Besides work experience, I probably get more questions about CISSP continuing education than anything else CISSP-related. Fortunately, keeping your CISSP can be a lot cheaper and easier than getting it in the first place was.
CISSP continuing education is measured in CPEs. You get one CPE per hour of “study.” Study is a pretty loose term. If you’re learning about security, you can probably find a way to make it count. You need to get 40 CPEs per year.
Want some free and easy CPEs? Listen to podcasts. There’s a reason why most of them are an hour long. One podcast equals one CPE. Listen to podcasts, talk to your coworkers about what they talked about, and you’ll learn a lot. Listen to one hourlong podcast per week and you’ll exceed your requirement. It’s a productive use of your commute time.
Reporting those podcasts is the only downside. Filling out (ISC)²’s form 40 times isn’t my greatest joy in life. It’s also a hassle to track 40 different line items.
For ease of reporting, nothing beats reading (ISC)²’s magazine. Sign in, read 30-something pages, take a quiz, and you get two CPEs without any more paperwork. You can get 12 CPEs a year that way. I think I learn more from listening to two podcasts than I do from reading an issue of the magazine, but the magazine covers topics the podcasts don’t. Balance is valuable.
Security conferences are another big one. Everyone thinks of the huge, weeklong conferences in Las Vegas every summer, but every metro area has one or two daylong conferences per year. Attend those, talk to some vendors (you might even find me), spend the day, and you’ll get about eight CPEs for your efforts. The cost to attend varies, but if one of your security vendors happens to be a sponsor, they may be able to get you in for free. Ask your account manager.
The first local conference I attended left me pretty wide-eyed. Subsequent conferences haven’t done much for me. Usually there will be one or two talks that will be really good, but there’s a lot of repetition. But getting eight hours of CPEs in one shot is pretty nice. Two shows plus the magazine gets you 28 CPEs with only two line items to report.
Vendor-sponsored webinars are another nice option. I’ve used Ultimate Windows Security in the past and recommend it. Typically you’re looking at about 30 minutes of usable training and 30 minutes of vendor sales pitch, but the vendor sales pitch part sometimes has some gems of knowledge in it. The webinars are more interactive than a podcast and tend to go deeper into a topic. One webinar on Java security may have changed my career, and that’s what continuing education is supposed to be about.
When I first started studying for CISSP, I fretted a bit over the CPEs. My mentor said not to worry about it; he said he’d have 100 CPEs a year if he reported everything that counts. I’m not sure I’d have that many, but I know I have more than 40. That’s true of most of the really good CISSPs I know. There are enough opportunities out there that we really can learn something new every day. The more of them we take advantage of, the better security professionals we’ll be. Reporting all of that CISSP continuing education becomes an afterthought.