In today’s hyper-connected world, businesses and governments depend heavily on open-source tools and nonprofit cybersecurity initiatives to safeguard digital infrastructure. Yet many of these essential resources remain critically underfunded, exposing the global digital ecosystem to silent and systemic vulnerabilities. Without sustainable investment, the economic and security consequences will only escalate. Our discussions at RSAC Conference 2025 explored the intricate web of economic interdependencies and highlighted why democratizing cybersecurity is not just an ethical imperative, it is smart business.
The Economic Backbone We Overlook
Cybersecurity is often perceived as a sunk cost rather than a strategic investment. However, countless organizations rely on free initiatives for core defensive capabilities. Consider two examples: VirusTotal, a widely used malware scanning service owned by Google, and MITRE ATT&CK, a threat intelligence framework maintained by a nonprofit. Both are free to users, yet only one benefits from the financial stability of a tech giant. The other depends on razor-thin grants and public funding cycles.
Many of the tools critical to cybersecurity are sustained, often without their users realizing it, not by traditional profit models but by nonprofit organizations operating on uncertain funding. Nonprofits such as MITRE, Shadowserver, Quad9, Global Cyber Alliance (GCA), CyberPeace Institute, I Am the Cavalry, Institute for Security & Technology, and Sightline Security offer vital cyber defense services at little to no cost that benefit everyone—but especially the most underserved communities. These organizations form the backbone of a cybersecurity safety net that protects sectors most often overlooked by traditional markets. If these initiatives were to disappear due to lack of funding, the ripple effects would cascade across industries. Entire supply chains, government functions, and even cyber insurance risk models are increasingly intertwined with these “invisible” protections. Underserved communities—nonprofits, schools, small businesses—would be especially hard hit, further exacerbating inequality in cybersecurity access.
Free Tools, Real Costs: Understanding the Trade-offs
While nonprofit-led tools and services are often free to the user, their ongoing maintenance and effectiveness require investment. Free doesn’t mean free of cost—someone is paying, whether in dollars, labor, or data. Nonprofits operate on traditional funding pipelines like 501(c)(3) donations, volunteerism, and grants, all of which are short-term. As a result, funding is unevenly distributed across the cybersecurity community. Efforts providing visible services like technical and emergency support to high-risk actors or the development of new tools often receive more attention than the invisible tools, services, and platforms that are at the core of the digital infrastructure.
The Case for a Social Return on Investment
We must redefine the return on investment in cybersecurity to include societal and ecosystem-wide returns. Although it is mostly done by nonprofit-led initiatives, supporting underserved communities isn’t charity. It’s preventative risk management. These organizations are often the first to detect and defend against sophisticated attacks, but they are often underserved by the traditional cybersecurity market and routinely excluded from national cybersecurity planning and tech policy conversations.
“Nonprofits make up 10% of the U.S. workforce, so while often overlooked, this is an important part of the economy with real purchasing power. Nonprofits also provide many essential services. While many would consider hospitals to be critical infrastructure that need protecting, the reality is that more than 50% of healthcare delivery on the African Continent is provided by non-profits, who are rarely discussed in cyber defense policies let alone have a seat at the table when those policies are developed or dedicated funding for their cybersecurity.” – Jochai Ben-Avie, Wisteria Strategies
This exclusion is not only unjust, it’s shortsighted. A fragmented cyber defense weakens the entire ecosystem. Democratizing cybersecurity means ensuring that all sectors, especially the most at-risk, have the tools and support needed to stay secure.
“If you want a thriving business, we need a thriving democracy.” – Erin Ceynar, Tides Foundation
When access to cybersecurity is uneven, everyone becomes more vulnerable. Nonprofits—many of which serve healthcare, education, and civil society—are significant targets due to their vulnerabilities and the valuable data they possess, but they are underserved and often protected solely by free-to-use tools and nonprofit-led services. Many sophisticated tools and techniques are developed by state or state-affiliated actors and used first against frontline civil society organizations and independent media. These tools and techniques then filter down to more profit-driven criminal organizations. Because these frontline civil society organizations are attacked first, businesses that partner with them would gain early insight into evolving threats—often 12–24 months ahead of wider industry awareness.
“What’s the value of knowing the next wave of DDoS or ransomware threats a year before they hit your sector?” – Jochai Ben-Avie, Wisteria Strategies
Collaborative Solutions for a Resilient Future
Solving this crisis requires multi-stakeholder collaboration. Here’s how we move forward:
- Tech companies should commit a portion of their security budgets to supporting the nonprofit-led tools they already rely on. These are not donations. They are overdue investments in shared infrastructure.
- Governments, foundations, and corporations can co-fund essential nonprofit-led efforts as part of national and economic security strategies through Common Good Cyber.
- What if you can’t donate money? Offer your time, expertise, and mentorship to underserved communities. Nonprofits from all sectors desperately need technical volunteers and board members with cybersecurity and governance experience. Legal departments within companies can also play a pivotal role by championing nonprofit-friendly partnerships and helping navigate legal complexities in public-private collaborations. Professionals should join nonprofit boards, provide pro bono support, and engage in hands-on partnerships tailored to the unique needs of mission-driven organizations.
- Cybersecurity’s human and societal impacts need to be communicated more effectively. Metrics on nonprofit tool usage, threat detection, and user communities can highlight their immense value.
- As a tech company, build tools and services that are secure and accessible following security-by-design practices.
“It is very important for the vendor community to make tools accessible, effective, and easy to use, so nonprofits can focus on their core missions.” – Rob Sheldon, CrowdStrike
Redefining What a Secure Internet Looks Like
“The deeper question isn’t just technical—it’s philosophical: What kind of Internet do we want?” – Jaya Baloo, Stealth Startup
Do we want an Internet where only the well-funded are secure? Or one that protects civil society, marginalized communities, and mission-critical nonprofits with the same urgency as corporate networks?
“In the open Internet we want, cybersecurity cannot be treated as a luxury, accessible only to those who have in-house expertise or the money to outsource it. Creating a resilient digital ecosystem is not just a social responsibility, it’s a strategic investment with substantial financial and operational benefits for all.” – Kayle Giroud, Global Cyber Alliance
Cybersecurity is needed by all. Its democratization is not only a moral choice but a practical necessity. When we invest in the resilience of others, we invest in our own.
“Everyone’s responsibility is making sure this cyber ecosystem is secure.” – Chris Painter, Member of the Common Good Cyber Secretariat and Formerly at the Global Forum on Cyber Expertise (GFCE)
To continue exploring how we can build a more resilient, inclusive digital ecosystem—and to join the growing movement to democratize cybersecurity—visit Common Good Cyber. Whether you’re a policymaker, technologist, funder, or citizen, you have a role to play in securing the infrastructure we all rely on. Discover how you can contribute, collaborate, or take action to strengthen the nonprofit cyber sector and ensure cybersecurity is a public good, not a privilege.


