Privacy is shaping the future of cybersecurity careers: Are you ready?

Chris Sienko: Hello and welcome to another episode of the Cyber Work with Infosec podcast, the weekly podcast in which I talk to a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, and offer tips for those trying to break in or move up the ladder in the cybersecurity industry. Today's episode is a webinar posted on August 21st and entitled "Privacy is shaping the future of cybersecurity careers: "Are you ready?" Moderator Hunter Reed speaks with IAPP Channel Sales Manager for North America, Byron Johnson, as well as Infosec's Product Marketing Manager, Training, Jeff Peters, about our shifting understanding of the concept of privacy as it regards to data and how it is used and protected or not by large companies. In today's webinar, Byron and Jeff discuss how privacy is changing cybersecurity, privacy skills and how they apply to different cybersecurity roles, the future of online privacy and data protection laws, and will also answer privacy certification and career questions from live viewers of the webinar. To help you accelerate your cybersecurity studies, Infosec is giving away a free month of the Infosec Skills platform as part of National Cybersecurity Awareness Month. Just go to infosecinstitute.com/podcast, and use the start learning link to sign up for your free month of skills. But be sure to sign up for your free month before October 31st. And now let's listen to IAPP's Byron Johnson and Infosec's Jeff Peters along with moderator Hunter Reed in their webinar "Privacy is shaping the future of cybersecurity careers: "Are you ready?"

Hunter Reed: All right, thanks for joining us on today's webinar, "Privacy is shaping the future of cybersecurity careers: "Are you ready?" My name is Hunter Reed and I will be helping moderate today's webinar. We're excited to have Byron Johnson, IAPP Channel Sales Manager for North America, here with us today. In his role as Channel Sales Manager for North America at the IAPP, Byron Johnson manages the official training partner network in the US, Canada, and Caribbean. Byron works to grow and enable official training partners to extend the reach of the IAPP, delivering IAPP training and certification as part of their core competencies. He works with consultancies, law firms, professional training schools, and privacy-focused companies like InfoSec to further the IAPP's mission to define, support, and improve privacy globally. He is also joined by Jeff Peters, Infosec's Product Marketing Manager for training, including IAPP certifications. Jeff, why don't you take it away?

Jeff Peters: Yeah, thanks Hunter, glad to be here, and thank you guys all for attending this webinar. So I'm Jeff Peters, as Hunter said, I am the Product Marketing Manager for Infosec's training and certifications, and we started working with IAPP about 15 months ago, offering their different privacy search that they offer. So today what you can expect in this webinar, Byron's gonna be talking about a little background on who the IAPP is within the privacy landscape, and then we're gonna switch gears, talk a little bit about how the cybersecurity role is changing, and kind of the new era of cybersecurity professional, and in particular how that plays into privacy. We'll talk a little bit about the regulations and how those are affecting cybersecurity roles and jobs, then we'll talk a little bit about the different IAPP certifications out there, and if they're a good fit for you in your career, and then at the end we'll have a Q and A. So if you have any questions, feel free to post them in the chat. We could also answer questions throughout the webinar, so if anything pops up that you would like us to discuss, feel free to drop it there in the chat, and Hunter'll be monitoring that for us. Well with that, I'll throw it over to Byron to give us a little background on the IAPP.

