Chris Sienko: Hello and welcome to another episode of the Cyber Work with Infosec podcast, the weekly podcast in which I talk to a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, and offer tips for those trying to break in or move up the ladder in the cybersecurity industry. Today’s episode is a webinar posted on August 21st and entitled “Privacy is shaping the future of cybersecurity careers: “Are you ready?” Moderator Hunter Reed speaks with IAPP Channel Sales Manager for North America, Byron Johnson, as well as Infosec’s Product Marketing Manager, Training, Jeff Peters, about our shifting understanding of the concept of privacy as it regards to data and how it is used and protected or not by large companies. In today’s webinar, Byron and Jeff discuss how privacy is changing cybersecurity, privacy skills and how they apply to different cybersecurity roles, the future of online privacy and data protection laws, and will also answer privacy certification and career questions from live viewers of the webinar. To help you accelerate your cybersecurity studies, Infosec is giving away a free month of the Infosec Skills platform as part of National Cybersecurity Awareness Month. Just go to infosecinstitute.com/podcast, and use the start learning link to sign up for your free month of skills. But be sure to sign up for your free month before October 31st. And now let’s listen to IAPP’s Byron Johnson and Infosec’s Jeff Peters along with moderator Hunter Reed in their webinar “Privacy is shaping the future of cybersecurity careers: “Are you ready?”
Hunter Reed: All right, thanks for joining us on today’s webinar, “Privacy is shaping the future of cybersecurity careers: “Are you ready?” My name is Hunter Reed and I will be helping moderate today’s webinar. We’re excited to have Byron Johnson, IAPP Channel Sales Manager for North America, here with us today. In his role as Channel Sales Manager for North America at the IAPP, Byron Johnson manages the official training partner network in the US, Canada, and Caribbean. Byron works to grow and enable official training partners to extend the reach of the IAPP, delivering IAPP training and certification as part of their core competencies. He works with consultancies, law firms, professional training schools, and privacy-focused companies like InfoSec to further the IAPP’s mission to define, support, and improve privacy globally. He is also joined by Jeff Peters, Infosec’s Product Marketing Manager for training, including IAPP certifications. Jeff, why don’t you take it away?
Jeff Peters: Yeah, thanks Hunter, glad to be here, and thank you guys all for attending this webinar. So I’m Jeff Peters, as Hunter said, I am the Product Marketing Manager for Infosec’s training and certifications, and we started working with IAPP about 15 months ago, offering their different privacy search that they offer. So today what you can expect in this webinar, Byron’s gonna be talking about a little background on who the IAPP is within the privacy landscape, and then we’re gonna switch gears, talk a little bit about how the cybersecurity role is changing, and kind of the new era of cybersecurity professional, and in particular how that plays into privacy. We’ll talk a little bit about the regulations and how those are affecting cybersecurity roles and jobs, then we’ll talk a little bit about the different IAPP certifications out there, and if they’re a good fit for you in your career, and then at the end we’ll have a Q and A. So if you have any questions, feel free to post them in the chat. We could also answer questions throughout the webinar, so if anything pops up that you would like us to discuss, feel free to drop it there in the chat, and Hunter’ll be monitoring that for us. Well with that, I’ll throw it over to Byron to give us a little background on the IAPP.
