If you don’t know Runa Sandvik, you’re likely new to the industry or you might have missed a beat. Sandvik is a notable industry leader who has taken what she learned at The New York Times, Freedom of the Press Foundation, and The Tor Project into building Granitt, her own mission-based venture that provides security guidance for journalists and at-risk people around the world.
You may know her as a hacker, and while her talent as such is superb, that is simply a modicum of what she represents. Professionally, she is also an inaugural member of CISA’s Technical Advisory Council and the Aspen Institute’s Global Cybersecurity Group, and a board member of the Signals Network. Yet again, she is so much more.
This is a special Rising Tide for me. I chose Sandvik for this installment because I have the honor of calling her one of my closest friends; so I have also had the honor of a front row seat to the grit, grace, and integrity that has taken her through much of this journey. I also have never met someone so dedicated to creating work around purpose and guiding others to do the same.
When you read below, you’ll learn more about her path through cybersecurity, which started in 2010, and some of her more traditional roles. Jobs like Sandvik’s current venture aren’t ones you may necessarily see posted online, but in her own words regarding doing work you love:
“If you can’t find it, but believe the work is worth doing, you can certainly create it.”
Beyond work, Sandvik is a fierce mentor, even outside of those in tech roles. I would not be where I am at if it hadn’t been for her gentle yet relentless reminders of what I am capable of accomplishing both personally and professionally. Her interests range from pole dancing, to indoor and outdoor skydiving, and even taught her cat how to fist-bump and high-five. Really.
Get to know more about Sandvik below.
Q. Many know you for your capacity for risk-taking and protecting those at-risk in your cybersecurity work. What would you consider is the biggest cyber or career risk you have taken?
A. There’s no university program or job description for the work I do, rather it’s a niche area that I’ve focused on for over a decade now. I’d say the biggest risk I’ve taken in that time is deciding to focus on protecting at-risk groups of people; having the confidence to say that it’s worth doing; and trusting that everything will work out.
Q. What inspired you to get into tech and ultimately to “hack” – and especially hack for good?
A. I stumbled into tech when I got my first computer at 15; then fell in love with the range of things you can learn and do. I really enjoy work with a purpose that is challenging and rewarding; so combine that with securing at-risk groups of people, and you have “hacking for good” that is also incredibly impactful.
Q. Tell me about Granitt and your journey to start this business.
A. Granitt is a consultancy focused on protecting journalists and other groups of at-risk people; such as lawyers, high-net worth individuals, election workers, people who investigate government corruption or war crimes. Having worked on security journalists at The Tor Project, Freedom of the Press Foundation, and The New York Times, I started 2020 working for myself with a small, reliable group of clients. I’ve known for a long time that protecting at-risk people is what I’m most passionate about and want to keep doing; making Granitt a full business in the summer of 2022 was just the right next step for me.
Q. Who are the profiles of people who can best benefit from the type of security you provide?
A. Some people, such as activists, journalists, politicians, will be at heightened risk of being targeted online/offline because of their identity or work. My role is to enable them to do their work securely; my main focus is on the cybersecurity portion of this, but I believe we need a holistic focus — accounting for physical, emotional, and legal security too — to achieve “working securely” for an at-risk individual.
Q: You’ve been very outspoken about very simple things that even the general, normal user can do to better secure themselves. What are some of those basics that you think people outside of our industry often overlook and how do they improve?
A. If you can only do three things: install the latest update on your devices as soon as it’s available; use a password manager to ensure you have strong, unique passwords across all your online accounts; use two-factor authentication to add an extra layer of security to your online accounts as well.
Q. You’ve posted on X about your love for pole artistry, of which you’ve become incredibly talented. I also can’t imagine a more polar opposite activity to security – is that part of its appeal?
A. Over the last six years or so, I’ve taken on pole dance; indoor skydiving; and outdoor skydiving. All three demand focus and body awareness that forces me to be present — I can’t fumble through it while my mind is occupied with something else. The three communities are incredibly diverse, supportive, and welcoming; and I’ve met some of my closest friends that way.
Q. Did you ever worry about people making misperceptions about you because of pole dancing?
A. I’d be lying if I said I didn’t think about it; and that’s probably why it took me so long to talk openly about pole dancing and the immense value I get from the workouts. I wanted to keep my professional life and my personal life separate, and I still do to some extent. That said, I’m no longer shy about talking about hobbies that I’m passionate about — and I’ve yet to receive any negative responses to doing so.
Q. Outside of pole and hacking, how do you let off steam and how do you like to spend your time? Feel free to talk about your cat, Pumpkin. We are cat friendly here.
A. I picked up indoor skydiving earlier this year. I’m seriously considering getting my license for outdoor skydiving as well. I’ve trained my cat, Pumpkin, to sit, fist bump, and high-five. I read stories about Cold War espionage for my newsletter called Journalist and Spy. I still travel quite a bit. I explore good (and not so good) food with friends in NYC.
Q. What do you wish you could tell every new person entering the industry that you wish you knew when you started in Norway so many years ago?
A. I think it took a while for me to see that this industry is more than “just” working for Big Tech or being a consultant for a large corporation. There are more roles than “just” compliance and penetration tester, and it’s perhaps easier to find those roles today than ~14 years ago. If you can’t find it, but believe the work is worth doing, you can certainly create it.
Q. Have you seen progress over the years of the industry being more inclusive in terms of underrepresented groups?
A. If we are going to secure a diverse world, we need a diverse workforce too. This industry has seen a lot of growth over the past decade: more companies, more roles, and more people. And with that comes diversity, too. There’s certainly more work to do here, but I do see a positive change between 2010 and 2024.
Related: Hacker Conversations – Runa Sandvik