Byron Johnson: Thanks Jeff. Byron Johnson here again from the IAPP. I hope everyone's doing well. I just wanted to tell you a little bit about the IAPP. We are the big tent for privacy pros globally, offering information and community surrounding our common space of privacy. We have over 50,000 members representing over a hundred countries, with our membership more than doubling within 20 months thanks to privacy regulation. We offer our members original content from our awesome publications team, and industry analysis from our Westin Research Center. We are a not-for-profit, non-advocacy association, having launched and developed the only globally recognized credential program in information privacy. Our certifications and training play a key role in the maintenance and professionalization of the privacy field, now more than ever with our sole mission to define, support, and improve privacy globally. Thank you so much for being here. Thanks again, Infosec Institute, and happy to be able to share with you. Let's get right into it. So the privacy landscape, you guys have probably all heard of it. It's been in the news lately. Privacy is one of the most important and rapidly expanding and changing fields in the world today. Increasingly most aspects of daily life involve the often unwitting collection of communication and use of personal data. My buddy, for example, just got a refrigerator that now can track and make suggestions on when he might run out of milk. It's a pretty interesting time out there. As personal data are generated and collected more widely, and are far more revealing, governments are challenged to determine the proper limits and regulatory structures to enforce those limits. We've seen that already with the EU, and coming regulation that I'll talk about more, CCPA and beyond, while businesses and other data users now must determine how to comply with those emerging rules, often in the context of new technologies and unclear norms, like that refrigerator. Okay, so new privacy regulation like again GDPR and CCPA, they limit what companies are able to store, process, collect, and share for personal information. We are in the age of a data economy. Last year, for example, data surpassed oil as the world's most valuable commodity. Businesses want data because it has value. It helps them sell more, in many cases data is the business. Privacy regulation is the result of unauthorized access to this data, and being protected in new ways that consumers are starting to expect, and business is still trying to understand. So what can you do and can't you do with personal data? You can, should, and will have to protect your employee and customer personal data with current and impending regulation, here and abroad. I'm sure you are doing this now in your roles as cybersecurity and information security professionals. Covered extensively in our CIPT certification, that I'll review in detail a little bit later, privacy by design is the idea that you need to bake privacy into the early stages of IT products and services for cost control, accuracy, and speed to market. Using this concept to help choose vendors or processes will help protect you from the beginning. You should also be making the quote unquote trip across the hall to work directly with the early adopters of privacy in your work. There will be people who are working on compliance, will from a legal standpoint and a GRC standpoint, maybe seek them out and try to do your job there, helping privacy along and helping that culture shift. Data privacy is no longer just a legal issue. The issue no longer sits with lawyers, or governance, risk, and compliance folks; your role in cybersecurity will be greatly affected by this regulation. The can'ts, for example, you can't store personal information for longer than needed, you can't share data with third party collectors or processors without the right controls in place to limit their ability to identify specific persons from that information, and you definitely can not sell personal information, as I'm sure you've heard throughout the breach kind of culture we've gotten into here, without the explicit consent from your customer or employee. These new controls around personal data, though not yet commonplace, will drastically change the way you operate on a daily basis. Your role in cybersecurity is about to change. Jeff, tell us a little bit about that.

Jeff: Yeah, I wanted to talk just a little bit about how the overall cybersecurity landscape is changing. I started here at Infosec a little over a year ago, and one of the things I've really been digging into a lot is the skills gap. Before I was at Infosec, I worked at a cyber threat intelligence company for about five years, so I've been in this space for a little bit, and one of the challenges that is really, even going back to when I first started five, ten years ago, is this skills gap. I think we've been seeing more and more people talk about it. For example, ISC Squared, they released their workforce study last October, November, and revised their number of on-field cybersecurity jobs to three million, with half a million here in North America. The pace of learning is really increasing, slowly, but it is going up, and that's one of the things we're focused on here at Infosec, is training and certifications, but the pace of technology is outpacing that. So we're getting this gap and it seems to be growing and getting worse. And I think privacy is a big part of that, you know, obviously we had GDPR just a couple years ago, and now we've got CCPA coming. So one of the other things that's been written about quite a bit is this two year half life for all skills really, but particularly tech skills, especially thinking in terms of privacy, you know, you might have finally learned all the privacy skills that you need a couple years ago with GDPR, but two years later, half of those skills may be out of date or irrelevant because there's new laws and new regulations. So yeah, that's obviously one of the challenges here, and that's one of the things that we're really trying to address as a company, and with our various partners like IAPP that we work with. Yeah, on the next slide here, one of the interesting things we did, at the start of the year, we surveyed all of our alumni and people who've taken training with us, and we put together our 2019 cybersecurity industry report, and it was the first time I have been involved in a survey like that, so I was actually kind of surprised with the findings. One of the big things that we found was that 62% of Infosec professionals reported that they did not have clear career paths, and I guess it's important to note that of the people we surveyed, I think about nearly 80% had a bachelor's degree, something like 60% had at least five years experience, so it's not like we were talking to entry level people here, we were talking to people who've been in the field for quite a while, and those people who were unsure of their career paths, more than a third of them were not confident in their career goals, and we had a few other findings along those lines. One of the positive things is that 60% of Infosec pros are spending at least a few hours a week learning new skills, and nearly all of them were spending at least a few hours a month, so it's clear that Infosec professionals need to learn new skills including privacy. But I think the big takeaway that I got from that, in addition just going to local events and talking to people who attend our webinars and stuff, is that there's really not a clear path forward in terms of cybersecurity progression in careers, and where you are now and where you should be a year from now, two years from now, and I think a lot of that's due to the murkiness around privacy, and I think one of the things going forward is if we can really build up your privacy skills, I think that's one potential path that I think is gonna become more and more important going forward. So yeah, if you're one of those people who was maybe confused about your career path, or are you a little uncertain about your career goals, just looking at the news and the people I'm talking to and working with Byron at IAPP, I think privacy is probably a skill that you wanna definitely add to your toolset no matter where you are in cybersecurity. But then there's also a lot of really privacy focused positions that are opening up. So yeah, with that I'll pass it back over to you, Byron.

