Bruce Schneier announced in a brief blog post, “I’m leaving IBM.” His three-year stint with what he calls “the nicely ambiguous title of ‘Special Advisor’” ended at the end of June 2019. He gives no specific future plans beyond saying that he will continue to write, speak, teach and occasionally consult.
Schneier has been a cybersecurity luminary since his book Applied Cryptography was published in 1994. Since then he has developed several ciphers, including Blowfish, Twofish, Threefish, and MacGuffin. Twofish was one of the five finalists in the NSA encryption contest that ultimately led to the selection of Rijndael as the Advanced Encryption Standard.
But Schneier is more than a cryptologist. He describes himself as a ‘public-interest technologist, working at the intersection of security, technology and people’ — and is a board member of the Electronic Frontier Foundation (EFF). His opinions are often blunt, but almost always insightful. Cory Doctorow famously contracted one of his comments into Schneier’s Law: “Any person can invent a security system so clever that he or she can’t imagine a way of breaking it.”
Schneier is not an easy fit in large companies. He spent seven years in BT as Security Futurologist (another nicely ambiguous title) following BT’s purchase of his company Counterpane for around £100 million in 2006. During that period, BT was involved in what became known as the Phorm Scandal. Phorm was an early targeted advertising platform that sought agreements with ISPs (such as BT) in order to gain users’ browsing behavior through deep packet inspection. BT secretly trialed the Phorm software with about 10,000 users — but failed to tell them about it.
This sort of behavior runs counter to Schneier’s natural beliefs (he was a severe critic of the NSA and GCHQ mass surveillance revealed by Edward Snowden), and in 2008 he blogged, “I was not involved with BT and Phorm, then or now.” He left BT at the end of 2013. BT was quoted as saying, “We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has nothing to do with his recent blogs.” He said, “It’s past time for something new. As to what comes next: answer cloudy; ask again later.”
In the following month he joined a former colleague from Counterpane (John Bruce) at CO3 Systems as Chief Technology Officer. In February 2015, CO3 changed its name to Resilient Systems, and Schneier blogged, “The new name better reflects who we are and what we do. Plus, the old name was kind of dumb.” Resilient Systems provided an incident response platform.
During 2015, the platform was integrated with IBM’s QRadar SIEM, effectively creating an early SOAR. The integration was successful, and in 2016, IBM announced its intention to acquire Resilient Systems (with Schneier admitting it had been his hope). He moved with the company to IBM.
“We’re still working out what I’ll be doing at IBM,” he blogged at the time. “I know they want me to be involved in all of IBM Security. The people I’ll be working with know I’ll continue to blog and write books. (They also know that my website is way more popular than theirs.) They know I’ll continue to talk about politically sensitive topics. They know they won’t be able to edit or constrain my writings and speaking. At least, they say they know it; we’ll see what actually happens. But I’m optimistic.”
In the event, he stayed with IBM for just three years, far less than the seven years at BT, even though IBM was arguably a better fit for him than BT.
You could never call Bruce Schneier unemployed — he is always engaged in one or more projects. For the moment, there is no clue from him over future intentions (SecurityWeek has asked, and will append any response to this article). He will be courted by large security firms for the cachet of employing Bruce Schneier with yet another nicely ambiguous title. But his stints with BT and IBM followed the acquisition of his companies, and may have been part of the deal.
Whether he has another new company in the pipeline will become clearer in the coming months.
Related: Security Awareness Training Debate: Does it Make a Difference?
Related: Stolen SIM Card Keys Could be Powerful Spy Tool
Related: Senators Reintroduce IoT Cybersecurity Improvement Bill
Related: US, British Spy Agencies Crack Web Encryption: Reports
