InfoSec CPE: If you pay for your infosec specialists’ membership fees why aren’t you reviewing their annual CPE transcripts?
400+ hours of InfoSec CPE completed…
It’s that time of year, just before the anniversary of gaining my CISSP, 10 long years ago, where I access the ISC2 portal and input my log of annual Continuing Professional Education (CPE). Trying to find the time to do 40 hours a year of relevant information security education on top of the day job (and everything else!) has been a challenge but on balance definitely worth the effort compared to doing a six-hour exam every three years! As I inputted the 400th hour of Infosec CPE, I reflected on how many times I have been asked to prove my certifications are still in good standing. The answer is a resounding zero. Never have I been asked to submit a transcript detailing what I have done to maintain my knowledge. Never have I been asked to confirm my CISSP, CIPP/E, CIPM or any of the other qualifications I hold are still in good standing. Yet, it’s taken for granted I still know what I am talking about…regardless, I’d like to think I do still have some clue…and it’s likely the same can be said of the specialists you are leading…
…That said, I would strongly recommend periodically asking your staff for their current qualifications’ CPE transcripts. Not just your InfoSec or Risk specialists but all your specialists.
CPE – use it or lose it!
Continuous Professional Education is a requirement of ISO 17024:2012 certifications. It basically requires that the certification holder carries out a number of hours (usually between 20 and 40 per year) of relevant education with the aim of keeping their knowledge up to date. If they don’t maintain their infosec CPE quota then their certification will lapse and they are not permitted to state they hold the aforementioned qualification. If someone has CISSP after their name, for example, they must be currently in good standing. If they have lapsed then they cannot place CISSP after their name. Same with IAPP qualifications. The good thing is, high-quality certification bodies maintain this information on their publicly facing website. If you can’t find a register, then I wouldn’t rely too much on the quality of the certification as a litmus test for the specialist’s knowledge!
So why require continuous education? Well, it is generally understood that after undergoing any form of training, unless the knowledge attained is regularly applied, there is likely to be an increasing level of skill fade over time. Skill fade is where your knowledge of a subject degrades because you’re not actively using what you have learned. This is not the same as the Dunning-Kruger effect, where a person thinks they have a certain level of knowledge but is deluding themselves. With skill fade, they at one point had the knowledge but have forgotten some (or all) of it. I know this has happened to me. For example, at some point in my late teens, I could definitely produce a mathematical proof or work out a binomial expansion with relative ease, but ask me to do either now and I would have to go away and have a bit of a think! The reason is simple: I have forgotten how to do these mathematical problems because I have not done either in 20 years! The same can be said of professional knowledge. If you don’t use it, you will forget pretty quickly.
The other thing one needs to consider is that things can and do change. Many of us have grown up with certain knowledge we accept as fact, an anchor we lash ourselves to in times of crisis. A good example for me is that dinosaurs look like those depicted in the amazing documentary film Jurassic Park (yes, I am joking!). It has been the scientific norm for over a hundred years that dinosaurs were scaly green beasts, but recent research has shown most, if not all, were completely feathered, and eventually evolved into birds. For hundreds of years, people thought the world was flat – some still do, it seems. Many espoused that the earth was at the centre of the cosmos until astronomers such as Galileo and Copernicus risked their lives to speak out about what may have been considered ‘alternative facts’ at the time. The simple fact is: generally accepted wisdom can and does change. The old adages ‘if it ain’t broke, why fix it’ and ‘we’ve always done it this way’ reverberate around many an office and are often the root cause of why companies fail. That’s why earning a qualification with a CPE element, over those that test your knowledge at a fixed point in time and then leave you to your own devices, is so essential. It’s doubly essential in the break-neck paced world of change we live in.
Why InfoSec CPE is so essential
Infosec CPE goes a long way to combat the effects of the two situations described above (three if you count challenging a person’s delusions about their own knowledge). Mandatory CPE provides a strong motivator to certification holders to maintain their current knowledge but also aids in challenging their beliefs.
