I have made no secret of my disdain for the ‘GDPR Practitioner Certification’ badge, and I still have no time for it, or its recipients who pass it off as real-world experience. But what alternatives are there if you want to obtain some form of data protection certification / privacy education?
The de facto standard, and really the only player in town, is the International Association of Privacy Professionals (IAPP), and their flagship badge, the Certified Information Privacy Professional (CIPP), is the most widely recognised and respected acronym you can add to your CV/resume. It’s the equivalent of the CISSP for those of us in the cybersecurity industry.
As a security professional, I’m really only looking for education that will help me AS a security professional. I’m only studying this ‘privacy stuff’ because I know full well that the lines between data security and data protection have become increasingly blurred. Both sides of the privacy equation desperately need to become far more familiar with each other to accurately translate the middle ground.
But how do we do that?
Yesterday I took, and thankfully passed, IAPP’s Certified Information Privacy Technologist (CIPT) exam. CIPT is designed to help technologists to “build [your] organization’s privacy structures from the ground up” and “meet the growing need that only tech pros can fill—securing data privacy at all stages of IT product and service lifecycles.”
My primary driver for this was knowledge, but being able to demonstrate some commitment to the subject in the form of a certification certainly doesn’t hurt. I’ve already added it to my LinkedIn profile, so I expect to be inundated with work offers any time now.
The preparation for the exam involved reading several books and other collateral. It’s the collateral with which I have the biggest issue. The ‘Authoritative texts’ are:
- Privacy in Technology: Standards and Practices for Engineers and Security and IT Professionals. Cannon, J.C. Portsmouth: An IAPP Publication, 2014. ($65)
- Introduction to IT Privacy: A Handbook for Technologists. Breaux, Travis. Portsmouth: An IAPP Publication, 2014. ($29.95)
- Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists. Shaw, Thomas J. New York: American Bar Association, 2012. (I paid ~ $300.00)
Right off the bat you will notice that not one of these ‘authoritative’ texts is less than 5 years old, and the oldest (if you can even find a copy), is MASSIVELY expensive! Amazon has a copy on sale for over $2,000!!
Other issues include:
- All of the material is very US-centric – while this is understandable given that they were founded there, the US is not exactly on the forefront for this stuff;
- None of the material covers what’s going on NOW – At 5 years old minimum, the authors had never even heard of the GDPR (for example), let alone incorporated relevant content into their books;
- The threat landscape changes a lot in 5 years – 5 MONTHS is a long time in security;
- Technology has moved on too – and no, I don’t mean AI!!;
- Getting the right answer to an old exam question does no one any good.
While I understand that getting material together in order to provide an accredited ANSI/ISO standard 17024:2012 course and certification mechanism (which CIPT is) is a Herculean task, the IAPP have nevertheless had 3 years to get more current material built into the collateral.
So while I have undoubtedly learned quite a bit, I feel that I would have been better off waiting until the course material was appropriately updated. Again, I’m in this for the knowledge, not [necessarily] the acronym.
But will all of this stop me from taking other IAPP certifications? No, actually, I’m already signed up for the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Professional / Europe (CIPP/E). Why you ask? Because unfortunately they are still the only thing around that has any meaning whatsoever. That and I will learn new stuff every time I read a book, no matter how old.
I have nothing against the IAPP (they provide a LOT of free resources), but we really need training courses, collateral, and yes, even certifications, that actually mean something. I suspect that it will be some time before we see such a thing from any vendor.
Most importantly I guess; Would I recommend these certifications? Yes actually, I would, but only because neither reading nor certifications are bad for your career.
Wait for the new versions though, and only if they have updated the reading material appropriately.
[Ed. Note 12-Aug-20 – I have since reviewed the CIPT training and reading material, it is now MUCH better and with consideration for both IS and privacy professionals alike.]
[Ed. Note 02-Aug-19 – Missed this; IAPP announces revamped CIPT certification. Looks like the revamp won’t be until next year, with a new ‘textbook’ available in January.]
[Ed. Note 02-Aug-19 – I have to say I’m very impressed with IAPP, they have already reached out to chat about my blog. Kudos where it is due.]