Privacy certifications boosted by new regulations

California's new privacy law will affect more than half a million U.S. companies when it goes into effect on January 1, 2020 — and that's just one piece of the evolving privacy landscape. In this discussion with IAPP channels manager Aaron Stevens, we discuss how organizations are being impacted by privacy regulations, the surging popularity of privacy certifications, and how an IAPP privacy certification can help boost your career.

Chris Sienko: Hello, and welcome to another episode of The Cyber Speak with Infosec Institute Podcast. Today's episode is a rebroadcast of a recent webinar entitled Five Ways an IAPP Privacy Certification Can Boost Your Career. Our guest presenter is Aaron Stevens, North American channels manager of the International Association of Privacy Professionals, the IAPP. He'll be in conversation with Jeff Peters, Infosec Institute's product marketing manager of training. Just as a reminder, if you'd like to see the webinar as it unfolds, including presentation slides, you can also find this podcast on our YouTube page by searching Infosec Institute, I-N-F-O-S-E-C Institute, and visiting our YouTube channel. Here, along with moderator Camille Dupuis, IAPP's Aaron Stevens and Infosec's Jeff Peters.

Jeff Peters: Thanks everyone joining us today, whether you're listening to this live or listening to the recorded version. Just really quick, just going to talk about what we're going to be covering in the next 30 or so minutes. I'm going to be chatting with Aaron about: What are the IAPP privacy certifications that are available to you? We're going to talk about how earning those certifications can boost your career in different ways. We're going to talk about which privacy certification is the right fit for different individuals and different careers. And then we'll close out the webinar by taking any question that you guys have about privacy certifications, or training, or anything like that. So I guess to get started, we'll cover a little bit about what the IAPP is, and I'll throw it over to Aaron.

Aaron Stevens: Thanks, Jeff. And good morning to everyone. So the IAPP, as you can see on the slide, we were founded in 2000. Actually, it was a group of general counsel attorneys for a large organization that realized that data, personal data, was going to become more of a legal challenge for them. Fast forward to today, where they're calling data the new oil. So they definitely had some forward thought when they formed our organization. Today, we are the largest privacy association in the world. We represent organizations globally. We have members from 112 different countries. And we are actually getting closer to 45,000 members as we speak.

There have been some new regulations in Europe and soon to be in the United States that have really driven our membership. But to really start, I'd like to cast a wide net because the challenge comes down to the word privacy. Privacy can mean a lot of things to a lot of different people, similar to the word set. Now set has so many different meanings. I'm all set. Game set, match, chess set, China set, TV set. Privacy is similar in that it can mean something different depending on your culture, your background, your generation. What my dad views as privacy is very different than what my children view as privacy due to technology.

Further, I have a friend from India who goes home and everyone asks him what he gets paid, which is a very big cultural difference than that here in the United States. So to really define what we're talking about, we are talking about what individuals expect through the context of law. So for example, when you went to Home Depot many years ago and used your credit card, you fully expected that Home Depot would do everything that they could to keep that information safe. And while it is, we are talking about security in that regard, we are also talking about the information itself. So the bottom line is it really comes down to the context of law and that individual's expectations.

Jeff: Yeah. And I'm wondering where IAPP fits in, in the privacy landscape because obviously privacy is a pretty big issue currently. So I assume there's other organizations that also do privacy certifications. Is that true? Or is IAPP the main player?

Aaron: Actually, today we are the only player. We are the only certified ISOS, internationally recognized ISOS certified certification. So while there are other organizations that are generally training organizations that have privacy training courses, our certification is kind of a gold standard when it comes to the certification in privacy. We are the only internationally recognized privacy association in the world.

Jeff: I know that you have quite a collection of different privacy certifications, but they generally fall into three different buckets, the CIPP, the CIPM, and the CIPT. So could you maybe run down just a little bit of information on what each of those certifications is, and then who they're targeted towards?

Aaron: Absolutely. Happy to. The challenge here is that CIPP is a regional certification, so these listed here are actually four different certifications. They're each their own two-day class. They each come with their own certificate. So if you are based in the United States, for example, generally we recommend the CIPP/US, which is the US private sector. If you're in Canada, we certainly would recommend the CIPP/C, which is the Canadian jurisdiction. And of course, with Europe, the CIPP/E, which is pretty much all the general data protection regulation, or the GDPR that went into effect May of this year.

