to participate in the Hack the Pentagon beta program.
During the 24-day Hack the Pentagon pilot, 138 vulnerabilities in DoD assets were fixed, demonstrating the efficacy of bug bounty challenges.
Hack the Air Force
Hack the Air Force was Moussouris' response to the Pentagon's effort. On October 20, 2016, the Department of Defense announced a three-year deal with HackerOne to extend these initiatives to other agencies.
Secretary of the Army Eric Fanning spearheaded the first of these programs, Hack the Army, which remains the most ambitious government bug bounty program.
Shortly after the launch of Hack the Army, the US Department of Defense (DoD) published its Vulnerability Disclosure Policy (VDP) on HackerOne, laying out a legal path for any hacker to submit vulnerabilities in any DoD public-facing system. This policy is a first for the United States government.
Currently, Katie is a member of the Cyber Safety Review Board, the Information Security and Privacy Advisory Board, and the Information Systems Technical Advisory Committee for the United States government. She advises the government on the benefits of security research and hacking to keep the internet safe.
Luta Security
Moussouris founded Luta Security in April 2016. The name comes from Luta, the island in the Northern Marianas where her mother was born. Luta Security uses a holistic strategy to help governments and companies improve their security maturity.
The firm helps clients mature their vulnerability management and improve the ROI on their security investments by identifying and addressing gaps in people, process, and technology.
Luta Security guides enterprises at every stage of vulnerability coordination, whether a company is just starting with vulnerability disclosure or has already implemented a bug bounty program.
Luta Security's current and former clients include the National Cyber Security Centre (NCSC), Facebook, and Zoom.
1. Co-Editor of the ISO Vulnerability Disclosure Standard
Katie is known for spearheading responsible security research and vulnerability disclosure. She has helped edit the ISO/IEC 29147 vulnerability disclosure document, titled 'Responsible Vulnerability Disclosure', since around 2008.
The ISO standard is a set of recommendations for disclosing suspected security flaws in products and internet services. It outlines the approaches a vendor should take to handle vulnerability disclosure.
One major setback of the ISO standard was that vendors who wanted to follow it had to pay for it. Following a request from Katie Moussouris and the CERT Coordination Center's Art Manion, ISO made the standard freely available for download.
Katie Moussouris remains a subject matter expert as co-author and co-editor of ISO 30111 (vulnerability handling processes) and ISO 27034 (secure development).
2. New America Fellow
Katie Moussouris was a Cybersecurity Fellow at New America from 2015 to 2016.
The New America Foundation is a US think tank established in 1999. Its fellowship brings together a diverse, select group of academics, technologists, practitioners, and others for a one-year program designed to elevate voices that would otherwise go unheard in critical policy circles.
3. MIT Sloan School
Moussouris is occasionally a visiting scholar at the MIT Sloan School of Management, where she researches the economics of the vulnerability and exploit market.
In 2017, she co-wrote a book chapter on the first system dynamics model of the vulnerability and exploit market economy, published by MIT Press.
4. Harvard Belfer Affiliate
Katie is also an affiliate researcher at the Harvard Belfer Center for Science and International Affairs, where she conducts economic research on the labor market for security bugs.
The center was founded to analyze arms control and the reduction of nuclear threats, and it serves as the focal point for Harvard Kennedy School research.
5. CFP Review Board for RSA
Katie serves on the CFP review boards for RSA, the O'Reilly Security Conference, and Shakacon.
The Certified Financial Planner Board of Standards, Inc. (CFP Board) is a non-profit organization that promotes professional standards in personal financial planning in the public interest.
The CFP Board establishes and enforces the standards for CFP certification, which is the recognized gold standard for personal financial planning. The CFP Board headquarters is in Washington, DC.
6. The Center for Democracy and Technology
Katie works as an advisor to the Center for Democracy and Technology. The Center for Democracy & Technology (CDT) is a non-profit organization based in Washington, DC.
It preserves the Internet’s unique nature, improves global freedom of expression, protects fundamental privacy rights, and strengthens legal controls on government surveillance by finding practical and innovative solutions to public policy challenges while protecting civil liberties.
Wassenaar Arrangement Amendment
Ms. Moussouris is one of two official US technical experts from private industry working with a delegation to renegotiate the Wassenaar Arrangement. She helped secure clarified exemptions for vulnerability disclosure and incident response in its export restrictions.
The Wassenaar Arrangement is a 41-nation export control framework that promotes transparency in national export control regimes for conventional weapons and dual-use goods and technologies.
It was designed to protect citizens from human rights violations. However, the arrangement was revised in 2013 to cover intrusion software, a change with the potential to devastate the cybersecurity community.
She wrote an open letter in Wired magazine criticizing the move as harmful to the vulnerability disclosure industry because of its overly broad definition, and invited fellow security experts to submit comments to help regulators understand how to implement the changes.
As a result, she was invited as a technical expert to assist the United States in the Wassenaar Arrangement negotiations, and she helped rewrite the amendment to adopt end-use decontrol exemptions based on the user's intent.
Women in IT Security List
SC Magazine named Moussouris to its Women in IT Security list. The SC Media Women in IT Security program honors leaders who have faced security challenges and positively affected the advancement of cybersecurity in government or the private sector.
America’s Top 50 Women In Tech recognition by Forbes
In 2018, Forbes featured her in its lists of The World's Top 50 Women in Tech and America's Top 50 Women in Tech.
The Top 50 Women in Tech list ranks technologists in five categories: Moguls, Founders, Innovators, Engineers, and Warriors. It shows the breadth and depth of female entrepreneurs changing the world.
Moussouris has forged a better path for herself, rising through the ranks at Microsoft, Symantec, and HackerOne, working with the government, establishing herself as a pioneer of the bug bounty model, and founding her own company, Luta Security.
But, despite her success in cybersecurity, she has never forgotten her mother’s experience of discrimination.
As a result, she established the Pay Equity Now (PEN) Foundation in 2020.
The foundation's goal is to encourage businesses to conduct audits and take corrective action on their own. Where they do not, its law center will advocate for new laws and legal precedents that allow employees to hold them accountable in court.
Anuncia Donecia Songsong Manglona Lab
Moussouris donated $1 million to Penn State Law in 2021 to establish the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity, named after her mother. Through her Pay Equity Now Foundation, she wanted to honor the memory of her late mother.
The lab conducts and translates research on key technology policy issues to inform policymakers and drive technology business models toward sustainability and ethical behavior.
The Key Takeaway
As a female entrepreneur in a male-dominated profession, Katie Moussouris faced societal biases. Despite her disappointments, Katie pursued her dreams and built what she believed in, becoming the world’s top cybersecurity expert.
Many industries still feel her immense contribution to cybersecurity. Businesses rely on security programs to protect themselves from cybercrime that could expose a company's sensitive information.
Katie proved that gender shouldn’t be a hindrance to success in any industry. Her example is one of believing in oneself and achieving success.