Chris Gibson

Chris Gibson: “If FIRST disappeared, you would need to invent another forum of incident response.”

Chris Gibson is the Executive Director of the Forum of Incident Response and Security Teams (FIRST), an organization that brings together incident response and security teams from around the globe to ensure a safe internet for all. Founded in 1990, FIRST has grown to include over 760 members from corporations, government bodies, universities and other institutions across more than 110 countries. Short-term grants and inconsistent funding are “an absolute problem,” Gibson says. The following interview is the second of three that dive into the struggles and achievements of nonprofit organizations to which Common Good Cyber intends to contribute transformative cybersecurity funding.

Could you describe how your organization positively impacts society and enhances community wellbeing?

FIRST, the Forum of Incident Response and Security Teams, is, as its name suggests, a forum. Founded about 35 years ago during the early days of the Internet, it emerged when viruses and malware were new threats, and people didn’t know who to turn to or how to address these problems. The decentralized nature of the Internet made coordination difficult, so FIRST was established as a group of experts who knew each other and has grown steadily since.

Our vision is to make the Internet safer through building relationships and networks of teams worldwide. These teams support, train, and mentor each other, helping new groups develop until they can maintain incident response capabilities within their own countries or regions.

We aim to enhance safety for Internet users globally, regardless of region, country, or political affiliation. Our goal is for someone in any country to use the Internet confidently for daily tasks like filing taxes, shopping, conducting business, or setting up websites. We want users to feel secure, knowing that if they encounter a problem, there’s a resource available to help resolve it. These local resources are part of a broader network capable of addressing challenges worldwide.

Has FIRST ever faced challenges with sustainable funding? What resources, financial or otherwise, are essential for FIRST to ensure continued operations?

We’ve never reached a point where we had no money. Over the years, we’ve been successful. Until five years ago, FIRST was entirely volunteer-led, keeping costs minimal. We had expenses for infrastructure, but they weren’t substantial, and we could cover them using our membership dues.

We’ve also relied heavily on conferences and events. Our annual conference has grown to a point where it now attracts up to 1,000 attendees and we look to make a surplus. We use that funding for various purposes across FIRST. The biggest setback came with COVID when we couldn’t hold conferences for two years. This created uncertainty around other events too. So, at that point we lost a significant funding stream, but membership dues kept us afloat. It’s no secret that we’ve dipped into our reserves considerably over the last couple of years, but fortunately, we had those reserves to draw from. We’ve never come close to financial collapse, but we have reassessed our fundraising methods and sponsorship sources.

Our challenge is that while we can approach governments for grants, these typically fund specific projects rather than organizations themselves. We’ve been fortunate to have a proposal accepted by the UK Foreign Office, funding our work in Africa. This allows us to hire two people for a three-year period, fulfilling our mission of building and maturing teams, fostering relationships, and providing training, all funded externally. However, it’s a time-limited grant, after which we’ll need to consider how to progress. It does give us an opportunity to develop further funding streams, but it remains a significant issue.

Given our history and origins, we’ve always maintained a flat membership fee structure. Whether you’re a security executive from Microsoft or a CERT from a country of 5,000 people, the fee is the same, and changing this would be challenging. However, as we’ve grown over the last five years, now with three staff members funded by the organization plus two more by the Foreign Office, these salaries represent a significant cost.

It’s become harder to fund this through dues alone. We need events to generate income and other sources to support us. This has forced us to take a hard look and reconsider our fundraising approach.

I believe it’s a universal challenge for nonprofits to maintain long-term financial stability. We aim for this stability despite the intermittent nature of government and grant funding, which can start or stop unpredictably.

What would be the consequences if your organization were to shut down? What would it take for other entities, governments, or industry to fill the gap left by your absence and continue the services you provide?

That’s a very good question. If FIRST disappeared, you’d need to invent another FIRST. You’d need another forum where people can come together. We pride ourselves on being non-governmental, non-country specific, with no vested ideologies. We’re a forum: a technical community where people can discuss their problems openly.

Because of this, we have teams from countries that may have tense or even antagonistic relationships with each other. I can recall instances when representatives from such countries would attend the same meetings and discuss their challenges. They understand that this interaction fluctuates as governments and politics change. But typically, they’ve been able to communicate even when their countries aren’t on the friendliest terms. When it escalates to an actual conflict between nations, that’s a different situation.

I don’t think any government could rebuild something like this because no government has that kind of non-political, non-ideological stance. Industry would find it difficult as well because there’s no profit in this. We don’t make money; we exist solely for the public good.

Realistically, if we folded, I think you’d probably need the same people. We might try to reinvent ourselves, but perhaps back at the volunteer stage, which would clearly mean we couldn’t do as much as we do now: fewer training sessions, a less sophisticated outreach program. I believe that’s what we do exceptionally well.

What specific organizations are critical to continue providing value and why are they important to your job?

Our members, company teams and incident response teams worldwide rely on data. They can gather some of it themselves. Some of the more mature teams have that set up within their jurisdictions. They’re pulling feeds, but many of them rely heavily on companies like Shadowserver. 

The data Shadowserver delivers, as a public service, is just fantastic. If Shadowserver disappeared, our membership’s ability to deliver safety on the internet would be significantly impacted. The world would be a poorer place without them. I think there’s absolutely no question about that. We have reserves, we’re in a good position, we have a funding stream, we run conferences. Other NGOs are not in the same position. We could not afford for them to disappear. They provide an essential service to the Internet.

