Runa Sandvik - Senior Director of Information Security, New York Times


Written by

The New York Times faces a long list of threats. When the president of the United States isn’t calling the publication an enemy, there are hackers and harassers to think about while journalists and other employees try to do their jobs. It’s a complicated security situation.

Runa Sandvik helps the company weather the chaos, keeps it secure and allows her colleagues to work instead of worry. Sandvik has been at the Times for nearly three years, but her tenure in journalism extends back further. She used to work with the Freedom of the Press Foundation, she’s done reporting herself with Forbes and was also a developer on the Tor Project. Now, in the middle of Manhattan, she’s helping to usher the 167-year-old Gray Lady safely into an uncertain 21st century.

CyberScoop: You recently said that journalists in the last year are increasingly being targeted. Given your wide experience with journalists both at the Times and elsewhere, what’s happened in the past year that we haven’t seen before?

Runa Sandvik: In terms of escalation, what I was referring to specifically was online threats and harassment. I think for reporters, that’s always has been a thing. But I imagine that for some, it’s been this noise in the background as opposed to this escalated, persistent different type of harassment. It’s something that does fall in under the work that the information security team at the Times deals with and supports the newsroom with.

CS: How do you do your work with colleagues who are in, say, the Moscow bureau or the Beijing bureau, or a colleague who travels? What are the differences in how you approach those problem sets?
RS: There’s a couple of different ways that we go about training staff that will be based in bureaus. One is during onboarding, where we get a full one hour with every new hire in the newsroom for security onboarding specifically. In some cases, we visit the bureaus in person and do trainings there. We also do regular phishing tests, both on the newsroom and company side, that will inform bureaus. We also have monthly newsletters, we publish weekly tips. We do try and communicate with all staff regardless of where in the company, or where in the world, they are located. That is the current approach.
CS: Is there a set of technology, software or hardware, that you try to guide your journalists toward? 
RS: We take the approach that if there are ways in which I can secure your current workflow and just turn on different settings or just make it safer by default, that’s where we’re going to go for. For example for email we use Google, so we’ve enforced two-factor authentication. In the cases where we can’t control how something is done, like in the case of a communication between a reporter and a source, we do recommend Signal.
We do regular trainings on secure communication encrypted email, travel, general best practice, to try to help people understand what kind of tools are available to them in that sort of space where we can’t enforce the settings.