Hunter: Yeah, so we have a question here that says, "On the topic of cyber skills gap, "the more fundamental question is what are security "slash business risk resource requirements?"

Jeff: Sure, yeah, so one of the things that we're working on here at InfoSec is we have our Infosec Skills platform, and one of the things that's on our roadmap to build is our assessments, 'cause I think, really, and hopefully this answers your question is you really have to understand those risks and get an enterprise-wide look of your skills gap, is what we're hearing from the organizations and the analysts that we're talking to. So when you're talking about addressing your skills gap, there's a lot of stuff about individuals out there, but I think as a organization, you need to look at being able to test and assess your whole cybersecurity team, your whole IT team, and then your whole organization, and that's kind of how Infosec is built. We have our phishing platform for the whole organization, we have our skills training for the IT team, and then we have our certification training for those more hardcore security folks. So that's really the path that we see forward, is really having that assessment and understanding of your skills gap, and really using the data to help address the risks within your organization, and that's how I think we want to approach it going forward, and the enterprise organizations that we work with, that seems to be what they're asking from us.

Hunter: Awesome, looks like that answered their question. All right, and we're gonna move onto Byron.

Byron: Yeah, great points Jeff, thanks, and I wanted to add there, awareness training is a great place to start. It might get you and your team kind of thinking about the questions that you should start asking as you look into what's next for you, whether it be privacy or infosec, cybersec-focused. That might be a way to figure out what's coming next and also what might be interesting to you in your career, and then also how you might be able to help your teams. InfoSec's got some great resources there. Back to privacy here, so how is privacy changing cybersecurity? Our partner, TRUE Staffing, who places individuals in many of the roles now asking for privacy prowess, advises that for professionals in either security, governance, or risk, privacy experience has now become a clear silo of expertise that is desired, if not required, for consultants, advisors, managers, and operators of technology or controls. In other words, you may not need to be privacy policy experts, but any cybersec, infosec professional absolutely should expect to have privacy touch their job requirements meaningfully. Settlements strengthen the argument that privacy is now more than ever a high profile business issue for organizations. This should mean that privacy offices will receive larger budgets, potentially leading to additional hires to help companies ensure regulatory compliance. So the IAPP certifications can definitely help with that, and are actually now being asked by name. Another quote here, "Hiring managers "almost always ask for CIPP certification holders." I'll go over the CIPP certification and the other ones that we offer in a little bit here. And having a CIPP/US or E, the USA or euro laws and regulations, coupled with that CIPM, the managerial side, almost guarantees a candidate's resume will have greater consideration than a candidate who does not have these certifications. So that's huge for us to hear from organizations that are placing these people in these first privacy roles, as they kind of hit the US here. The best way for hiring managers to mitigate risk within their organization is to establish a solid privacy and data governance program. Companies are doing this by training up their teams. Changing your mindset from an information security focused one to an information privacy focused one is a challenge, but the IAPP and InfoSec is here to help. In today's global information economy, getting privacy right has emerged as one of the biggest risk factors for most organizations, as well as a potential competitive advantage. In a recent IAPP study of the disclosure statements of more than 100 publicly traded companies, quote, "Losing customers' or employees' "personally identified information," PIIs we call it, "ranks first among disclosed information related risks." So to this end, the IAPP has taken significant steps to start educating tomorrow's privacy leaders. We're actually exploring partnerships with educational institutions to start teaching privacy in classrooms, so the next CISSP is ready to protect their networks as well as their customers' information. I would compare today's privacy landscape to the pre-DoD 8140 and 8570 directives of the early 2000s. Those two lists were created to provide guidance for training and certification, right? There was a very real possibility that underqualified workers performing