Chasing Entropy episode 003: Digital Security for the Vulnerable — A Conversation with Runa Sandvik
In this compelling episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with renowned cybersecurity expert Runa Sandvik, founder of Granite and longtime advocate for digital security in high-risk spaces. Together, they explore a career dedicated to protecting journalists, challenging the status quo in cybersecurity, and hacking smart rifles (yes, really).
From Oslo to the Front Lines of Press Freedom
Runa recounts her journey from a curious teenager in Oslo intrigued by hacking, to working at the Tor Project, and eventually becoming head of newsroom cybersecurity at The New York Times. Her work there included launching a secure, anonymous tip line for whistleblowers, a pivotal tool for modern investigative journalism.
Building Trust in the Security Community
The conversation dives into how cybersecurity professionals can meaningfully support journalists—by building relationships not only with individual reporters but also with the infrastructure teams behind them. Runa highlights organizations like the Freedom of the Press Foundation and the Electronic Frontier Foundation as crucial players in this ecosystem, alongside companies like 1Password that provide free tools to journalists.
Hacking Smart Rifles: The DEF CON Tale
In one of the more unexpected twists, Runa discusses her 2015 research that exposed vulnerabilities in smart rifles. What began as a curiosity at a gun show evolved into a full-blown technical exploit, revealing how attackers could lock triggers or cause shots to miss targets dramatically. The story underscores a vital lesson: as technology continues to permeate even the most unlikely of devices, security needs to follow closely behind.
The Persistent Shadow of Shadow IT
Dave and Runa also explore the persistent issue of shadow IT—when employees turn to unapproved tools to get work done. Runa emphasizes the importance of understanding user needs, fostering open communication, and demonstrating the benefits (legal, privacy, and security) of company-approved solutions. Without this approach, she warns, organizations risk being blindsided by their own internal blind spots.
AI, Privacy, and Human Rights
As AI continues to reshape the tech landscape, Runa cautions against jumping on the bandwagon without first establishing clear policies and security frameworks. She draws important parallels between the rush to adopt AI and the ongoing struggles organizations face with basic cybersecurity hygiene.
Looking Ahead
Despite the allure of emerging technologies, Runa concludes by urging listeners not to lose sight of the foundations: training, awareness, clear policy, and human-centered security practices remain the bedrock of any resilient security program.
Resources Mentioned:
- Granite – Runa’s security consulting firm
- 1Password for Journalists
- Freedom of the Press Foundation
- SecureDrop