On March 5, 2024, Len Shneyder, Vice Chair of M3AAWG’s Abuse Desk Committee, asked Amanda DeLuke of HigherLogic and M3AAWG Expert Advisor Laurin Weissinger a few questions about personal certifications, or as Amanda nicely put it, "professional self-care".
The session, which is available to members on the M3AAWG Engagement Series page, covered a variety of questions, such as how one gets certified, what is needed to get certified, how to best prepare for exams, and, crucially, when it makes sense to pursue certifications.
To summarise a long discussion, there is no single, perfect answer to any of these questions.
On the privacy end, professionals are currently best served by the International Association of Privacy Professionals (IAPP) certifications, including:
- The Certified Information Privacy Professional (CIPP), which exists in different jurisdictional flavors but generally covers the relevant privacy rules, laws, and regulations in a given territory, giving the certification holder a good overview of the applicable rules and how to deal with them.
- For the privacy technologist, IAPP offers the Certified Information Privacy Technologist (CIPT) certification, which is geared towards those who want to implement privacy protections technically, e.g. by following privacy by design principles.
- The Certified Information Privacy Manager (CIPM) designation is for those who manage privacy programs and processes, covering key aspects such as how to manage privacy processes and controls.
While none of the discussants hold Information Systems Audit and Control Association’s (ISACA) Certified Data Privacy Solutions Engineer (CDPSE) designation, it appears to be most comparable to the CIPT. Unlike the IAPP certifications, it comes with experience requirements.
In security, certifications are quite a bit more complicated. Various vendors and service providers offer certifications related to their products as well as the underlying technologies and theory. This session does not cover these certifications but panelists noted that they can be useful and applicable to those specializing in the relevant products.
Mostly, the panelists covered vendor-independent certifications by industry heavyweights International Information System Security Certification Consortium (ISC2) and ISACA. ISC2 administers probably the best-known certification in security, the Certified Information Systems Security Professional (CISSP). Requiring five years of experience and an exam, it covers a considerable amount of ground. Other ISC2 certifications of note are the Certified Cloud Security Professional (CCSP), focussed on cloud security, which requires passing an exam plus either sufficient experience or holding the CISSP, and the Certified in Cybersecurity (CC), which is ISC2's baseline certification for those starting out.
ISACA's offering of certifications is more focussed on specific areas of expertise: the Certified Information Systems Auditor (CISA) certification focuses on audit and assurance, while the Certified Information Security Manager (CISM) homes in on security management and the Certified in Risk and Information Systems Control (CRISC) on risk management. All these topics are also covered by the CISSP to some extent, but the ISACA certifications go more in depth. Last but not least, the Certified in the Governance of Enterprise IT (CGEIT) provides insight into governance at the organizational level. All the ISACA certifications require passing an exam and a certain amount of experience to become certified.
With that many options, and those listed here being only a small slice of what is available in security, it is not necessarily easy to choose a certification to pursue. In general, the choice is individual; a security auditor is likely best served by CISA, while the experienced professional looking for a certification covering most of security is likely served best by the CISSP. As the panelists noted, the choice of certification might also depend on which certifications one's employer supports, what colleagues are currently pursuing, whether one wants to extend one's knowledge or "prove" one's expertise, and so on.
In terms of preparation, both Amanda and Laurin have almost exclusively relied on self-study, using the official materials provided by IAPP for privacy certifications, and a mix of sources in the case of security. In addition to books, materials available online include video lectures, audio books, quiz apps, and more. Without a doubt, boot camps and training courses can be extremely useful, either as a starting point and overview, or after some self-study to focus on what matters. As they are often pricey, whether they make sense is an individual choice.
For those starting out in privacy, the most apposite IAPP certification is likely a good starting point. In security, due to the breadth of options, making a choice is harder. For those starting out, ISC2's CC or CompTIA's Security+ might be a great starting point, while CISSP covers a lot of ground for those experienced in the profession. Nevertheless, focusing on one's personal situation is likely best, both in terms of topic/certification selection, as well as in terms of the best cost-benefit ratio.