Women in IT Security, Advocates

Katie Moussouris: building around core values, labor rights principles

Katie Moussouris, CEO of Luta Security, at a military event. Moussouris launched the DoD’s “Hack the Pentagon” vulnerability disclosure program while chief policy officer at HackerOne.
Katie Moussouris, CEO of Luta Security, at a military event. Moussouris launched the DoD’s “Hack the Pentagon” vulnerability disclosure program while chief policy officer at HackerOne.

Katie Moussouris says it took starting her own business before she was actually paid her true worth as a top vulnerability disclosure expert.

Now, as one of a handful of women who founded their own cybersecurity companies, she’s instituting corporate policies that respect labor, and ensures inclusivity, fairness and equal pay.

Click here for complete coverage of SC Media's 2020 Women in IT Security

“There's certainly a lot that I'm learning about leading while female. It's not a path that there are necessarily a lot of blueprints for me to follow,” said Moussouris, CEO of Luta Security, a company designed to help governments and complex organizations create results-driven vulnerability disclosure and bug bounty programs that also justly reward hackers for their work, rather than exploiting them.

“Luta Security is built on some core values and principles around labor rights and labor mobility that I find to be personally important,” Moussouris explained. For instance, when Luta Security hires a new employee at a certain salary, the company will also raise the salaries of any preexisting employees who have equivalent job responsibilities.

Moussouris sees her leadership position as an opportunity to create meaningful change. “Sure, it's nice to have more women who are at the table in terms of influence, decision-making and at the heads of companies,” she said. “But I think that if we're just creating more companies in the mold of sort of these patriarchal and white supremacist systems that we all grew up in, then we're missing an opportunity here to change what fundamentally companies do with its workers, and how companies take charge and accountability and proactively maintain fair pay.”

A true bug bounty trailblazer, Moussouris created Microsoft’s first-ever bug bounty program, and launched the Department of Defense's “Hack the Pentagon” vulnerability disclosure program while chief policy officer at HackerOne. She also developed industry's first vulnerability coordination maturity model for companies to self-assess their bug reporting and mitigation processes.

But not everything is a fond memory: In 2015 Moussouris sued Microsoft for alleged gender discrimination against female employees – a charge the company reportedly denies. A federal judge would not grant the lawsuit class-action status, however, after agreeing with Microsoft that there were no specific internal policies that showed the software giant was intentionally underpaying women or passing them over for promotions.

For this reason, Moussouris is founding a new university-based law center – named after her late mother – that will look specifically at these types of cases. “The law center is going to focus on examining the state and federal laws… that have to do with gender and racial pay issues, and especially the laws that govern certifying class-action lawsuits,” in hopes that labor-unfriendly ones get overturned, she said.

Additionally, Moussouris is set to launch a new foundation with a mission to ensure equal pay in cybersecurity “within our lifetimes.”

The not-yet-officially-announced foundation is currently drafting a three-point pay equity pledge for organizations. Said Moussouris: “The first point is just acknowledging that unconscious bias exists. And one of the symptoms of bias is pay inequity. And the second point is, we will audit for symptoms and evidence of equity and root it out when we find it. And then the third point is, that we'll just make corrections when we find instances of pay inequities.”

One area where Moussouris feels there’s been better progress is the public and private sectors’ perceptions of bug-hunting hackers. Now, as cybersecurity’s “first wave of professional hackers enter our mid-careers,” said Moussouris, “we are the C-level executives” now. “We’re the founders of our own security companies. We were sort of our punk rock rebellious selves, speaking truth to power, then power started listening, and then we became the power. So we are the new steering committee of where this is going. And hopefully – hopefully – the world will benefit a bit from our experience and what we've seen.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.