Byron Johnson: Thanks Jeff. Byron Johnson here again from the IAPP. I hope everyone’s doing well. I just wanted to tell you a little bit about the IAPP. We are the big tent for privacy pros globally, offering information and community surrounding our common space of privacy. We have over 50,000 members representing over a hundred countries, with our membership more than doubling within 20 months thanks to privacy regulation. We offer our members original content from our awesome publications team, and industry analysis from our Westin Research Center. We are a not-for-profit, non-advocacy association, having launched and developed the only globally recognized credential program in information privacy. Our certifications and training play a key role in the maintenance and professionalization of the privacy field, now more than ever with our sole mission to define, support, and improve privacy globally. Thank you so much for being here. Thanks again, Infosec Institute, and happy to be able to share with you. Let’s get right into it. So the privacy landscape, you guys have probably all heard of it. It’s been in the news lately. Privacy is one of the most important and rapidly expanding and changing fields in the world today. Increasingly most aspects of daily life involve the often unwitting collection of communication and use of personal data. My buddy, for example, just got a refrigerator that now can track and make suggestions on when he might run out of milk. It’s a pretty interesting time out there. As personal data are generated and collected more widely, and are far more revealing, governments are challenged to determine the proper limits and regulatory structures to enforce those limits. We’ve seen that already with the EU, and coming regulation that I’ll talk about more, CCPA and beyond, while businesses and other data users now must determine how to comply with those emerging rules, often in the context of new technologies and unclear norms, like that refrigerator. Okay, so new privacy regulation like again GDPR and CCPA, they limit what companies are able to store, process, collect, and share for personal information. We are in the age of a data economy. Last year, for example, data surpassed oil as the world’s most valuable commodity. Businesses want data because it has value. It helps them sell more, in many cases data is the business. Privacy regulation is the result of unauthorized access to this data, and being protected in new ways that consumers are starting to expect, and business is still trying to understand. So what can you do and can’t you do with personal data? You can, should, and will have to protect your employee and customer personal data with current and impending regulation, here and abroad. I’m sure you are doing this now in your roles as cybersecurity and information security professionals. Covered extensively in our CIPT certification, that I’ll review in detail a little bit later, privacy by design is the idea that you need to bake privacy into the early stages of IT products and services for cost control, accuracy, and speed to market. Using this concept to help choose vendors or processes will help protect you from the beginning. You should also be making the quote unquote trip across the hall to work directly with the early adopters of privacy in your work. There will be people who are working on compliance, will from a legal standpoint and a GRC standpoint, maybe seek them out and try to do your job there, helping privacy along and helping that culture shift. Data privacy is no longer just a legal issue. The issue no longer sits with lawyers, or governance, risk, and compliance folks; your role in cybersecurity will be greatly affected by this regulation. The can’ts, for example, you can’t store personal information for longer than needed, you can’t share data with third party collectors or processors without the right controls in place to limit their ability to identify specific persons from that information, and you definitely can not sell personal information, as I’m sure you’ve heard throughout the breach kind of culture we’ve gotten into here, without the explicit consent from your customer or employee. These new controls around personal data, though not yet commonplace, will drastically change the way you operate on a daily basis. Your role in cybersecurity is about to change. Jeff, tell us a little bit about that.
Jeff: Yeah, I wanted to talk just a little bit about how the overall cybersecurity landscape is changing. I started here at Infosec a little over a year ago, and one of the things I’ve really been digging into a lot is the skills gap. Before I was at Infosec, I worked at a cyber threat intelligence company for about five years, so I’ve been in this space for a little bit, and one of the challenges that is really, even going back to when I first started five, ten years ago, is this skills gap. I think we’ve been seeing more and more people talk about it. For example, ISC Squared, they released their workforce study last October, November, and revised their number of on-field cybersecurity jobs to three million, with half a million here in North America. The pace of learning is really increasing, slowly, but it is going up, and that’s one of the things we’re focused on here at Infosec, is training and certifications, but the pace of technology is outpacing that. So we’re getting this gap and it seems to be growing and getting worse. And I think privacy is a big part of that, you know, obviously we had GDPR just a couple years ago, and now we’ve got CCPA coming. So one of the other things that’s been written about quite a bit is this two year half life for all skills really, but particularly tech skills, especially thinking in terms of privacy, you know, you might have finally learned all the privacy skills that you need a couple years ago with GDPR, but two years later, half of those skills may be out of date or irrelevant because there’s new laws and new regulations. So yeah, that’s obviously one of the challenges here, and that’s one of the things that we’re really trying to address as a company, and with our various partners like IAPP that we work with. Yeah, on the next slide here, one of the interesting