critical cyber functions poorly could greatly impact our economy, the wellbeing of our companies, and of course damage the lives of our consumers. The IAPP is working hard to professionalize the privacy field, as yours was not too long ago. We're just a couple years behind. This is hitting the US now. It's brand new to us, meanwhile the EU has been dealing with privacy regulation and kind of a culture for like 30 to 40 years. So this is gonna be new, it is gonna be a little bit weird, but this regulation will affect you, and the IAPP is trying to validate privacy using all of the resources that we have. So 2018 was a big year for the IAPP. We were assured GDPR, the EU's sweeping privacy regulation, was going to have a significant effect on the world. But when we saw membership double within 20 months, we knew we were going to see the same here in the US. 15 states, that number changes every day, already have proposed comprehensive privacy laws. With CCPA, as everyone's heard, the California Consumer Privacy Act, enforcement's starting 1/1 of 2020. That's only a couple of months away. Your counterparts in Europe, as I mentioned, with 30 or 40 years of experience here, have and continue to train and certify in privacy. Our EU market absolutely exploded, with your field well-represented. The Ponemon Institute actually conducted a study via questionnaire, 29,000 questionnaires, with the findings that the technology sector, and those that support the vertical, were among the first adopters of GDPR. Why is that, you may ask? Regulation affects cybersecurity. Comprehensive changes needed to be made in business practice that started with you, the cybersec, infosec people, the people in charge of protecting and controlling the flow of data within and outside the walls of your organization. You would probably agree a basic goal of cybersecurity is to control access to information, so that it doesn't suffer unauthorized exposure, right? One goal of privacy regulation on the other hand, is to influence the way in which unauthorized exposure is defined with respect to personal information, so the information of our consumers and employees, and then spell out the consequences for organizations when they permit such exposure to occur. So in this information economy, all employees, regardless of where they sit in an organization, who come in contact with data, whether that be sales or marketing, or even cybersec, IT, infosec, they have to be knowledgeable, they have to be aware at a minimum for what they can and can not do with data, before a costly mistake happens. Our courses, the IAPP's courses, delivered by Infosec, can actually give you the frameworks and privacy responsibilities for all IT professionals to protect in this new medium. To kind of go over what we do offer, our courses help you prepare for certification in our three ANSI/ISO accredited privacy designation options. So as the IAPP works to professionalize privacy, our certifications are already pretty legit, ANSI/ISO accredited. While not purely test prep courses, this training is appropriate for professionals who plan to certify, as well as those who want to deepen their privacy knowledge. So this might be a good place to start for those that might not yet know of a program internally that your organization's already working toward a privacy function for. Each targets a different part of a business function as it relates to privacy. So our CIPP, for example, is the global standard for the go-to person for privacy laws, regulations, and frameworks. Now this one is really for the person putting privacy law and policy to work. You very well may encounter this privacy champion as your org adopts a privacy framework of its own. I highly recommend to you specifically our CIPM designation, which will give you the detail you need to operationalize privacy, work with your privacy team, and provide value from your seat in cybersec, infosec. You can help promote compliance and the necessary culture shift with the information in this training and certification. It might be a good place to start. Also very relevant to you and your teams, the CIPT designation. Regulators worldwide are calling for tech professionals to factor data privacy into their products and services. The job market for privacy trained IT pros has never been stronger. Great value can come from the training, which covers how to communicate privacy issues with partners such as management, development, marketing, and legal, some of the places, the business that we might all come into contact with. The sections factoring privacy into data classification and emerging tech can be a subject quick value turnaround for you in your everyday functions. Those are things that you might be dealing with today. So get yourself plugged into the information economy, now that technology pros like you can take privacy knowledge and your career to a higher level with Infosec. Jeff, after you.

