CISO Diaries: Rune Carlsen on Risk, Resilience, and the Future of Digital Trust

Cybersecurity leadership is often described through incidents, controls, and compliance mandates, but its real substance lies in how leaders navigate uncertainty, make decisions under pressure, and build trust across the business. In CISO Diaries, we go beyond technical headlines to explore the routines, habits, and philosophies shaping today’s most experienced security leaders. The series looks at how CISOs balance strategic priorities with operational realities, communicate risk to leadership, and embed security as a business capability rather than a standalone function.

At a time when digital ecosystems are becoming more interconnected, regulated, and shaped by emerging technologies like AI, the role of security leadership is evolving beyond defense. It is increasingly about resilience, governance, and continuous validation of trust. Through these conversations, CISO Diaries offers a closer look at the human judgment and pragmatic decision-making behind modern security programs.

About Rune Carlsen

Rune Carlsen is a cybersecurity and risk leader with more than 30 years of experience across IT, technology, and security leadership, currently serving as CISO at KLP, one of Norway’s largest financial services groups. Over the course of his career, he has built and matured enterprise security organizations, implemented governance models at the group level, and embedded security as a core part of business management rather than an isolated control function.

His experience spans strategic security leadership, operational risk management, regulatory implementation, and digital resilience across highly regulated environments. Rune has led programs aligned to frameworks including ISO 27001, NIST, CIS Controls, and DORA, translating regulatory requirements into practical and measurable improvements in security maturity. Known for his structured and pragmatic approach, he works at the intersection of technology, business, and risk, with a strong focus on enabling trust, reducing uncertainty, and helping organizations operate securely in an increasingly complex digital landscape.

How do you usually explain what you do to someone outside of cybersecurity?

I usually say that I help my organization understand what could go wrong before it actually does, and then put structures in place to reduce the likelihood and impact of those events. In simpler terms, I work to make sure the business can operate safely in a world where digital risk is constantly evolving.

What does a routine workday look like for you, if such a thing exists?

There is rarely a truly routine day, which is part of what makes the role interesting. Most days are a mix of strategic work, stakeholder communication, and dealing with whatever unexpected issue comes up. I try to protect time for long-term improvements, but operational realities often compete for attention.

What part of your role takes the most mental energy right now?

Balancing risk with business priorities. Security cannot exist in isolation, so a lot of mental energy goes into making pragmatic decisions on where to push hard, where to accept risk, and how to communicate that clearly to leadership.

What is one security habit or routine you personally never skip?

Being deliberate about access by reviewing what I have access to and questioning whether I still need it. It sounds simple, but over time, unnecessary access tends to accumulate, and that is a real risk.

What does your own personal security setup look like?

At a high level, a password manager, strong and unique passwords everywhere, MFA enabled wherever possible, and regular backups. I also try to keep a clear separation between devices and contexts, work versus personal, and stay mindful of software updates and basic hygiene.

What book, podcast, or resource has influenced how you think about leadership or security?

A classic that has stayed with me is The 7 Habits of Highly Effective People, especially around discipline and prioritization. On the security side, I regularly listen to Darknet Diaries and other cyber-focused podcasts. Real-world stories tend to shape how you think about risk far more than theory alone.

What is a lesson you learned the hard way in your career?

That being technically right is not enough. If you cannot communicate risk in a way that resonates with the business, it does not lead to meaningful change. Influence matters just as much as expertise.

What keeps you up at night right now, from a security perspective?

AI and how quickly it is evolving. Not just in terms of new attack vectors, but how it changes the overall risk landscape. Understanding how to safely adopt it while managing the increased uncertainty is a real challenge.

How do you measure whether your security program is actually working?

We use a mix of indicators. Our internal risk reporting tied to risk appetite is an important part of that, as it gives structure to the discussion. Beyond metrics, it is about whether we are actually reducing exposure, staying on top of evolving threats, and seeing security embedded in how the business operates day-to-day.

What advice would you give to someone stepping into their first CISO role today?

Focus on communication. You do not need to understand every single technical detail, but you do need to translate complexity into something the business understands and can act on. That ability will define your impact more than anything else.

What do you think will matter less in security five to ten years from now?

Over-reliance on perimeter-based thinking and purely reactive controls. The landscape is moving toward identity, context, and resilience rather than static defenses.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they do not today?

Managing trust across complex ecosystems, including partners, platforms, AI systems, and automated processes. Security will be less about guarding a boundary and more about continuously validating what can be trusted and under which conditions.

Cybersecurity is ultimately about enabling trust within the organization and across the ecosystems it depends on. While I value contributing to the broader community, my primary responsibility is to ensure that my own organization can operate securely and confidently. That balance between sharing and safeguarding is something I believe will only become more important going forward.