The Asia course exam is new. But as you can see, we are circling the globe as we grow out our certification program. And these are really focused on the what of privacy and why you need to know it. So we'll be looking at different laws, depending on the jurisdictions. We'll be looking at really a focus and a drill down on what you should be expecting within that jurisdiction. So those are four different certificates. Then we have the CIPM, which is really operationalization, or the how of privacy. So it would be, it's a certification for taking the laws and putting them into effect for your organization, whether it's creating a privacy policy, a privacy program, onboarding employees, onboarding new organizations, vetting vendors, which is probably one of the most important parts of the certification, and as a privacy professional.

The biggest source of breaches has been through vendor mismanagement. And then finally, the CIPT, which is the Certified Information Privacy Technologist. That's the how in relating to technology. Privacy and technology go hand in hand as more and more technology evolves, privacy is trying to keep up. One of the very first articles ever written about invasion of privacy was back in the late 1800s when the first portable camera was developed. So privacy and technology, or at least in general, privacy is always trying to keep up with technology because as technology evolves, we start to lose more and more privacy.

Jeff: I wanted to ask you which of those different certifications is the most popular, or what you're seeing most of your members gravitate towards, and if that's shifted at all over the recent years.

Aaron: That's a great question, Jeff. Yes. So our flagship product was the CIPP/US certification. It was our very first certification and was by far the most, had the most certificants. But with the development with GDPR, general data protection regulation out of Europe, the CIPP/E is quickly catching up to being the most, having the most certificants under that certification. GDPR has scared, and rightly so, a lot of organizations to get smart on privacy as fast as possible, and has in some ways exposed a lot of vulnerabilities for organizations that they are now looking at. So that's a really good question. We do see, depending on the region, spikes here and there, as legislation rolls out. I suspect that when the AB-375, which is a new California online privacy protection act, starts to get closer to going into effect in January of 2020, that we will see a greater number of people taking the CIPP/US certification. And so goings on in the world, I guess is the best way to put it, really drives which certifications are starting to be gone after.

Jeff: One of the things that I noticed that really stood out to me going through some of the IAPP materials and studies that you guys have done is just the overall growing demand for privacy professionals. For example, I believe it was in the annual privacy governance report, there's a lot of good stuff in there. But I guess the big thing is just looking at budget. So the average privacy budget increased from 1.7 million to 2.1 million in 2017, and 55% of your members had expected more growth in their budgets throughout 2018. It seems like there's pretty significant growth there in terms of both budgets and then potential job opportunities.

Aaron: Absolutely. What we're seeing really is the news. The news is helping the privacy office, the compliance office, people in IT, that deal with that see a lot more attention. We've got Cambridge Analytics in the news talking about privacy. We've got the Expedia breach, where people's social security numbers are flying all over the dark web. We've got people that are friends of mine, or colleagues of mine, or people that I used to work with, that are calling me and asking me how they protect themselves. When I first started with the IAPP six years ago, it was really hard to explain what I do. Today, it's not hard to explain at all.

Jeff: There's dozens of privacy laws just in the CIPP/US, so it's obviously important to stay relevant. But I guess the big one that everyone's been talking about this year was the EU's general data protection regulation, which went into effect on May 25, 2018 this year. That seems to be, as you said, the driver of a lot of growth of the CIPP/E. Do you have just any thoughts in general on the GDPR how it's affecting the economy and how it's affecting privacy in general?

Aaron: Well, it's affecting the economy in general in that organizations are having to spend money to deal with it. Microsoft alone set aside $400 million just to deal with GDPR. And yes, Microsoft is a huge organization. But at the end of the day, that's still $400 million. The challenge really comes down to being prepared and doing something about it, or when these data protection authorities, DPAs, start to levy fines. For example, Chevron did an analysis and figured that if they went up against a GDPR ruling, it could be a billion dollar fine to them. Small mom and pop businesses, while chances are that they may be overlooked, if they do something egregious enough, a 20 million euro fine would wipe them out. So the reality is you can't just shrug your shoulders when you have a breach anymore and say, "Oh, well. That's a bummer."

These people, we'll give them a year's worth of credit monitoring and be done. These are real life fines. I suspect that we will see some pretty large fines starting to come against the heavy hitters like, Google and Facebook before the end of the year. And that will give us even more push. As I said, the news really sort of drives our business. So the more that these breaches and these fines start to become in the news, the more people are going to go after our certification program.

Now interesting about the California Consumer Privacy Act is that while it is still a ways away, January 2020, you're still only looking at a year and a half, 18 months. Our certification program will be adjusting as those rules start to materialize. What the rules are today will look very different when it goes into effect. But the challenge there is that I suspect before that goes into effect that the federal government will, because they were pushed by organizations, by companies in the United States, will release their own guidelines, their own privacy act because what will happen is California has set this bar, and other states will want to have their own. This could be a giant headache at the very least for organizations in the United States that would have to comply to each and every state's individual privacy law. So this is a great opportunity for the federal government to come in and set one up and sort of make it sort of a, not a global, but a countrywide privacy act.

