Bear February 8, 2013 3:27 PM

@fatbloke: “But surely, any publicity is better than no publicity?”

Some p/e/o/p/l/e/ marketing weasels truly believe that. I recall the morning the Indy sales manager of [telecomm name redacted to preserve the idiot’s ability to get another job] rushed into my office to proudly display the… er, wonderful above-the-fold (most of above the fold, and continued on inside pages) article about the company. I pointed out that the entire article was about how incomprehensibly terrible the company is, and how no one should ever risk doing business with us.

“But it’s publicity! People will remember our name.”

Yeah, like they remember the Hindenburg, Love Canal, and Three Mile Island.

This obviously is quite a few notches better than that, but still… you’d think it would have been worth the guy’s time — researching one of the top ten security experts in the freaking world — to click and read the second page of google results.

Travis February 8, 2013 3:31 PM

No, no… it’s bringing together security and fire — two separate things. See, their catchline? IP Security and Cyber Security are tabs at the top of their page! Clearly you fall into an expert for those areas!

Hopefully they don’t mean they literally want to bring you in close physical proximity to a pyre, though. I think a lot of software companies might want that.

Count0 February 8, 2013 4:03 PM

Well, I’m in physical security and have been reading this column since it was a monthly email newsletter. The tech crossover may be more than you give yourself credit for.

pointless_hack February 8, 2013 4:36 PM

I studied political theory in school. When a person or company “makes it,” analysts predict a stage of public approbation, but after a point, envy garners hatred.

I hope congratulations, and not condolences, are in order.

Paul Waterman February 8, 2013 6:00 PM

I’m confused… Where does this article imply that Bruce is a physical security expert? Many of the other security experts profiled are indeed physical security experts, but Bruce’s profile doesn’t mention physical security, and indeed, it specifically says “He is killing it in the world of online security.”

Have they perhaps updated the profile since Bruce’s blog post?

Henning Makholm February 8, 2013 6:07 PM

Most of what I’ve seen you write here in the last several years seems to apply as well to physical security as to anything else.

Why do we need it? How much of it do we need? What can it do for us? What will we have to give up to get it? Is it worth the trade-off? Is it solving the right problem? Does the nice salesman from the security firm have our best interests in mind?

Including you on the list makes good sense, though it doesn’t look like the copywriter had any idea why you’re on it.

Bear February 8, 2013 8:07 PM

Paul Waterman, February 8, 2013 6:00 PM: “Where does this article imply that Bruce is a physical security expert?”

Kinda by context. IFSEC has primarily been a physical security group (hence the “fire” tie in), with computer security being a comparatively recent addition.

Dominic February 9, 2013 8:51 PM

After 10 years in the physical security business, time and time again I find your writing influences the way I think about security and how the physical aspect fits in with the client’s overall security aims. No one else writing about security has the same insight into how security works with people and how we can make it work better. Just because you’re not in this subset of security does not mean you do not influence it.

In short, if someone is not influenced by you they are in security but just chucking stuff on walls.

Dominic February 9, 2013 8:53 PM

That last sentence should read
‘they are not in security but just chucking stuff on walls’

moz February 10, 2013 3:10 PM

I think it’s kind of cool. As has been discussed here before the IT security of physical security systems is awful. I was “shocked, SHOCKED” to find out how the building security systems are put together in some of the places I work. Remember the problems certain hotel lock manufacturers had providing needed security updates. I think it is great if these guys come here to learn and read. If I were you, Bruce, I’d encourage this, not slag it off.

Kim February 10, 2013 5:27 PM

I might be wrong, but I read the “I seem to be a physical security expert”… as a tongue-in-cheek reference to the fact that the “bio” on that site spends more time talking about the Norris->Schneier memes than about any of his crypto/infosec/psychology of security work.

KG February 10, 2013 7:11 PM

I’d stand in front of a dumpster. King of the Mountain for geeks. Can’t see around this part of the building… need an extra camera here w/ audio. Physical Security and Social Engineering are the big ones. Then there’s 65000 ports to deal with on the technical side. I like what I’ve heard from Bruce Banner so far. He’s a native Mississippian, you know. No wait, that’s David Banner.

Funniest thing I heard this week in the infosec geekery was that Panetta’s getting a billion dollars for the cybersecurity budget. The Federal Reserve hack was embarrassing I would think. I’m sure there’s great spear phishermen with intimate knowledge of tools that want to get their hats dirty with that. Funniest thing is that the DoD said that they don’t have the capability to train 4000 additional qualified information security pros. DOH!!