things we did, at the start of the year, we surveyed all of our alumni and people who’ve taken training with us, and we put together our 2019 cybersecurity industry report, and it was the first time I have been involved in a survey like that, so I was actually kind of surprised with the findings. One of the big things that we found was that 62% of Infosec professionals reported that they did not have clear career paths, and I guess it’s important to note that of the people we surveyed, I think about nearly 80% had a bachelor’s degree, something like 60% had at least five years experience, so it’s not like we were talking to entry level people here, we were talking to people who’ve been in the field for quite a while, and those people who were unsure of their career paths, more than a third of them were not confident in their career goals, and we had a few other findings along those lines. One of the positive things is that 60% of Infosec pros are spending at least a few hours a week learning new skills, and nearly all of them were spending at least a few hours a month, so it’s clear that Infosec professionals need to learn new skills including privacy. But I think the big takeaway that I got from that, in addition just going to local events and talking to people who attend our webinars and stuff, is that there’s really not a clear path forward in terms of cybersecurity progression in careers, and where you are now and where you should be a year from now, two years from now, and I think a lot of that’s due to the murkiness around privacy, and I think one of the things going forward is if we can really build up your privacy skills, I think that’s one potential path that I think is gonna become more and more important going forward. So yeah, if you’re one of those people who was maybe confused about your career path, or are you a little uncertain about your career goals, just looking at the news and the people I’m talking to and working with Byron at IAPP, I think privacy is probably a skill that you wanna definitely add to your toolset no matter where you are in cybersecurity. But then there’s also a lot of really privacy focused positions that are opening up. So yeah, with that I’ll pass it back over to you, Byron.
Hunter: Yeah, so we have a question here that says, “On the topic of cyber skills gap, “the more fundamental question is what are security “slash business risk resource requirements?”
Jeff: Sure, yeah, so one of the things that we’re working on here at InfoSec is we have our Infosec Skills platform, and one of the things that’s on our roadmap to build is our assessments, ’cause I think, really, and hopefully this answers your question is you really have to understand those risks and get an enterprise-wide look of your skills gap, is what we’re hearing from the organizations and the analysts that we’re talking to. So when you’re talking about addressing your skills gap, there’s a lot of stuff about individuals out there, but I think as a organization, you need to look at being able to test and assess your whole cybersecurity team, your whole IT team, and then your whole organization, and that’s kind of how Infosec is built. We have our phishing platform for the whole organization, we have our skills training for the IT team, and then we have our certification training for those more hardcore security folks. So that’s really the path that we see forward, is really having that assessment and understanding of your skills gap, and really using the data to help address the risks within your organization, and that’s how I think we want to approach it going forward, and the enterprise organizations that we work with, that seems to be what they’re asking from us.
Hunter: Awesome, looks like that answered their question. All right, and we’re gonna move onto Byron.
Jeff: Yeah, you’ve brought up the CCPA, and just in case the people listening aren’t aware, with your registration you should’ve gotten a link to the free CCPA ebook that we did. We did a different webinar, I think back in February with Sentinel, and we had some really good guests on there who really got into the minutiae of the CCPA, so if you really wanna dig deep into all that kind of stuff, that ebook’s a good start, and then we also have that other webinar. But yeah, in terms of IAPP training, like I mentioned, we started working with IAPP I think about 15 or so months ago, and at that time we added a lot of new certifications, not just, excuse me, not just IAPP ones but other, if you’re at all familiar with the landscape, you know that there’s tons of new certifications that get released and everyone’s always trying to kind of build out these new ones. But the IAPP ones definitely from our perspective have really grown and we’ve seen quite a few enrollments over the past 15 months with those. So yeah, just a little bit about our training, if you’re unfamiliar with Infosec, the primary way to get certified is with our Infosec Flex boot camps. So the IAPP certification boot camps, we have two day boot camps, but then if you wanna get more than one certification, we also have four day boot camps where you could get, for example, CIPP/US and CIPM, as Byron was talking about, or we even have a six day boot camp if you want to hit the holy trifecta and get the CIPP/US, the CIPM, and the CIPT. So with our boot camps, they’re livestreamed, so you can either attend a classroom in person or you can use our Zoom integration, watch it from your home, interact with your instructors, things like that. And then another benefit that people really like about our boot camps is our exam pass guarantee. So if you take an IAPP boot camp, like say you wanna get your CIPP/US for example, and then you go ahead and you take the exam and you fail, well, we’ll give you a second exam voucher to retake the exam, and we’ll even let you resit the course. We definitely wanna make sure that you’re successful if you take one of our boot camps. And then another thing just to mention, we are a, as Byron said, we work with IAPP, we are a partner of theirs, and we’re really trying to help them grow these certifications. I think now we’ll probably switch over, see if there’s any questions from you guys or anyone in the audience.
