For much of her career, hacker Runa Sandvik has worked to protect journalists and newsrooms from powerful adversaries who want to keep wrongdoing and corruption out of the public eye. Journalists and activists are increasingly targeted by the wealthy and resourceful who seek to keep the truth hidden, from nation-state aligned hackers hacking into journalist’s inboxes to governments deploying mobile spyware to snoop on their most vocal critics.

Few know the threats that journalists face better than Sandvik, a native Norwegian. She defended The New York Times newsroom from hackers and nation-state adversaries, trained reporters to cloak their online activity in anonymity at the Tor Project, and helped organizations like the Freedom of the Press Foundation to build tools that allow journalists, like us at TechCrunch, securely communicate with sources and receive sensitive source documents. Sandvik is also a renowned hacker and security researcher and, as of recently, a founder.

With her new startup, Granitt — with Sandvik as its principal — aims to help at-risk people, like journalists and activists but also politicians, lawyers, refugees and human rights defenders, from threats they face doing their work.

“At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they’re doing, that’s something I would consider ‘at risk’ and something that I can help with,” Sandvik told me when we spoke in New York City this week.

Sandvik told me about her work and her new bootstrapped startup, how leaders should prioritize their cybersecurity efforts, and, what piece of security advice she would give that every person should know.

Our chat, which has been lightly edited and condensed for clarity, follows.

ZW: You’ve been laying the groundwork for Granitt for the past decade. Tell me how you got here.

RS: If you look at a decade ago when I worked for the Tor Project and they got funding, we set out to teach reporters how to use the Tor Browser. And very quickly realized that it’s not super impactful to just teach someone how to use the Tor Browser if they’re not also familiar with good passwords, two-factor authentication and software updates — things to consider when they’re traveling to conflict zones, for example. And we started building out a curriculum around what you should do to be safe online. I later consulted for the Freedom of the Press Foundation doing somewhat similar work, and also then working on SecureDrop. And my role at The New York Times was building on that type of work as well. And after the Times eliminated my role, I worked with ProPublica, Radio Free Europe, and the Ford Foundation to look at not just security for individuals but also how to help the business side of media organizations to support the newsroom.