Founder of the Week: Melanie Rieback and Radically Open Security

Every week, we highlight one woman founder. This week, Melanie Rieback, founder of Radically Open Security, is put in the spotlight.

A new study course titled “Post Growth Entrepreneurship” will be launched at the beginning of 2023 at the Universiteit van Amsterdam. It is a pioneering 6 ECTS course developed and taught by Dr. Melanie Rieback, the founder of Radically Open Security, the world’s first nonprofit cybersecurity company. In 2023, 120 students will be taking social entrepreneurship to the next level. The enrollment cap was reached, and sign-up is now closed.

For the last 20 years, Melanie Rieback has been navigating the cybersecurity world: starting off in academia, switching to corporates, and, dissatisfied, founding her own company. Besides being a founder of a rather cool nonprofit company, she has been a pioneer in nonprofit entity forms, looking into non-extractive business and entrepreneurship.

Could you tell us a bit about yourself?    

I am primarily a cybersecurity professional. I’ve been in cybersecurity for 20 years at least. I started out in academia as an assistant professor of computer science at the Free University of Amsterdam. I did that for about 7-8 years, and at a certain point I moved over to the industry. I worked at ING as part of the cybercrime team, and eventually, I left ING to do my own startup, which is no longer a startup. It’s now an 8.5-year-old company with roughly 50 people. We have had hundreds of customers, from Google to the Coronamelder to the European Commission, to the tiniest little civil society activist organization like small groups of Iranian refugees.

We are what I call a “not-for-profit company”, a BV 100% owned by a foundation. We’re basically set up in an attempt to lock the financial value inside the company. We also have some constructions in place to prevent the sale of the company in the future. The company is also registered as something called a Fiscal Fundraising Institution. That is an archaic tax construction from the Dutch Church, that ensures 90% (or more) of our profit goes to charity. We have given almost 3/4 of a million euros to the NLnet Foundation, an Internet-related charity.    

We have won several awards and probably after 4-5 years of running this company, people started coming up to me and asking how they could set up a similar business model in different areas. So that’s how I created Nonprofit Ventures, which is a startup incubator dedicated to helping founders bootstrap nonprofit and non-extractive companies. We heavily emphasize not-for-profit entity forms and Steward Ownership. We have incubated almost 50 startups until now.

What triggered you to start your company in such a way?

I started Radically Open Security out of discontent with some of the leading players in the cybersecurity market. At that time, I was working at ING. I had some very negative experiences with how opaquely they would behave with their customers, trying to cultivate the dependence of the customers on their services by being as non-transparent as possible.

Security is an essential human right and privacy should be one of the SDGs – it’s not, but it should be. Personally, I don’t think that using cybersecurity and privacy as a cash cow, to enrich a small number of people is appropriate. So that’s when I thought, I’ll put a non-commercial and not-for-profit alternative on the market if only to make my point. And it has been a large success.   

So, how would you explain what Radically Open Security does to someone not in cybersecurity?  

We hack companies, organizations, and governments, and then we tell them how we did it, and give them recommendations on how to fix it. We do all of this with permission, of course. Another service that we offer is called incident response, which helps victims of hacks and data breaches. We also train people on cybersecurity awareness and how to make their companies’ code better. However, 90% of what we do is ethical hacking.

What were the first reactions when you came up with the idea of Radically Open Security?

When I first started, people thought I was crazy. I remember that one guy from ING I saw quite some years later told me: “Melanie, when you first told me you’re starting a nonprofit cybersecurity company, I thought you were full of shit. But you managed to pull it off!”    

That was the kind of reaction I got from a lot of people. When you have this kind of unconventional idea, it’s going to be met with disbelief and skepticism, but you just need to ignore all that. If you have a vision in your head of what you want to build, just build it. That’s when the skeptics will shut up and get on your side. With 50 staff members, hundreds of customers, and multiple awards, nobody thinks I am full of shit anymore.   

On your website it says “If a job is even remotely morally questionable, we won’t do it”. Could you give an example of ‘morally questionable’?  

Ethics is relative to context and culture. There are some people who think abortion is ethical, and others who think it’s terribly unethical. So ethics is always going to be relative to the frame of reference and the community you’re talking about.    

That being said, the kind of people working in my company tend to be pretty geeky and a little anarchistic. We are hackers, geeks, and techno-hippies. My people are not really into authority and capitalism either. They want things to be fair, and for people to be treated equally, with information to be accessible in order to have a safer world. If you take that frame of reference, sometimes we refuse to work with customers as a whole. For example, if the Dutch Secret Service (AIVD) came up to us with a totally legit request, there’s no way I could square away our involvement with them, we would say no.   

We need to be mindful of geopolitics in general. We won’t do offensive hacking, nor do we get involved in cyberwarfare or hacktivism. Our niche is more in trying to help people and organizations to defend themselves. Occasionally, we get weird requests and they get thrown into a chat room and I let my team decide. Sometimes half of the people agree, while the other half disagrees. It’s not always black and white. Our ROS Ethics chat room also may be the heart and soul of our company. We have the most interesting discussions there, and it helps to define who we are as a collective organization. 