Jeff: Yeah. And even if a federal law wasn't enacted, I think it's important to point out that California recently passed the UK to become the world's fifth largest economy. And some of the stats I pulled from you guys' website, it said that IAPP predicted the new law will affect more than half a million US companies just based on all the California residents out there. So even if a federal law wasn't going to be passed, it's still going to be pretty impactful. Half a million companies, that's just in the US. And then you've got all the other companies around the world that could be affected by this law in a couple years.

Aaron: Yeah. I mean, at the end of the day, Jeff, you're right. It's really going to come down to very small regional businesses that won't be affected. And by that I'm talking about trash collection, people that take care of children. But as soon as you start selling something on the internet, you will be affected. So in this economy, people are going to have to start really paying attention to this. And the challenge here is the penalty is per individual violation. So the reality is that if you have a breach, and you lose a million clients' information, that's going to cost you a lot of money.

Jeff: Just this past month there was a $50 million privacy settlement with Hearst Communications. They were selling information to third parties without people's consent. Facebook, as you mentioned, Cambridge Analytica, they were fined the maximum amount by the UK regulator, 500,000 pounds. If that incident would've happened under GDPR, potentially would've been much larger.

Aaron: It would've been horrible. I mean, it would've been really impressive, but it would've been significantly higher.

Jeff: It would've been good for privacy professionals. One thing that really stood out to me looking through some of the data is that more than half of ... This is from a Ponemon study I read from earlier this year. It said, "More than half of CISOs predict that the organization will have a data breach involving 10,000 or more records this year." So those are the people kind of in charge of protecting data, and more than half of them are just expecting that they're going to see a pretty significant breach this year. I thought that was pretty surprising to me.

Aaron: Yeah. And well, I mean, at the end of the day, the thing that I've been hearing in the field is it's not whether or not you're going to have a breach, it's when you realize that you've already had one. These organizations, it's inevitable, so what they really need to do is they need to look at what they've got inside. So security is one thing, but what we're talking about is the data itself, the core information. Why do you have it? What's the purpose of it? If you don't need it, you are creating a bigger risk profile for no good reason.

Jeff: A couple other data points from that Ponemon study, just to stress the importance of privacy professionals and the growing demand, 70% of those CISOs said that a lack of competent in-house staff was their number one concern. And 65% said that inadequate in-house expertise was the top reason they're likely to have a data breach. So it just really goes to show how a privacy certification and becoming a privacy professional really seems to me to be quite in demand from some of these studies that I'm reading.

Aaron: That's what we're seeing too.

Jeff: If you get certified with CIPP, for example, US, you become an IAPP member for a year, so you get the IAPP membership and all those benefits. I was just wondering if you could talk a little bit about how the IAPP membership works and what they get out of that.

Aaron: Well, absolutely. And that's a really good part of this because not only is this a certification program where you get a certification, but you also get the membership, complimentary membership for a year. And our foundation, we are built as a membership driven organization, so we are constantly rolling out white papers, we have events globally. We have one in California, well, actually, it's in Austin this year, one in DC, Toronto, London, Brussels, Singapore. And we just added Germany and France. So we are constantly bringing people together. We are always talking about the best new practices, the new technologies, things that are happening in the world because it affects everyone. I mean, we are moving further and further into a global economy.

We have webinars. Ultimately, the bottom line is that we are a continual source of information, templates, things that go well beyond just the training itself. And I think that's really where the rubber hits the road for our certification program versus anything else that's out there on the market. We will continually bombard you with information if you let us, and to keep you up to speed, because as I've said, we are, privacy is trying to keep up with technology and technology is constantly evolving. So to sit down take your certification, that's great. It's a great first step. But the reality is if you want to stay ahead of the game and really matter, it's always good to keep that information coming in. At the very least, read what's going on in the privacy world.

Jeff: Yeah. And we mentioned how in demand privacy professionals are. But even with that demand, a lot of studies have shown that as many as 85% of jobs are filled via networking, so that's one of the benefits you get with IAPP membership, also with training with InfoSec Institute, you get access to our growing alumni community. You get a chance to network with your peers, connect with decision makers. In addition, we have different Facebook study groups and groups on LinkedIn and the network that can help you with your certification questions, talk about exam updates, changes, all the things that kind of relate to the training side. So that's one benefit of training with InfoSec Institute as well.