Jeff: Yeah, you've brought up the CCPA, and just in case the people listening aren't aware, with your registration you should've gotten a link to the free CCPA ebook that we did. We did a different webinar, I think back in February with Sentinel, and we had some really good guests on there who really got into the minutiae of the CCPA, so if you really wanna dig deep into all that kind of stuff, that ebook's a good start, and then we also have that other webinar. But yeah, in terms of IAPP training, like I mentioned, we started working with IAPP I think about 15 or so months ago, and at that time we added a lot of new certifications, not just, excuse me, not just IAPP ones but other, if you're at all familiar with the landscape, you know that there's tons of new certifications that get released and everyone's always trying to kind of build out these new ones. But the IAPP ones definitely from our perspective have really grown and we've seen quite a few enrollments over the past 15 months with those. So yeah, just a little bit about our training, if you're unfamiliar with Infosec, the primary way to get certified is with our Infosec Flex boot camps. So the IAPP certification boot camps, we have two day boot camps, but then if you wanna get more than one certification, we also have four day boot camps where you could get, for example, CIPP/US and CIPM, as Byron was talking about, or we even have a six day boot camp if you want to hit the holy trifecta and get the CIPP/US, the CIPM, and the CIPT. So with our boot camps, they're livestreamed, so you can either attend a classroom in person or you can use our Zoom integration, watch it from your home, interact with your instructors, things like that. And then another benefit that people really like about our boot camps is our exam pass guarantee. So if you take an IAPP boot camp, like say you wanna get your CIPP/US for example, and then you go ahead and you take the exam and you fail, well, we'll give you a second exam voucher to retake the exam, and we'll even let you resit the course. We definitely wanna make sure that you're successful if you take one of our boot camps. And then another thing just to mention, we are a, as Byron said, we work with IAPP, we are a partner of theirs, and we're really trying to help them grow these certifications. I think now we'll probably switch over, see if there's any questions from you guys or anyone in the audience.

Hunter: So we're having a lot of questions about certifications, it looks like. So Miguel wants to know, he already has the HCISPP from ISC Squared. How does that compare to other certs?

Jeff: Yeah, that's not a certification that we offer at Infosec, so I'm not very familiar with that one in particular. I don't if you have any insight into that at all, Byron, in terms of how they compare to the IAPP certifications?

Byron: Not really, I assume it's pretty close to our CIPT, but from a security standpoint. I also wouldn't feel comfortable saying much on it, just I'm not a pro on that. But it might be a good starting point. If you found that having value, it might be a good starting point to see what else makes sense, both from a privacy standpoint and other cybersecurity certifications. Certifications in general are great for you. You're gaining knowledge that will benefit your organization, increasing your salary, or improving your chances of promotion. There's no real terrible reason to get certified, so if you're thinking about it, I certainly would, or at least take the training, and then you can make that decision for yourself. You also enter a community of fellow professionals, and peer networking opportunities, so you may be able to ask your peers if that's a good option for you. And definitely look into what InfoSec has for that community as well.