Hunter: So we’re having a lot of questions about certifications, it looks like. So Miguel wants to know, he already has the HCISPP from ISC Squared. How does that compare to other certs?
Jeff: Yeah, that’s not a certification that we offer at Infosec, so I’m not very familiar with that one in particular. I don’t if you have any insight into that at all, Byron, in terms of how they compare to the IAPP certifications?
Byron: Not really, I assume it’s pretty close to our CIPT, but from a security standpoint. I also wouldn’t feel comfortable saying much on it, just I’m not a pro on that. But it might be a good starting point. If you found that having value, it might be a good starting point to see what else makes sense, both from a privacy standpoint and other cybersecurity certifications. Certifications in general are great for you. You’re gaining knowledge that will benefit your organization, increasing your salary, or improving your chances of promotion. There’s no real terrible reason to get certified, so if you’re thinking about it, I certainly would, or at least take the training, and then you can make that decision for yourself. You also enter a community of fellow professionals, and peer networking opportunities, so you may be able to ask your peers if that’s a good option for you. And definitely look into what InfoSec has for that community as well.
Jeff: Yeah, and I was just gonna follow up. Yeah, I know I didn’t really get a chance to address your question in particular, but if you do go to our website, whether it’s the CIPT bootcamp or the CIPM bootcamp, we do have an outline of the whole two days of talking of all the different major subjects that you’re gonna cover, as well as you could go to IAPP’s website, and I’m sure you can see the exam domains, and our course is designed to prepare you for that exam, so if you wanna do a little research, you could either go to the InfoSec website or the IAPP website, and look at our course details or look at the domains and see how they compare to that other cert if you wanna get into the nitty-gritty with that.
Byron: Yep, you can look at exactly the body of knowledge which both the training and certification exam are based on.
Hunter: Cool, and we have a question here from Medusu, what are the requirements for each of these IAPP certifications?
Byron: Again, definitely touch base with the website, but the trainings as we offer them are two days each. The boot camp model that Infosec offers has a different take on it. They bake in some value that the IAPP doesn’t directly, so it’s a great place to start. I would say, starting with the CIPM might be a great place to kind of understand where privacy is from a larger picture. The CIPP/US goes deep into the laws and regulations, and it might seem a little bit dry to someone who’s making that jump from cybersec, infosec. So check out the CIPM, definitely go to that body of knowledge. That might be the best place to see what topics are covered. If you’re looking for more of the technologist’s standpoint, the CIPT goes over privacy risk models and frameworks, value-sensitive design, privacy responsibilities of the IT professional, software security in relation to privacy, data-oriented strategies, I could go on and on. Definitely look at what hits home for you. Obviously you wanna be able to take this information and do something with it, so something that you’re gonna be more prone to enjoy might be a good place to start.
Jeff: Yeah, and just to follow up, I would say for our boot camps there’s not any specific prerequirements that you need to meet in order to attend any of those. I think you’d probably be able to attend any of them, and potentially be successful in passing the exam, but obviously, like with CIPM, that body of knowledge is about privacy program governance, and the privacy program operational lifecycle, so if that’s not going to be directly applicable to your job duties in some way, it might be a little more difficult to understand the real world experience. I mean obviously anyone can probably study hard enough and do a decent job with the exam, but the more it applies to your real world experience, probably the better. So yeah, I would recommend looking at the three and seeing which probably ties closest to your job role. That’s personally how I would go about it if you’re looking at obtaining one of these, ’cause that’s probably obviously the most beneficial way to do it.