Clive Robinson February 11, 2013 12:27 AM

@ Kim,

… as a tongue-in-cheek reference to the fact that the “bio” on that site spends more time talking about the Norris ->Schneier memes…

Did you also notice that none of the other Top10 had anything but a “Plastic Corporate Personality” not even a “Genuine People Personality”[1]. Presumably this is because of the PR [2] inverse thinking on “To err is human” thus they must not appear human to inspire confidence…

[1] See the works of Douglas Adams for more on the development of “Genuine People Personalities” by the Sirius Cyber Corp. for lift doors etc…

[2] PR has two recognised meanings: one for the medical fraternity who specialise in “areas down below”, and Marketing droids in major organisations [3] who treat execs like Puppets (or should that be Muppets). Either way, of the two, the Medical PR people spend less time with their hand up your…

[3] See the works of Douglas Adams for more insight into PR and Marketing Droids, especially with respect to the Golgafrinchams and their B-Ark [4]. If however you already know, please swallow any drinks you might be consuming and have a hanky ready before reading.

Joe February 11, 2013 7:22 AM

It is my understanding (from within the UK industry in question) that this ‘Top 40’ was put together based on submissions from those within the industry. Your name was put forward by those within industry as an influence.

You may not consider your sphere of influence to include physical security, yet as pointed out previously by other commenters it does not mean that the methodology or approach to tackle an issue does not have application in that sector.

Increasingly, convergence is leading to a blurring of the lines between electronic security, security of electronic equipment and information security.

Look on the bright side, you don’t even have to record a video thank-you 😉

For the record, I did not vote for you, though after seeing your name mentioned in the listing it did lead me to reading and subsequently subscribing to your blog.

nonymouse anon February 11, 2013 7:34 AM

Thanks for your humility.
You are wrong.
Here’s why.
1.) Physical layer is critical infrastructure, and critical infrastructure depends on computer security.
2.) SuperBowl Game. Wrong type on the electric protection relay coordination prints/maps/‘ladder logic’??
3.) SCADA on an obscure version using deprecated hardware, that is used in hospitals, key office buildings and, according to some OPEN BID DOCUMENTS, law enforcement?
4.) Hotel locks are compromised using portable Arduino and SOFTWARE. Tell your lady friends, wife.
5.) Outsource of PHYSICAL PLANT controls for telco and communications. One example from HISTORY is the AT&T fiber optic cut that took out the FAA control system and the airports.

6.) 2003 electric blackout takes out the stock exchanges. GE management console software hangs in ‘race condition.’ Software is globally widespread and includes power plants, including the big ones. Result is the Ohio Transmission Line overheats because of ‘hung software.’ GE publishes (almost; maybe it has been ‘erased as history’) a public notice that strenuous testing of old C and C++ code and ‘other’ resulted in ‘hung condition’ – reporting the WRONG results. Appears to be no high level ‘gateway quality checks’, sanity checks or even special procedures for the operator. Warning: can be inaccurate, as I am going from memory.

9.) Numerous other examples, including engineering software that mixes wrong units/types/conversion factors. If the bridge design is off by a factor of 3 (three) that could be a VERY BIG NUMBER.

Maybe promote yourself to SECURITY GENIUS and say that even PHYSICAL security is part of computer security?

Green Squirrel February 11, 2013 5:20 PM

Like Joe, I was under the impression this had been collated from votes – so obviously lots of people who vote for this sort of thing think Bruce was a suitable candidate.

Personally I think the disconnect between physical security and computer security is artificial – there is security, or no security.

One minor gripe about the IFSEC blog post: it seems to have been written by someone who has less than zero clue of any of the people. It is painful reading it.

Rob Ratcliff February 19, 2013 11:05 AM

Hey all, just seen this post — as many of the commenters point out, the list was indeed compiled by our readers rather than my just Googling ‘security experts’. In fact (for shame) I must admit I hadn’t personally come across Bruce’s work — this is due to the fact that (as a few others have said) we traditionally have been the preserve of physical security. Of course, as the worlds of physical security and infosec converge, we’ve made conscious efforts in recent years to do a bit more in the infosec space. This has been deliberately stepped up with our new website, which was launched with this list.

@Green Squirrel: Sorry if you thought it was painful reading! It was late, and I had a pile of stuff to do ahead of site launch. Hopefully I can raise my game if we make another list next year.

Chris Nielsen March 22, 2013 8:52 AM

I was checking Google listings for my client who IS a physical security guy and noticed a link to this page.

It almost sounds like it’s an insult to be associated with the area of physical security. While it may be a little off-topic for what you do, I think you should be happy that more people are finding you related to the topic of “security”.

My unsolicited advice for people who are looking for physical security experts would be to refer them on to those that can provide the needed services. They may even return the favor, since we all know the physical experts don’t do “cyber”. 🙂