Jeff: Yeah, and I was just gonna follow up. Yeah, I know I didn't really get a chance to address your question in particular, but if you do go to our website, whether it's the CIPT bootcamp or the CIPM bootcamp, we do have an outline of the whole two days of talking of all the different major subjects that you're gonna cover, as well as you could go to IAPP's website, and I'm sure you can see the exam domains, and our course is designed to prepare you for that exam, so if you wanna do a little research, you could either go to the InfoSec website or the IAPP website, and look at our course details or look at the domains and see how they compare to that other cert if you wanna get into the nitty-gritty with that.

Byron: Yep, you can look at exactly the body of knowledge which both the training and certification exam are based on.

Hunter: Cool, and we have a question here from Medusu, what are the requirements for each of these IAPP certifications?

Byron: Again, definitely touch base with the website, but the trainings as we offer them are two days each. The boot camp model that Infosec offers has a different take on it. They bake in some value that the IAPP doesn't directly, so it's a great place to start. I would say, starting with the CIPM might be a great place to kind of understand where privacy is from a larger picture. The CIPP/US goes deep into the laws and regulations, and it might seem a little bit dry to someone who's making that jump from cybersec, infosec. So check out the CIPM, definitely go to that body of knowledge. That might be the best place to see what topics are covered. If you're looking for more of the technologist's standpoint, the CIPT goes over privacy risk models and frameworks, value-sensitive design, privacy responsibilities of the IT professional, software security in relation to privacy, data-oriented strategies, I could go on and on. Definitely look at what hits home for you. Obviously you wanna be able to take this information and do something with it, so something that you're gonna be more prone to enjoy might be a good place to start.

Jeff: Yeah, and just to follow up, I would say for our boot camps there's not any specific prerequirements that you need to meet in order to attend any of those. I think you'd probably be able to attend any of them, and potentially be successful in passing the exam, but obviously, like with CIPM, that body of knowledge is about privacy program governance, and the privacy program operational lifecycle, so if that's not going to be directly applicable to your job duties in some way, it might be a little more difficult to understand the real world experience. I mean obviously anyone can probably study hard enough and do a decent job with the exam, but the more it applies to your real world experience, probably the better. So yeah, I would recommend looking at the three and seeing which probably ties closest to your job role. That's personally how I would go about it if you're looking at obtaining one of these, 'cause that's probably obviously the most beneficial way to do it.

Hunter: Jeff, you may have just answered that, but I have a few questions coming in about people just entering the privacy sector, starting as a novice. What role can certifications play with that, and where can people start, I guess?

Byron: I can take this one. So certifying is kind of your second option. I would definitely look at training, and specifically instructor-led. The instructor can really provide a perspective that's helpful to you. If you're able to tell the instructor a little bit about where you're coming from, what you've dealt with in the past, where your career has gone and where you hope it goes, they might be able to tie some of the privacy frameworks and ideas to things that you've already kind of come into touch with. The real thing here is taking a step into training. That's where awareness training might be a great option, where you don't necessarily have to certify. That is definitely the best way to have that information make a real impact, like I was saying before. The salary increase alone is usually the driver there for most people, including myself. But it gets you closer to something that's going to be huge. I mean, the EU's business practices have completely changed from GDPR, and they started with a culture of privacy. At a restaurant, they bring a credit card scanner right to you; they don't disappear with your credit card for 15 minutes. So learning about how privacy is and will affect business from here on out using this training and certification, certification makes the most sense from a bang for you buck type of thing. It's four letters, you get to, or five, that you get to add to your name saying that you are a professional, and you know what you're talking about, and you've done the work to pass an exam. It's not easy. It's a step in the right direction to start training and see if it really connects with what you like and enjoy.