Moving on to the last point, probably the one our viewers care about most, is that getting an IAPP certification can increase your salary. The numbers that I saw on your guys' website said that individuals with one IAPP certification earn on average $25,000 more per year than their peers, and individuals with multiple IAPP certifications earn $35,000 more. So that seems like a pretty significant boost for people who become privacy professionals.

Aaron: Yeah. I mean, at the end of the day, Jeff, it's a differentiator. I mean, I had been working the booth at the RSA conference in San Francisco many years. And one, in the beginning, this gentleman came to me and was talking about how he wanted to apply for a job at Twitter, and was sort of interested in understanding our certification program. We were giving out the CIPP/US books at the time. So he took one, and he came back to me the next year saying that he had gotten certified. And then he went into Twitter, and in the four interviews that he had had with them, it was the only thing people asked about, that he had all the checked boxes for his CISSP, and different certifications, the same experience as a lot of the other applicants. But this certification was a differentiator. And he swore up and down that it was weird the first time he was asked, and by the fourth interview, he expected it to come. So he swears that it was a differentiator and helped him get the job.

At the end of the day, yes, we are a 45,000 member organization. We're still not that big. I mean, we're still evolving and we are still moving into the mainstream. It helps a lot that people are talking about privacy in the news. But the reality is, people that get certified even today are still ... I wouldn't consider them early adopters, but certainly on the early end. It's definitely worth taking a look at.

Jeff: Yeah. Another interesting stat I found looking at you guys' materials is that nine out of 10 privacy professionals came to privacy from another job, for example, from the legal field. That seems like a pretty high percentage for people coming over to the privacy side compared to other industries, I would imagine.

Aaron: Yeah. Well, so there's actually a lot to that. There are people that work for small companies that basically the boss came to them and said, "You do IT security, you're now in charge of privacy." Or, "You do HR, you're also now in charge of privacy," or it's sort of forced upon them. But there are also a lot of people that get into it because it's kind of interesting. I mean, in a world of compliance, which can be moderately dull, this is ever evolving, and can keep people interested. That's why we always offer up our membership with this to keep you moving down the road and keeping the information flowing. But the reality is that this is actually more of a female dominated line of work. In our office alone, I would say 65% to 70% of the people at the IAPP are female. And it was recognized as an equal pay profession. So it's really, I would say, cutting edge on a lot of different levels.

Jeff: Yeah. If we could move on now, I'd like to just really briefly talk about which IAPP certification is going to be right for different individuals. That's probably a question a lot of people who are listening to this are wondering, which one they should take. Just wondering if you have any advice on where people should start in terms of, I don't know if you can break it up by job field, or by where they should start just researching the different ones, or any advice you can give on the different certifications.

Aaron: Sure. That's kind of a hard question to answer because it really comes down to where you are. So if you're in the United States, or Canada, or Europe, who you do business with, where they are, whether it's Europe, or United States, or Canada, or Asia, or your job role. So if you're a technologist, we always assume, for example, that most of the people at Intel would take the CIPT. The reality is that most of them actually take the CIPP/US because they want to get more understanding of the law and the jurisdictional part to privacy, versus the operationalization and technology. But then again, we also see a lot of lawyers taking CIPT when they work for a technology company because they want to understand what the technologists are saying to them. The language of law and technology are vastly different. So this has sort of been a crossover for people.

And we honestly never expected compliance and legal people to take the CIPT. This was really originally designed for technologists, people in security, to take privacy and talk about privacy by design. And by that, I'm talking about where you have, you're white boarding a product, for example, and you're cooking privacy into it from the very beginning. The challenge really has come down to compliance, where before, and I'm sure this is getting less and less today, but when organizations would create a new product line and get all the way to just before release, and go to the compliance officer and say, "Hey, we're ready to go. Just check this box and we'll release it."

And they would look at it and say, "This is riddled with privacy challenges that we can't release it." So their return on investment was getting people that are understanding it as a privacy enough to at the very least raise their hand and say, "Hey, we really should check with compliance well before we go to just right before we release to the market." So I would love to tell you, if you're in technology, take the CIPT. If you're in management, take the CIPM. If you live in, I don't know, Florida, take the CIPP/US. But it really depends on the business model of your organization, where you're located, what you're looking at, the customer base you're dealing with. And there is no one single answer. And that's why we actually see so many people get more than one certificate.

Jeff: So those of you out there wondering how to get an IAPP certification, one of the ways is through InfoSec Institute. InfoSec Institute is an official training partner of the IAPP. One of the things that we really pride ourself on is that we offer flexible training solutions, so you can train when, where, and how you want. We do have flex classroom trainings, which are public training bootcamps held nationwide. We have our flex basic training, which is self paced, computer based training. We have flex enterprise, where if your whole team needs IAPP certification, we can come to you and we can tailor it to your organization. And then we have flex pro, which is our most popular format. So with that, you can basically attend our award-winning training from anywhere. You can do it from your office. You can do it from your home. You get the live instruction. You get the interaction.