Sadly, some people who undergo training courses do so to tick a box. A good example in recent years was the uptake of privacy qualifications on the back of GDPR going live in May 2018. Just before May, it seemed every man and his cat suddenly became an expert in GDPR having done a one-week (or sometimes one-day) course, often of dubious quality. A quick check of online LinkedIn profiles showed many had not worked in data protection before and, similarly, a lot had not even been a Data Protection Officer under the old 1998 DPA regime. Yet, here they stood ready to give dodgy (and costly) advice. Who can forget the article in Wired “The House of Commons splurged £100k on ‘ludicrous’ GDPR training” or the Law Gazette piece “Lawyers warned over potentially negligent GDPR advice”? For such stories to make the mainstream is a shocking indictment of how bad things can become when a training gold rush occurs, but could checking CPE help sort the wheat from the chaff and prevent a hiring manager from making an expensive mistake when hiring a specialist? I think it can.
How should hiring managers leverage CPE?
If hiring managers (or better still, recruiters) asked for CPE transcripts when screening candidates for specialist roles, they would quickly see whether the person has done an exam to ‘tick the box’ and is likely to have limited knowledge, or is the kind of person who is a dedicated professional who keeps up to date with what is going on in their industry over a number of years. The kind of person who makes a contribution above and beyond the bare minimum. The kind of person who will be a real asset to your organisation. The kind of person you want to protect your organisation!
Once a person has been hired, maintaining their CPE could form part of their annual performance review. Maintaining a minimum number of hours could be a Key Performance Indicator (KPI). After all, the pace of change, certainly in the technology world, is rapid. Just have a look at the current AWS solution portfolio. It’s highly likely someone (if not more than one) is using one (if not more than one) of these technologies in your organisation. If not on AWS, then Azure or Google Cloud Platform. If your security specialists aren’t keeping up to date with the latest developments, how on earth are they going to be able to keep the data processed on these platforms secure? The simple fact is they won’t. Using CPE can also give the specialist a means to develop their own annual learning plan, so there are benefits to the employee as well as the employer.
It’s not hard to get these transcripts either. Prospective candidates can easily generate a personal transcript from their certification body’s portal. CPE is also a requirement of an ISO 17024:2012 qualification, so if a transcript can’t be generated, warning bells should sound about the validity and quality of the qualification!
So I have the Infosec CPE transcript, what should I look for?
Different organisations have different policies on what does and does not constitute continuous professional education, and good certification bodies will have this information publicly available (if it isn’t, then there is something wrong!). Take ISC2 and the IAPP: you can read their policies here (ISC2) and here (IAPP – also with a snazzy video!). I would encourage recruiters and hiring managers to do a little bit of research and read the relevant CPE guides, but some of the key things to look out for in the transcripts are:
For Junior Hires:
- Attendance on training courses (e.g. Certified Ethical Hacker – CEH)
- Participation in schemes such as those provided by the Centre for Cyber Safety and Education and the UK NCSC CyberFirst programme
- Writing reviews on books relating to their particular field
- Writing articles or maintaining blogs
For Senior Hires:
- Attendance on leadership courses (e.g. Certified CISO C-CISO)
- Attaining Fellowship level within their certification scheme
- Writing thought leadership pieces
- Authoring or co-authoring books
There are of course many other ways in which a person could develop their skills; the key is whether the development activity is of sufficient quality, is relevant, and is continuous!
Hire at leisure, fire in haste!
Infosec CPE is a useful tool, especially if you’re not an expert in the field. It’s likely you’re hiring specialists because they have the knowledge and skills you don’t. Reviewing CPE transcripts as part of the screening process can shed light on the specialists’ world. It can show whether the candidate is someone who is a true professional or a fly-by-night chancer!
“If your specialists aren’t keeping current, the Hackers certainly are!”
Once you have hired the specialist, CPE can serve as a useful tool to demonstrate they are maintaining their skills, because if they aren’t maintaining the appropriate knowledge and skills to protect your infrastructure…who is?!
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.