IAPP’s CIPT vs. ISACA’s CDPSE (Early Adoption)

4 years or so ago, I started getting serious about privacy / data protection. I read everything I could get my hands on, including the actual GDPR itself …dozens of times. While I appear to still be one of the few who has actually read it, there is nevertheless a whole new ecosystem of professionals who continue to blur the already blurred lines between security and privacy.

This is good.

And while I absolutely maintain that I am a ‘security guy’ and NOT a ‘privacy guy’, I, like most people who learn something new, wanted to ‘evidence’ that hard-earned knowledge to others (i.e. ‘acronym hunters’ on LinkedIn). So I looked around for relevant training/credentials/smoke-and-mirrors.

At that time (early 2019), the only organisation [that I could find] offering a certification tying together data security and data protection was the International Association of Privacy Professionals (IAPP) with their Certified Information Privacy Technologist (CIPT) credential. Per their website; “Organizations of all sizes are significantly investing in technology and technologists to help ensure compliance with new privacy legislations. Develop the skills to identify problems, create technical solutions and implement privacy principles in compliance with sweeping data protection regulations.”

While this seemed perfect, I was not very impressed with the rather dated/US-centric material. However, they have since completely updated it, and done so very well. But in relative terms, reading only ONE of the three books that were part of IAPP’s [now] Primary References, is one more book than the ISACA’s Certified Data Protection Solutions Engineer (CDPSE) currently requires.

During this ‘early adoption’ phase, the only things you need to be awarded the CDPSE credential are:

  1. a completed application form;
  2. two people to ‘verify’ the application; and
  3. $880, or $695 if you’re an ISACA member

That’s it, no reading, no test, no real-world references, just two people you know. They probably won’t even call them to confirm whether or not their verification is even appropriate. They didn’t in my case.

I have, over the years, tried to completely discredit credentials like the Certified GDPR Practitioner as a means of demonstrating real-world data protection competency, but given it’s 4-day classroom training and final test, it’s a veritable Masters compared to the CDPSE. How can this certification be seen as anything other than a completely hollow line of revenue at this stage?

Certifications are SUPPOSED to mean something. They are SUPPOSED to let people know that you can actually DO what the certification represents. The current iteration of the CDPSE does neither and only adds to the idea that vendors are selling little more than pet rocks.

So if it’s that meaningless, why do I have it? For me the reasons are 3-fold:

  1. I actually HAVE significant data security and data protection experience, as is evidenced by both client references and multiple certifications in the fields. Certifications that actually required reading and testing; CISSP, CISM, ISMS LA, CIPP/E, CIPT, CIPM and so on. I can actually meet the intent of the CDPSE;
  2. Anything that draws attention to my profile is potentially a good thing, even if it’s just an acronym;
  3. I have no college/university degree so collecting acronyms is an alternative, albeit a very poor one.

All that said, am I saying don’t bother getting it? No, I’m not saying that, but what I AM saying is a) don’t brag about it, or use it as an indication of expertise if you have it, and b) don’t base hiring decisions or even expertise search parameters on it if you need and expert, because it’s an indication of nothing.

When I wrote a negative article about IAPP’s CIPT certification, they immediately reached out to me for clarification and my further candid opinion. They listened, and then when they had released their new material they gave it to me for review. That’s how a professional organisation trying to make certifications actually mean something acts. Let’s see if ISACA do something similar.

If they do, I’ll happily update this blog.

[If you liked this article, please share! Want more like it, subscribe!]

We Can All Be Successful…

…as long as WE are the ones who define success for ourselves. Otherwise 99.9% of the world’s population would fall well short.

Seems obvious, right? For example, if you take money as a measure of success, for every billionaire (~2,600 as of 2019) there are nearly 3,000,000 people who are just ‘getting by’. So for the vast majority of us, the chances of being a big success [in monetary terms] are very slim.

The same applies for any other success factor where you are comparing yourself to the world’s best, there is very little room at the top.

Continue reading

On the Convergence of Data Privacy and Data Security – Part 1

If you’re fairly new to this ‘privacy stuff’, you might be wondering why I used the phrase ‘data privacy’, not ‘data protection’. Well, unlike the security industry where we can’t even agree on when to use ‘cybersecurity’, ‘data security’, or ‘information security’, the privacy world has its act together. Hell, security folk can’t even agree on the spelling OF cybersecurity/cyber security!

But for the purposes of this blog, and the Part 2 guest blog to follow, it’s important that you accept my definitions at least, whether you agree with the names or not. It’s the points I’m trying to make that matter, not the nomenclature.

Continue reading

You Want an Honest CV / Resume? Here’s Mine!

I have written several blogs on the poor state of cybersecurity recruiting, all with the hope that they may trigger at least some positive change. Even if that change is only in the very few people who are actually reading this crap.

When I say “poor state”, I of course mean fundamentally, systemically, and damned near fatally broken. It just does not work, not for the employers, not for the candidates, not for the recruiters, and not for the industry as a whole. As much as I have criticised/blamed recruiters, it’s really not their fault as much as we might think.

Recruiters, like any other salesperson, are rarely [if ever] subject matter experts in their chosen industry sector (i.e. they cannot DO the jobs they are trying to fill). The real experts, the ones who can actually do the work, are in turn rarely [if ever] capable of doing what the ‘salesperson’ does (i.e. they have no idea how to sell themselves).

Continue reading

Cybersecurity Recruiters: Your Failures Explained

Each time I think I’m getting to the heart of the challenges faced by those on all sides of cybersecurity recruiting, a further complexity raises its ugly head.

While I still think that job titles are horribly limiting, that job descriptions completely miss the point, and that the cybersecurity skill-gap misconception is mostly the fault of the organisations asking for help, there’s no getting away from the fact that cybersecurity recruiters are doing themselves no favours.

Continue reading