Plus, you get a lot of the really cool features that come with our flex pro training. For example, the lessons are recorded, so if you want to go back and revisit them the next day to help prepare for your exam, you can do that. You get detailed reporting on your exam readiness, all sorts of fun stuff like that. But probably the thing that students like you like best about InfoSec Institute is that we have an exam pass guarantee. So what that means is if you don't pass your IAPP exam on the first attempt, you'll get a second attempt for free. So if for whatever reason, maybe you just had a bad day, or maybe the exam was a bit harder than you thought it was going to be, you actually have the ability to come, reset the course for up to a year, retake the exam when you're ready. So that gives a lot of people peace of mind. If they're going to invest in training for an IAPP certification, they have that exam pass guarantee. And that's one of the big differentiators at InfoSec.

Camille Dupuis: Thank you, Aaron and Jeff, for a really informative session today. It's just so interesting how privacy really does affect anyone and everyone, especially with the recent huge numbers of breaches and things like that. So we'll move on here. We have time for just a couple of questions. And if we don't answer your question on air here, we will go ahead and get back to you for sure. We have a question from Spencer. How many questions are on the exam? Aaron, I think you might want to talk about this. So he's wondering: How long is the exam? How many questions? Maybe a little more detail, if you can give us any.

Aaron: Sure. Spencer, that's a great question. So the exams are 85 to 90 questions. And 70 to 75 of them are scored, meaning that we have some test questions that we put into it as we roll out our certs. The exams themselves are all two hours, 120 minutes. And the best way, I know that this is going to sound crazy, but it happens, the best way to study after the course is to actually read the textbook.

Camille: Quite the answer for that one, read the textbook.

Aaron: Always good advice.

Camille: Good advice. Thank you, Aaron. So hopefully, Spencer, that'll give you an idea of what to expect if you sit for the exam. Another question here. What sectors, Aaron, would you say are most interested in these certifications? I know we briefly touched on it, that there's really not a direct answer of what course you should take, who would take that course. But do you have any thoughts on that of who really is it? Is it mainly IT people that you would say sign up for these?

Aaron: No. And so the sector question, it's kind of different because our membership ranges from obviously Facebook, Microsoft and Google, to energy companies, Chevron and the like. But we also have financial businesses, Bank of America, Chase. In fact, if you check out our website, you can look at our corporate membership. And our sectors cross every single boundary. I mean, the reality is unless the organization is not holding personal data, which doesn't just have to be customer data, by the way, it is employee data that applies, then we are a reason to have a certification. So all sectors, all businesses, we apply.

As far as job title, gosh, when I first started, it was 40% legal and compliance. And I would say that has dramatically changed as our certifications have evolved and attracted people in different business units within that organization, but also depending on what the C suite, or CEO, or whomever, the leadership of the organization, deems important. At the end of the day, what's the downside of having a privacy certification in your group? It's only going to help the organization protect themselves. So while I'd love to point in one direction or another on, these are the people that need to get certified, the bottom line is that in every business unit, somebody, at least one person should be certified so that people can know enough to say, "Hey, wait a second. This seems like this could be an issue. We should really talk to the compliance officer."

Camille: Looks like we have one more question, Aaron. What languages are available on the exam?

Aaron: Oh, that is a good question. So we have French, German, English, obviously. I think we have Italian rolling out. And they are working on some form of Mandarin, but I'm not sure which that is. And I think those are a year or so out.

Camille: Wrapping up here, just want to thank everyone for joining us today. We have a special offer. We want to thank everyone for learning with us today and participating. So if you are ready to enroll in a course, in a bootcamp with InfoSec Institute, and you sign up by August 31st, we'd like to give you a special offer, and you will save $200, so great deal there. Go ahead and mention that to the sales rep when you are signing up. Happy to give you that offer. Want to thank Aaron and Jeff for a great session today. We really appreciate it, and thank everyone for participating with us today.

Chris: Thank you for listening to this week's episode. If you'd like to hear more, please subscribe to Cyber Speak with InfoSec Institute in your podcast grabber of choice. Many of these episodes are also available as videos. Just go to YouTube and type in InfoSec Institute, I-N-F-O-S-E-C, to find our page. If you'd like to read more about a variety of InfoSec security topics, please visit for thousands of articles, certification tutorials, labs, videos and more. Thanks again to Aaron Stevens of the IAPP and Jeff Peters of Infosec Institute for today's presentation. And we will talk to you again next week.
