How Santa Clara University Scales Security With a Small Team and Big Community
Santa Clara University (SCU), a Jesuit institution in the heart of Silicon Valley, runs on innovation, and that includes cybersecurity. But with just four people on its security team serving over 12,000 students and employees, scaling security was a growing concern.
For Kristen Dietiker, CISO at SCU, the challenge was clear: How do you protect a constantly evolving and expanding digital environment with limited staff and countless connected assets?
But Dietiker didn’t have a year to grow her security team. Traditional security testing felt impossible to scale. She needed something to extend her team’s reach without overwhelming them.
Turning to the Power of the Community
71% of CISOs at educational organizations currently use bug bounty programs with the primary purpose of identifying unknown vulnerabilities*, and Dietiker knew of other universities with bug bounty programs. She was likewise drawn to the model, both as a way to tap into the power of a community to scale her small security team and as an entryway for students to learn cybersecurity.
“It appealed to me for two reasons,” she said. “First, it improves our security posture. But equally important, it gives our students an experiential learning opportunity.”
Dietiker decided to join the 71% of CISOs and start SCU’s very own private, student-driven bug bounty program, where students and staff could test university systems ethically. The program’s dual purpose of enhancing security while developing students’ skills fits perfectly with SCU’s Jesuit values of education, ethics, and community service.
“I work in higher ed because I value its ability to transform lives,” she said. “If students can learn ethical hacking and help improve our security hygiene at the same time, that’s a win-win.”
Building Buy-In Across Campus
Gaining executive buy-in can often be a hurdle for security initiatives, but in SCU’s case, tying the program to its educational mission made approval easier.
“The hardest part is usually the budget,” Dietiker said, “but we found a way to fund it within our department. Once we showed that this would give students a safe and structured way to learn, there was no pushback.”
To keep things organized, Dietiker and her team introduced an application process for student participants. Applicants had to be in good academic standing and demonstrate technical interest. SCU’s finance and IT departments also established an internal audit process to ensure transparency in bounty payouts, underscoring the program’s ethical foundation.
Managing the Fear Factor: Quality Over Quantity
When Dietiker first pitched the idea of a bug bounty, there were natural concerns from IT and infrastructure teams.
“They were afraid we’d be overloaded with bug reports,” she said. “But the fact that HackerOne manages triage and remediation support made all the difference.”
With the operational and financial barriers removed, the university’s decision came down to principle: act now or keep accepting unseen risk.
But Dietiker knows waiting is riskier: “Those [vulnerabilities] are going to exist regardless if you have a bug bounty or not,” she said. “So you better be the ones finding them.”
HackerOne Bug Bounty gave Santa Clara University the capacity to act, the confidence to launch, and the assurance that every report would move them closer to a more secure campus.
Even in its early stages, the program has already improved how SCU’s security team monitors its digital environment, particularly across less-visible assets like research servers and departmental cloud instances.
Empowering the Next Generation of Cyber Leaders
For Dietiker, the real impact goes beyond finding bugs. It’s about developing ethical hackers who understand the responsibility that comes with their skills in the landscape of innovation.
“We want students to learn how to engage with technology ethically,” she said. “In Silicon Valley, technical talent is everywhere. But ethical thinking, that’s what we’re uniquely positioned to develop.”
Dietiker hopes to track how student participation in the bug bounty program influences job readiness and career outcomes. Her goal? To turn SCU into a model for hands-on cybersecurity education that benefits both the university and the students themselves.
Bringing Defense in Depth to Higher Ed
Santa Clara University’s journey shows what it looks like to apply defense in depth in an academic setting, layering automation, human expertise, and student engagement to create continuous visibility across the university’s attack surface.
With HackerOne’s bug bounty programs, Dietiker and her team are transforming limited resources into an ever-expanding network of defenders, proof that when education and cybersecurity come together, the results are powerful.
*The 15% Advantage: How High-Performing CISOs Leverage Crowdsourced Security
Survey methodology: Oxford Economics surveyed 400 CISOs from April to May of 2025. Respondents represented four countries (US, UK, Australia and Singapore) and 13 industries (Telecommunications, Real Estate/Construction, Utilities, Government/Public Sector, Consumer Goods, Education, Retail, Banking/Financial Services/Insurance, Retail/Ecommerce, Manufacturing, Healthcare, Transport/Logistics, and Not-for-profit/Non-profit). 70.5% of respondents worked at publicly-held organizations, while the other 29.5% worked for private organizations. Roughly 2 out of 5 respondents work at smaller organizations (between 1,000 and 2,500 employees); respondents from organizations with at least 10,000 FTEs make up 27% of the sample. Finally, revenue breakdowns are evenly split across 5 revenue buckets: Less than $500m; $501m to $999m; $1b to $4.9b; $5b to $9.9b; and $10b and more.