
The Unexpected Burden of Multiple Certifications

Those who have been in any information technology profession for a few years or more are witness to the practice of professional certifications. They function as a badge of achievement as well as a badge of access to further professional opportunities.

Many IT professional certifications have continuing education requirements. Organizations such as ISACA, (ISC)2, IAPP, the PCI Security Standards Council, and others require certificate holders to adopt a continuous learning lifestyle through periodic training and other learning opportunities. These and other organizations require that certificate holders document their CPEs (continuing professional education) with the certification body; occasional audits of documented CPEs keep certification holders honest.

ISACA’s CPE policy requires that a certification holder complete 120 hours of training during a three-year certification cycle. This comes to 40 hours per year. ISACA requires a minimum of 20 hours per year, which encourages certification holders to maintain that learning lifestyle.

What may not be immediately clear is that this requirement is per certification.

I now hold four certifications from ISACA: CISA, CISM, CRISC, and CDPSE. Last week, as I was entering my 2020 CPEs into the ISACA system, the reality of one aspect of the CPE policy became exceedingly clear to me: when you have multiple certifications with a single entity like ISACA, each CPE hour is applied to only one certification. For me, this means that I must earn a minimum of 80 hours per year and 480 hours every three years for all four certifications. Keeping my CPEs level every year means that I must earn a minimum of 160 CPEs, or one full month, of training annually, or over three hours of training every week. ISACA’s policy and its CPE portal do not permit the application of a CPE to more than one certification.

The result: I’m now laser-focused on all of the different training methods and opportunities, and on a weekly basis I identify those that help me to continue to advance my knowledge and skills.

I keep very crisp records of my CPEs. On my personal laptop computer, I have a worksheet that is open all the time where I enter every webinar, vendor demo, writing project, mentoring session, and other eligible activities. My records include the number of CPEs, as well as which certification each CPE will be credited to. I try hard to “front load” my learning each year in the event that life or work get in the way later in the year. And for those three-year certification cycles (which for me, thankfully, are spread out evenly), I try to front-load each certification with more than 40 hours for the first year of the three-year cycle, so that I don’t end up in a situation in the third year when I need to earn more than forty hours.

Fortunately, there is no shortage of online learning opportunities. I subscribe to email feeds from (ISC)2, ISACA, Dark Reading, Brighttalk, TechTarget, and others, so my inbox always has opportunities for me to choose from every week.

I applaud you if you aspire to earn more certifications, whether they are a badge of honor or a means of opening doors for professional growth.

Update: apparently ISACA will permit CPE hours for an activity to be applied to more than one certification, provided the activity qualifies for each certification in question. Read more here. Full link here: https://isaca.force.com/support/s/article/Can-my-CPEs-be-applied-torwards-more-than-one-certification-1597877234103

Which security certification should you earn next?

A reader who recently received his CISA certification asked, “Which certification should I earn next: CEH or CRISC?”

I see this question a lot, so I’d like to answer this in two different ways.

When someone asks which certification they should earn next, sometimes I wonder if that person is asking others to choose their career direction for them.

In this case, the person wants to know whether CRISC or CEH is the right direction. If this person were asking me personally, I would respond with these questions: What aspects of information security interest you? For which aspects do you have good aptitude? What kind of information security job do you want to be doing in five years?

In the case of CEH and CRISC, these two certifications could not be more different from each other. One is a hands-on certification that has to do with breaking into systems (and helping to prevent adversaries from doing same), and the other has to do with risk management, which is decidedly hands-off.

Now for my second answer: you choose. Both are well respected certifications. Which one aligns with your career aspirations?

Another thing – for anyone who is just trying to figure out the next cert to add after their name – stop asking that question and do some other things first.

1. Assess your experience.
2. Figure out where your experience can help you go next.
3. Determine your aptitudes. Meaning: what are your talents?
4. Decide what you want to be doing in five years, ten years.
5. Only after you have answered 1-4 can you then think about certifications. They should reflect your knowledge and experience.

Knowledge and experience come first. Certifications are a reflection of your knowledge and experience, not a forecast of future events.

– from my posting to the CISA Forum