Saturday, November 13, 2021

Security and Privacy Certifications and CPEs

This may not sound like a security/privacy-related topic, but there is more to these professions than wearing hoodies with 'l337 H4ck3rz' written on the back.

Early this year I earned the ISACA Certified Data Privacy Solutions Engineer (CDPSE). They do issue pretty badges to put on your website to impress your friends and be the life of the party:

The thing is, if you want to keep your hard-earned (and usually not cheap) professional credentials, you need to do some professional development, which is measured using Continuing Professional Education (CPE) credits. Before you put your surprised face on, understand this is not specific to the IT and InfoSec industry. The first time I learned about that was in the medical industry: over there it is called Continuing Medical Education (CME), but the principle is the same.

ISACA is not the only place requiring CPEs; if you have an (ISC)² (I am looking at you, CISSP holders) or CompTIA certification, chances are you too need some CPEs. Given the cost of the CISSP, the last thing you want to do is lose it because you did not spend the time to get the required amount of CPEs. For the sake of this discussion I will focus on how ISACA handles CPEs. According to this certification's requirements, I need

  • 20 CPEs annually
  • 120 CPEs every 3 years

Two things I would like to point out:

  1. The 3-year cycle in which you need to earn the 120 CPEs starts in the year after you are certified. So, for me that would be 2022 to 2024.
  2. You need to earn the CPEs for a given year X in the year X - 1. In my case, I was certified in 2021, so I need to earn and submit my CPEs in 2021 for the year 2022.
  3. The math is a bit scary: you need a total of 120 CPEs in a 3-year interval; that means an average of 40 CPEs/year. If you have done the bare minimum -- 20 CPEs -- each year for years 1 and 2, in the last year you will need to come up with 80 CPEs. At the time I wrote this, my CPE count looks like this:
    I covered the bare minimum for 2022 but it would be better if I come up with another 9 CPEs.

So, how do we earn some nice free-range CPEs? ISACA does publish a doc on how to earn them. Some you can earn by doing things associated with them, like going to their conferences or taking their training classes. But you can also earn them through other activities such as

  • Teaching / Lecturing / Presenting: This is how I got most of my CPEs this year, thanks to the talks and the workshops I gave. You can earn a lot of them.
  • Publication of Articles, Monographs and Books: The last article I wrote that was published was last year, so it does not count. But, maybe you did something, as it earns you a lot of CPEs.
  • Self-study Courses: I took a class -- Certified Cyber Security Architect -- in March of this year, so I could add some CPEs. I am also taking another class right now; I will contact the instructor to see if I can get CPEs through it too.
  • Non-ISACA Professional Education Activities and Meetings: In other words, attending monthly meetings, say the ISSA one, counts as a way to earn a few more CPEs. Not much (I think one per meeting) but every little bit counts.
  • Passing Related Professional Examinations: I did not realize I could also earn them this way, so I have a few more to add. Two CPEs per examination add up.
  • Vendor Sales/Marketing Presentations: Suck it up and watch that infomercial webinar!
There are more events but these are the ones I have used.

Bottom Line

There is no excuse for you to lose a certification due to lack of CPEs! If I can do it, so can you!