Hunter: Jeff, you may have just answered that, but I have a few questions coming in about people just entering the privacy sector, starting as a novice. What role can certifications play with that, and where can people start, I guess?
Byron: I can take this one. So certifying is kind of your second option. I would definitely look at training, and specifically instructor-led. The instructor can really provide a perspective that’s helpful to you. If you’re able to tell the instructor a little bit about where you’re coming from, what you’ve dealt with in the past, where your career has gone and where you hope it goes, they might be able to tie some of the privacy frameworks and ideas to things that you’ve already kind of come into touch with. The real thing here is taking a step into training. That’s where awareness training might be a great option, where you don’t necessarily have to certify. That is definitely the best way to have that information make a real impact, like I was saying before. The salary increase alone is usually the driver there for most people, including myself. But it gets you closer to something that’s going to be huge. I mean, the EU’s business practices have completely changed from GDPR, and they started with a culture of privacy. At a restaurant, they bring a credit card scanner right to you; they don’t disappear with your credit card for 15 minutes. So learning about how privacy is and will affect business from here on out using this training and certification, certification makes the most sense from a bang for you buck type of thing. It’s four letters, you get to, or five, that you get to add to your name saying that you are a professional, and you know what you’re talking about, and you’ve done the work to pass an exam. It’s not easy. It’s a step in the right direction to start training and see if it really connects with what you like and enjoy.
Jeff: Yeah, and I would just second what Byron said. You don’t even necessarily have to get the certification. If you’re just looking for a place to start studying, we actually, one of our Infosec instructors, actually even suggested that people who are new to cybersecurity start with the CISSP, which is typically one of the most advanced ones, certifications that’s available out there. Not that you’re gonna try to earn the CISSP right away, but you can look at all the domains, and you can kind of get an idea of, ’cause that’s one of those certifications that’s described as a mile wide and an inch deep. So you can get kind of a good view of where you could be in five years or ten years down the road in your career. And I think you can do the same thing with the IAPP certifications. If you’re just looking to kind of get a feel for if it’s something that you would like, you could look at the domains, the different bodies of knowledge, go to the Infosec website, see what you’re gonna learn, and just kind of explore those on your own. Another thing that Byron said though is with training I think the biggest thing, the biggest feedback that we get on our training is our instructors. It’s one thing, I mean, you can train for any certification, go on YouTube, do self study, and a lot of people do that and do it fine, but the benefit of having a professional with a decade of experience, being able to share stories with your classmates, see how other organizations are approaching it, be able to ask questions, that’s I think where a big bulk of the value comes from in terms of the boot camp experience. But yeah, if you’re looking just to break into cybersecurity, that’s a question we’re trying to solve with a lot of enterprises that we work with, and there’s a lot of different ways to do that, and a lot of other entry level cybersecurity certifications like CompTIA that you could take in addition to the IAPP stuff, so you can kind of build up your other technology skills and then supplement that with some good IAPP certifications to get that privacy foundation. And it might actually be interesting to see how that plays out going forward. With privacy becoming stronger going forward, I think a lot of people have come at privacy backwards, where it’s like they’re a cybersecurity expert, and now they’re trying to catch up on their privacy, so it’d be interesting to see some of these new people in the cybersecurity, if they kind of come up with privacy and that’s sort of the foundation that they’re building their cybersecurity skills on, kind of a flip of, I think, of what we’ve been doing. That could be potentially a big differentiator as you progress in your career. So just something to think about.
Hunter: All right, so I think we have time for about two more questions. Max is wondering about the CCPA and how that’s gonna affect other states. I know that California’s one of the first states in the US to introduce these privacy policies. How is it gonna affect other states?
Jeff: Yeah, I don’t have too much to add to that other than, I’m obviously not a legal expert by any means, but I think just seconding Byron’s point about from my perspective it’s just gonna mean more change. Obviously GDPR, that was a big change, and I think with California, and other states then, and even within the law itself, with all the changes and addendums and arguments going on in California between the different companies that have to enforce it, and privacy organizations, I think we can just expect over the next year, two years, five years, to see a lot of changes and evolution in the landscape, particularly here in the US. That would be my prediction if I had to make one. But yeah, again, if you want more details on that, we do have that previous webinar and the ebook which, obviously, we may need to update that ebook as the CCPA continues to evolve.