Jeff: Yeah, and I would just second what Byron said. You don't even necessarily have to get the certification. If you're just looking for a place to start studying, we actually, one of our Infosec instructors, actually even suggested that people who are new to cybersecurity start with the CISSP, which is typically one of the most advanced ones, certifications that's available out there. Not that you're gonna try to earn the CISSP right away, but you can look at all the domains, and you can kind of get an idea of, 'cause that's one of those certifications that's described as a mile wide and an inch deep. So you can get kind of a good view of where you could be in five years or ten years down the road in your career. And I think you can do the same thing with the IAPP certifications. If you're just looking to kind of get a feel for if it's something that you would like, you could look at the domains, the different bodies of knowledge, go to the Infosec website, see what you're gonna learn, and just kind of explore those on your own. Another thing that Byron said though is with training I think the biggest thing, the biggest feedback that we get on our training is our instructors. It's one thing, I mean, you can train for any certification, go on YouTube, do self study, and a lot of people do that and do it fine, but the benefit of having a professional with a decade of experience, being able to share stories with your classmates, see how other organizations are approaching it, be able to ask questions, that's I think where a big bulk of the value comes from in terms of the boot camp experience. But yeah, if you're looking just to break into cybersecurity, that's a question we're trying to solve with a lot of enterprises that we work with, and there's a lot of different ways to do that, and a lot of other entry level cybersecurity certifications like CompTIA that you could take in addition to the IAPP stuff, so you can kind of build up your other technology skills and then supplement that with some good IAPP certifications to get that privacy foundation. And it might actually be interesting to see how that plays out going forward. With privacy becoming stronger going forward, I think a lot of people have come at privacy backwards, where it's like they're a cybersecurity expert, and now they're trying to catch up on their privacy, so it'd be interesting to see some of these new people in the cybersecurity, if they kind of come up with privacy and that's sort of the foundation that they're building their cybersecurity skills on, kind of a flip of, I think, of what we've been doing. That could be potentially a big differentiator as you progress in your career. So just something to think about.

Hunter: All right, so I think we have time for about two more questions. Max is wondering about the CCPA and how that's gonna affect other states. I know that California's one of the first states in the US to introduce these privacy policies. How is it gonna affect other states?

Byron: Yeah, great question. You know, this is my own opinion on this, just being on the sales side of things, I wouldn't wanna give you any information that you might run with from the legal standpoint or compliance standpoint. But the way I and some of my colleagues at the IAPP look at it, CCPA is the start of this experimentation here in the US. I think what we'll see is states choosing their version and edition of CCPA and GDPR, and doing it in their own way, and then possibly the federal government looking at this, you know, the guinea pig states, to figure out what they're gonna do federally. That's looking pretty far out. We don't have anything telling us there's gonna be something federal right now, but that's kind of how it's gone in the past with these types of compliance regulations that come through. CCPA is definitely the start of something that's not gonna disappear again, 15 to 16 states already having comprehensive privacy laws. Some are starting small, like Maine that was looking at internet security, and we've had things like COPA for a while where we're protecting our children's data, but now it's bigger. We are dumping data into companies without really any regard, and we really don't understand what we're sharing with them until it comes out in the news, some of these breaches where people are being followed through the internet via cookies. Now it's commonplace to have a cookie notification on a website, but this is just the start. CCPA is just going to be one version of what we're gonna see for privacy policy. I think each state is, again, just gonna have their own version, and then depending on who's in office, federally we might see something that is a combination or a parsing of each of those different states, maybe whoever had the most success. Hopefully that helps, I know it's not super detailed, but the IAPP has tons of resources on the CCPA to tell you what it is exactly. It's kind of changing every day right now with amendments and addendums coming in and out. That time has almost closed; I think it's the 31st of August that they have to finalize the law, and then we'll see the first version of that, and then maybe Nevada'll take it in a different way, and Washington State'll take it in a little bit different way. So hopefully that helps. Definitely keep an eye on the news; it'll definitely be there.

Jeff: Yeah, I don't have too much to add to that other than, I'm obviously not a legal expert by any means, but I think just seconding Byron's point about from my perspective it's just gonna mean more change. Obviously GDPR, that was a big change, and I think with California, and other states then, and even within the law itself, with all the changes and addendums and arguments going on in California between the different companies that have to enforce it, and privacy organizations, I think we can just expect over the next year, two years, five years, to see a lot of changes and evolution in the landscape, particularly here in the US. That would be my prediction if I had to make one. But yeah, again, if you want more details on that, we do have that previous webinar and the ebook which, obviously, we may need to update that ebook as the CCPA continues to evolve.

