Cybersecurity leadership is often framed around technology, controls, and crisis response, but the reality of the role extends far beyond technical defense. CISO Diaries explores the daily rhythms, decision-making philosophies, and personal habits that shape how modern security leaders protect organizations while enabling business growth. Through conversations with CISOs across industries and geographies, the series highlights how leaders navigate risk, balance competing priorities, and build security programs that people actually adopt.
In highly operational environments such as maritime transportation, where digital systems intersect with physical infrastructure, the stakes of cybersecurity expand even further. Leaders must secure not only data and networks, but also operational technology, safety systems, and business continuity across complex, distributed ecosystems. In this edition of CISO Diaries, we speak with Kim Bruland, whose pragmatic, business-first security philosophy reflects the growing need for security strategies that drive measurable value while strengthening resilience.
About the Interviewee: Kim Bruland
Kim Bruland is a technology and cybersecurity leader with more than 20 years of experience spanning IT operations, digital development, and strategic security leadership. He currently serves as CISO and Head of Digital Security at Fjord Line, where he oversees cybersecurity across both IT and operational technology (OT) environments. His responsibilities include risk management, regulatory compliance across frameworks such as IMO, NIS2, and GDPR, crisis preparedness, identity and access management, and building a strong security culture grounded in empathy and user-focused design.
In addition to his role at Fjord Line, Kim serves on the board of NORMA Cyber, the Nordic Maritime Cyber Resilience Centre established by the Norwegian Shipowners Association and DNK. The organization provides cross-sector threat intelligence, monitoring, and crisis response capabilities to strengthen cybersecurity across the maritime industry. Known for his practical and value-driven approach, Kim emphasizes maximizing the effectiveness of existing tools, reducing unnecessary complexity, and aligning security initiatives closely with operational and business outcomes.
How do you usually explain what you do to someone outside of cybersecurity?
I usually say I protect the company’s revenue. For kids, I simplify it a bit more and tell them I stop computer bad guys from hurting us, which makes me sound much cooler than I actually am. Both explanations are surprisingly accurate.
What does a “routine” workday look like for you, if such a thing exists?
The day starts with checking relevant cyber news and reviewing alerts and incidents in our SIEM. After that, most of the day is out of my control, which is often a good indicator of how security really works in practice.
What part of your role takes the most mental energy right now?
Being a business enabler in the age of AI. Making sure we move fast enough to stay competitive, while remaining secure enough to sleep at night, requires constant attention and judgment.
What’s one security habit or routine you personally never skip? (Work or personal.)
Updating and restarting my browser. It’s not glamorous, but it’s one of the highest-return security actions out there.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
I use a password manager, hardware security keys for MFA, and maintain regular backups. Beyond that, I try to keep things simple and well-maintained. Complexity is the enemy of security.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
The CISO Tradecraft podcast. It focuses on the realities of the role rather than just the theory, and has helped me think more strategically about the business side of security leadership.
What’s a lesson you learned the hard way in your career?
You don’t win by being right; you win by being understood. Security only works when people actually buy into it.
What keeps you up at night right now, from a security perspective?
Nothing. I would never allow security to steal my sleep. Fatigue is a bigger risk than most vulnerabilities.
How do you measure whether your security program is actually working?
We track operational metrics like Mean Time to Remediate and phishing reporting rates to measure our technical performance. For our security culture program, we use Lance Spitzner’s model and measure attitudes and behaviors through regular pulse surveys in our employee satisfaction program. Things like whether people feel safe reporting incidents they caused, if they find security policies easy to follow, and how confident they are at recognizing social engineering attacks.
What advice would you give to someone stepping into their first CISO role today?
Focus on what matters. Be comfortable with the fact that you cannot secure everything. Pick your battles carefully and make them count.
What do you think will matter less in security five to ten years from now?
Perimeter-based security thinking. The idea that you can build a wall around your organization and be safe inside it is already outdated, and will be completely obsolete as work becomes more distributed and cloud-native.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Governing AI systems and managing third-party risk in increasingly complex supply chains. Emerging technologies such as quantum computing, AI, and secure automation frameworks will require more strategic thinking and stronger risk governance. The tools will evolve, but the leadership challenge will still be to balance opportunity and harm.
