How Santa Clara University Scales Security With a Small Team and Big Community

HackerOne Team

Santa Clara University (SCU), a Jesuit institution in the heart of Silicon Valley, runs on innovation, and that includes cybersecurity. But with just four people on its security team serving over 12,000 students and employees, scaling security was a growing concern.

For Kristen Dietiker, CISO at SCU, the challenge was clear: How do you protect a constantly evolving and expanding digital environment with limited staff and countless connected assets?

But Dietiker didn’t have a year to grow her security team. Traditional security testing felt impossible to scale. She needed something to extend her team’s reach without overwhelming them.

Turning to the Power of the Community

71% of CISOs at educational organizations currently use bug bounty programs with the primary purpose of identifying unknown vulnerabilities, and Dietiker knew of other universities with bug bounty programs. She was likewise drawn to the model of tapping into the power of a community, both to scale her small security team and as an entryway for students to learn cybersecurity.

“It appealed to me for two reasons,” she said. “First, it improves our security posture. But equally important, it gives our students an experiential learning opportunity.”

Dietiker decided to join the 71% of CISOs and start SCU’s very own private, student-driven bug bounty program, where students and staff could test university systems ethically. The program’s dual purpose of enhancing security while building students’ skills fits perfectly with SCU’s Jesuit values of education, ethics, and community service.

“I work in higher ed because I value its ability to transform lives,” she said. “If students can learn ethical hacking and help improve our security hygiene at the same time, that’s a win-win.”

Building Buy-In Across Campus

Gaining executive buy-in can often be a hurdle for security initiatives, but in SCU’s case, tying the program to its educational mission made approval easier.

“The hardest part is usually the budget,” Dietiker said, “but we found a way to fund it within our department. Once we showed that this would give students a safe and structured way to learn, there was no pushback.”

To keep things organized, Dietiker and her team introduced an application process for student participants. Applicants had to be in good academic standing and demonstrate technical interest. SCU’s finance and IT departments also established an internal audit process to ensure transparency in bounty payouts, underscoring the program’s ethical foundation.

Managing the Fear Factor: Quality Over Quantity

When Dietiker first pitched the idea of a bug bounty, there were natural concerns from IT and infrastructure teams.

“They were afraid we’d be overloaded with bug reports,” she said. “But the fact that HackerOne manages triage and remediation support made all the difference.”

With the operational and financial barriers removed, the university’s decision came down to principle: act now or keep accepting unseen risk.

Dietiker knows waiting is riskier: “Those [vulnerabilities] are going to exist regardless if you have a bug bounty or not,” she said. “So you better be the ones finding them.”

HackerOne Bug Bounty gave Santa Clara University the capacity to act, the confidence to launch, and the assurance that every report would move them closer to a more secure campus.

Even in its early stages, the program has already improved how SCU’s security team monitors its digital environment, particularly across less-visible assets like research servers and departmental cloud instances.

Empowering the Next Generation of Cyber Leaders

For Dietiker, the real impact goes beyond finding bugs. It’s about developing ethical hackers who understand the responsibility that comes with their skills in the landscape of innovation.

“We want students to learn how to engage with technology ethically,” she said. “In Silicon Valley, technical talent is everywhere. But ethical thinking, that’s what we’re uniquely positioned to develop.”

Dietiker hopes to track how student participation in the bug bounty program influences job readiness and career outcomes. Her goal? To turn SCU into a model for hands-on cybersecurity education that benefits both the university and the students themselves.

Bringing Defense in Depth to Higher Ed

Santa Clara University’s journey shows what it looks like to apply defense in depth in an academic setting, layering automation, human expertise, and student engagement to create continuous visibility across the university’s attack surface.

With HackerOne’s bug bounty programs, Dietiker and her team are transforming limited resources into an ever-expanding network of defenders, proof that when education and cybersecurity come together, the results are powerful.

*Hacker-Powered Security Report 2025: The Rise of the Bionic Hacker

Survey methodology: HackerOne and UserEvidence surveyed 99 HackerOne customer representatives between June and August 2025. Respondents represented organizations across industries and maturity levels, including 6% from Fortune 500 companies, 43% from large enterprises, and 31% in executive or senior management roles. In parallel, HackerOne conducted a researcher survey of 1,825 active HackerOne researchers, fielded between July and August 2025. Findings were supplemented with HackerOne platform data from July 1, 2024 to June 30, 2025, covering all active customer programs. Payload analysis: HackerOne also analyzed over 45,000 payload signatures from 23,579 redacted vulnerability reports submitted during the same period.