Hunter: Definitely interesting stuff, I’m curious to see where this goes in the next few years. And to end, I was just curious myself on the IAPP certs. Which ones are the most popular, and how often are those certs being updated, and when are the next updates coming?
Byron: Great question. So here in the US, the CIPM and US have been most popular, definitely here at the Infosec as well. The M being the managerial side and how to apply privacy to the organization, I think is the easiest way in for most people, but of course privacy started here in the lawyer’s offices, in the office of the general counsel, so going over the law and regulation here in the US in that CIPP/US designation was also very popular. Obviously with the EU and GDPR, M and over there the E were very popular. That’s kind of died down a little bit with E still being relevant because companies here are dealing with EU citizens’ data, and still having to train up on that. But for US business, M and US are definitely the most popular. Those are updated bianually, and also updated when big news or changes like CCPA happens. So we will include specific sections on law and regulation like the CCPA, for example, as they come out. We’re pretty quick to turn that around. We are the gold standard for that information with our research center and publications teams. So we’re reporting the news and also analyzing what’s coming out of privacy offices. The CIPT is gonna take a big change coming up Q4, Q1 of 2020. That will include a lot of the emerging technology and things that have been changing, especially in 2019 as we start to look at AI and facial recognition, even Bitcoin. So we’re pulling that together right now to be up and running for Q1, Q2 of 2020, and that’s just one of those revamps that we need to keep it up to date. We’re always looking at where privacy’s going next and how to keep our training and certification relevant, and also giving our members and certifying members the information they need to do the best at their job as it relates to privacy. So biannual updates, updates as needed as news and regulation changes things, and in between we fill the gaps with publications and some of our research, including white papers that we put out on a regular basis.
Jeff: I would say when we launched the IAPP certifications here at Infosec last year, my prediction was that CIPT would be the most popular one, but of course I was wrong. Yeah, the CIPP/US, CIPP/E the Europe one, and the CIPM all have probably about pretty equal number of enrollments over the last 12 months. The CIPT is still growing, and we’re scheduling courses for that and getting enrollments, but just not quite as many as with the CIPM and those other CIPP ones. Yeah so that’s just kind of a general view of it from our perspective. But I think we’ve seen a good amount of growth overall over the last 12 months with our offerings here at Infosec, and I think if I had to make a prediction, I would say the CIPP/US is gonna grow quite a bit with the California privacy law, but take that with a grain of salt ’cause I was wrong in my last prediction. But that’s kind of where I see it going, is in particular the CIPP/US and the CIPM probably growing as the strongest ones for Infosec courses, the most popular in terms of number of courses that we schedule. But I think the other ones are gonna continue to grow in popularity as well.
Hunter: Definitely. And I just wanted to thank Byron for joining us today and Jeff for helping out. You can watch this recording in an email coming soon after this webinar. If you’d like some more information right away, you can head to infosecinstitute.com, or call to speak with a rep with the number on screen, and again if you have any questions, please direct them to email@example.com, and we’ll be sure to get back to you soon. Have a great rest of your day.
Chris: I hope you enjoyed today’s webinar. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to youtube.com and type in “Cyber Work with Infosec” to check out our collection of tutorials, interviews and past webinars. And as ever, search “Cyber Work with Infosec” in your podcast app of choice for more episodes. As a reminder, again, in honor of National Cybersecurity Awareness Month, Infosec is giving away a free trial month of Infosec Skills, a subscription-based skills learning platform throughout the month of October. If you’d like to learn more about this offer, please visit infosecinstitute.com/podcasts, and use the start learning link to claim your free month. But be sure to sign up before October 31st 2019. Thanks once again to Byron Johnson, Jeff Peters, and Hunter Reed, and thank you all for listening. We’ll speak to you next week.