The Story of Daniel Seid, a PECB Certified ISO/IEC 27001 Master
Looking back over the last decade, it’s remarkable how much PECB’s network has achieved and advanced professionally. Such advancement is not only a result of our training development and deliverables, but also of the ways by which we’ve been able to provide assistance and guidance to many of our members around the world. Seeing the great importance of distinguishing highly experienced professionals, PECB has introduced the Master Credential Scheme. This credential is given to individuals who have made a major contribution in their professional field and brought multiple benefits to businesses and society.
Such commitment inspires us and is one of the reasons why we had a lovely conversation with Daniel Seid, a PECB Certified ISO/IEC 27001 Master, who has extensive experience in security: 30 years, to be exact. He explains his passion for his work as a “geekish” curiosity to find out how things work; he likes to break things apart in detail to understand how they are interconnected and how they work together:
For me it started with IT systems and servers, now it’s more like large corporations and soft skills.
Daniel is first and foremost a family person who, alongside his wife, has raised their lovely identical triplet daughters; thus, during his 30 years of working in security, he has exercised his profession mainly in Sweden, though he has also had assignments abroad. For his first five years, after returning from compulsory army service, he worked in various (physical) security guard assignments. Later on, Daniel worked for more than 10 years in offensive security and penetration testing as a project leader.
He has worked for specialized security firms as a security consultant and has been employed by governments, municipalities and state-owned companies. He recently started his own company after serving for more than five years as CISO at “Svenska Spel,” where he was in charge of upholding triple organizational security certifications for the company; prior to that, he worked for three years as IT, Risk and Security Manager at Karolinska University Hospital.
Since Daniel started his own company, he has constantly evaluated his work in retrospect, through his clients and peers and with the help of feedback from attendees of the trainings he provides. In his current jobs as an information security auditor, information security teacher, data protection officer, and CISO, he makes a difference by changing mindsets and perceptions of information security, explaining how information security is another tool in the arsenal that businesses have for reaching their overall goals. In his company, Daniel encounters a lot of challenges and enjoys achievements every day.
His work experience has led him to build a system for data protection similar to PIMS, “Privacy Integrity Management System”, named “Personal Information Management System”. He knew it would take some time for the working draft of ISO/IEC 27552 (PIMS, Privacy Integrity Management System) to be finalized and officially released, so instead he built his own PIMS that handles people, processes, procedures (as he learned from the PECB ISO/IEC 27001 Lead Implementer training course) and now this system is fully operational at a private healthcare provider.
Necessary documentation such as policies, guidelines, and instructions, along with specific risk analyses and file registers, has been produced, and top management and key persons in the company are involved. This custom-built PIMS is still being further developed, and Daniel highly recommends that any organization adopt such a system as a systematic and strategic approach to continuous improvement with respect to the GDPR.
Daniel’s Road to Standards
When it comes to successes, Daniel has a lot to tell, but being a father to his daughters is at the top of his list. Second is having designed and built their family home: Daniel did the complete architecture of two houses with Google SketchUp. He also became the project leader, financier and legal contractor for the individual specialist construction teams that he negotiated with. Third, according to him, is starting his own business and receiving the ISO/IEC 27001 Master certificate.
When we asked Daniel to map out his way up to standards and information security, he talked, half-jokingly, about becoming a grumpy old man complaining that the younger generations have it so much easier with all the resources available nowadays, like access to higher education and security certification courses. People now argue online about which certification is the best. That was not the case when Daniel started his professional career in information security.
Nowadays, there are, for example, offensive security courses with constant professional online support and safe virtual labs, or step-by-step instructional videos on YouTube. Laptops today are on steroids! Daniel started looking around 1999 for some kind of industry standards on general security requirements, especially relating to the procurement of both services and devices, because he needed a documented and systematic approach to recurring security issues. This need led Daniel to find out about BS 7799, the predecessor of ISO/IEC 27001.
At that time he was switching between penetration testing and strategic information security. He figured that if he could manage to crack all the passwords in an organization, it was often because there were no effective security controls in place back then. The deeper cause was the lack of awareness from the top management because of a lack of proper or reasonable resources available for the staff to properly protect the assets. Daniel has many times seen IT managers claim that “our technical staff has our IT under control” until he showed the IT manager personally and practically how insecure their IT infrastructure was, i.e. he cracked their personal login password and showed them the result. “That’s why I have used the last years mainly focusing on ISO/IEC 27001.”
Daniel sees the standard’s certification as a form of quality mark. Regardless of whether it’s a personal certification or a business certification, quality marks business growth. It also fosters innovation and constant improvements. With a joking tone, Daniel says:
There might exist some fine pilots without a license but I would prefer to fly with one that has a pilot certificate.
It is the same case in the information security industry. “Certified businesses should be given precedence when considering partnerships, in products and in service deliveries. I prefer to do business where there are some rules that are in place that also are vetted by an independent party. For me, my personal certifications open doors to interesting opportunities.”
Daniel is a firm believer that standards set and provide a well-known security baseline. “That does not mean that a certified business is ‘hack-proof.’ But it does mean that the certified business has an independent quality assurance of a common set bar, based on the best security practice. And as such that can be measured and compared to other KPIs for the internal business goals, and against the competition.”
How Has the ISO/IEC 27001 Master Qualification Supported Daniel’s Career?
“I get noticed and have an advantage when it comes to new interesting offerings from possible new clients in Sweden and abroad as well as peers in my business (that also help me advance my career) that I probably wouldn’t have had without this certificate. I continuously learn new things that will also be benefiting my existing clients, and having satisfied customers is probably the best support one can have for his/her career.”
With the digital revolution going on, businesses are producing, managing and storing more data than ever before. This data is no longer just raw material, but the reflection of an organization’s ability to save it and transform it into useful information that can unlock a world of opportunities. The rapidly increasing digitalization of industries and of society as a whole is changing production methods and how we work in general.
So Daniel’s advice for those who are seeking a career in Information Security is: “If your heart and mind are into security, the ins and outs of security – not only for the paycheck – just go for it. There is so much to learn and try to understand or even grasp. It’s endless. Never stop, but take pauses and always try to move forward. Never, ever, stop learning.”
“There are people out there who are younger, smarter and faster than you, find them, follow them and learn some more.”