Hunter: Definitely interesting stuff, I'm curious to see where this goes in the next few years. And to end, I was just curious myself on the IAPP certs. Which ones are the most popular, and how often are those certs being updated, and when are the next updates coming?

Byron: Great question. So here in the US, the CIPM and US have been most popular, definitely here at the Infosec as well. The M being the managerial side and how to apply privacy to the organization, I think is the easiest way in for most people, but of course privacy started here in the lawyer's offices, in the office of the general counsel, so going over the law and regulation here in the US in that CIPP/US designation was also very popular. Obviously with the EU and GDPR, M and over there the E were very popular. That's kind of died down a little bit with E still being relevant because companies here are dealing with EU citizens' data, and still having to train up on that. But for US business, M and US are definitely the most popular. Those are updated bianually, and also updated when big news or changes like CCPA happens. So we will include specific sections on law and regulation like the CCPA, for example, as they come out. We're pretty quick to turn that around. We are the gold standard for that information with our research center and publications teams. So we're reporting the news and also analyzing what's coming out of privacy offices. The CIPT is gonna take a big change coming up Q4, Q1 of 2020. That will include a lot of the emerging technology and things that have been changing, especially in 2019 as we start to look at AI and facial recognition, even Bitcoin. So we're pulling that together right now to be up and running for Q1, Q2 of 2020, and that's just one of those revamps that we need to keep it up to date. We're always looking at where privacy's going next and how to keep our training and certification relevant, and also giving our members and certifying members the information they need to do the best at their job as it relates to privacy. So biannual updates, updates as needed as news and regulation changes things, and in between we fill the gaps with publications and some of our research, including white papers that we put out on a regular basis.

Jeff: I would say when we launched the IAPP certifications here at Infosec last year, my prediction was that CIPT would be the most popular one, but of course I was wrong. Yeah, the CIPP/US, CIPP/E the Europe one, and the CIPM all have probably about pretty equal number of enrollments over the last 12 months. The CIPT is still growing, and we're scheduling courses for that and getting enrollments, but just not quite as many as with the CIPM and those other CIPP ones. Yeah so that's just kind of a general view of it from our perspective. But I think we've seen a good amount of growth overall over the last 12 months with our offerings here at Infosec, and I think if I had to make a prediction, I would say the CIPP/US is gonna grow quite a bit with the California privacy law, but take that with a grain of salt 'cause I was wrong in my last prediction. But that's kind of where I see it going, is in particular the CIPP/US and the CIPM probably growing as the strongest ones for Infosec courses, the most popular in terms of number of courses that we schedule. But I think the other ones are gonna continue to grow in popularity as well.

Hunter: Definitely. And I just wanted to thank Byron for joining us today and Jeff for helping out. You can watch this recording in an email coming soon after this webinar. If you'd like some more information right away, you can head to infosecinstitute.com, or call to speak with a rep with the number on screen, and again if you have any questions, please direct them to info@infosecinstitute.com, and we'll be sure to get back to you soon. Have a great rest of your day.

Chris: I hope you enjoyed today's webinar. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to youtube.com and type in "Cyber Work with Infosec" to check out our collection of tutorials, interviews and past webinars. And as ever, search "Cyber Work with Infosec" in your podcast app of choice for more episodes. As a reminder, again, in honor of National Cybersecurity Awareness Month, Infosec is giving away a free trial month of Infosec Skills, a subscription-based skills learning platform throughout the month of October. If you'd like to learn more about this offer, please visit infosecinstitute.com/podcasts, and use the start learning link to claim your free month. But be sure to sign up before October 31st 2019. Thanks once again to Byron Johnson, Jeff Peters, and Hunter Reed, and thank you all for listening. We'll speak to you next week.