You have earned your certification! Congratulations!

Qualifying for and studying for an InfoSec exam is not an easy task, and you should be proud of your accomplishment. But once the glow of accomplishment has worn off and you have framed your certificate, there is the nagging problem of earning the Continuing Professional Education (CPE) credits to remain in good standing in your organization.

For some folks this is an easy task. Credits may be earned through the simple act of attending conferences and meetings of sponsored chapter organizations. However, many of these meetings and conferences are not free. This presents a problem for a newly certified professional who may not have the money to attend these events.

Fortunately, there are plenty of free ways to earn your CPEs.

To avoid having a CPE rejected, you should fully understand the intent of the requirement. The reason for the CPE is to stay abreast of new developments and to remain active in the InfoSec community. While some of the certifying authorities are very strict about the subject matter, others are more permissive. For example, if you hold the Certified Ethical Hacker certification from the EC-Council, they insist that all your CPE credits be related to InfoSec, so if you submit a CPE for a general book about ethics, it will be rejected unless it has a chapter that specifically addresses “Computer Ethics”. On the other hand, if you have a certification from ISC2, they will freely accept a CPE for study of general ethics. This is not a criticism of either organization; it is presented to illustrate the differences in certifying authorities.

Some CPE credits are classified into different categories. ISC2 has different credits for the “core” disciplines (such as the ten domains of the CISSP), which they call “Type A” credits, and alternate “Type B” credits. Type B credits could be just about any field of knowledge that shows that you are committed to learning. For example, if you study a foreign language, you may submit that for a Type B credit. Have you brushed up on your math skills lately? Claim a Type B credit.

If you carry a certification that requires 120 CPE credits over 3 years, the math breaks down very easily to just 3.33 hours a month over 36 months. This means that you can clock 1 hour each week and still end up with a surplus! The total sounds like a lot, but it is easily manageable.

Here are some recognized methods for CPE credit.

One of the simplest methods is to install a podcast app on your mobile device and subscribe to some podcasts related to your certification; the podcasts will be ready when you are. There is no need to visit each podcast’s site hunting for what’s new; you can browse from your app. If you listen for as little as 15 minutes a day on 4 days, that is an hour for that week. Webcasts are also available (and most are provided for replay if you cannot attend the live webcast).

Some excellent podcasts include (in no specific order):

PaulDotCom.com “Drunken Security” and “Security Weekly”. http://www.PaulDotCom.com (also available on video at http://securityweekly.com/watch )

BrightTalk: Offering webcasts from notable organizations such as SANS and other reputable InfoSec vendors. https://www.brighttalk.com/

Steve Gibson’s “Security Now!” broadcast on “The Week In Tech” (TWIT). Gibson also makes his entire webcast available in multiple formats, including text transcripts. https://www.grc.com/securitynow.htm

Down the Security Rabbit Hole: http://podcast.wh1t3rabbit.net/

Bank Info Security http://www.bankinfosecurity.com/ - You can achieve InfoSec benefits from this site even if you do not work at a bank.

This is by no means a comprehensive list, so please seek whatever educational avenues work best for you. Most important is to try to go beyond your own area of expertise. Take your weakest topics and focus on strengthening them.

The worst that can happen is that the CPE is rejected, in which case you may appeal the rejection, or that it is “audited”. People shudder when they hear the word “audit”. Will the auditors come to your house with subpoenas and start searching through your closets? No, the audit process is nothing like that at all. It is generally an email notice to which you may respond with further information about the CPE that you submitted. The easiest way to avoid the audit process is to take some notes while you are listening to a presentation. If the podcast offers transcripts or slides, those may be submitted for verification as well.

As you can see, CPE credits are easy to maintain, and, as with doctors, attorneys, and accountants, they help us keep current in our field and advance the maturity of the InfoSec profession.

Bob Covello, CISSP, C|EH

Sandy Tyson, CISSP