CPE / CPD tips
Tips on how to develop your knowledge and collect those important CPE credits.
A number of IT certification bodies require you to obtain Continuing Professional Education (CPE) or Continuing Professional Development (CPD) "credits" in order to remain current. My experience of this relates to ISC2, where I'm a member and hold the CISSP qualification (I wrote about getting my CISSP here), so my comments will be based on the ISC2 requirements and framework. You may be able to apply the same tips to your accrediting body, but check with them!
More importantly though, ensuring you stay current with your industry and tech developments will help you perform well in your day-to-day role. You'll also, hopefully, find it interesting and useful. Even if you're not a member of an accrediting body I'd recommend doing some CPE / CPD (CPE hereafter), and it's also useful if you look to change job and get asked "how do you ensure you remain current?".
Disclaimer: I've never had a problem with claiming CPE credits following the tips I outline below, but you should check the rules for your organisation. The fact I've listed it here is not a guarantee that it would be accepted for you.
What is CPE?
I suspect the answer to this varies based on the requirements of the body you're a member of, but essentially CPE is something that is related to your field or role that develops you / improves your ability. Not all CPE has to be technical; it could be that you attend a course that develops you professionally (e.g. "how to be a good manager" or "how to take criticism well"). Generally speaking, CPE is something in addition to your normal role - i.e. training or additional research that doesn't form part of your day-to-day tasks.
Why record "credits"?
First, let's define a "credit", which in ISC2's case, very roughly, is one credit for every hour of CPE undertaken. Credits are an arbitrary unit for measuring progress.
As a member of ISC2 with a CISSP I'm required to get 120 credits over each three year certification cycle. If I fail to do so then I'm considered not in good standing, and potentially have to sit the CISSP exam again - something I don't want to have to do (it was horrible!). Helpfully ISC2 don't mandate that you do 40 credits a year (which could be a problem if you take a career break, or have time off to raise a family), so it's possible to spread your CPE out however you need. That said, I don't recommend trying to do it all in a rush at the end!
Similarly, if you've got a system for recording CPE (either your own or one that your accrediting body requires you to use) I strongly recommend that you log CPE activity in the system as you go. Don't leave it to the last minute to log, as you probably cannot bulk upload entries. Keep an eye on the maximum number of credits that you can claim for each area, as some organisations limit what you can claim (e.g. ISC2 only allow 10 CPE credits for authoring professional blogs).
Having a record of what you've done not only acts as evidence for your accrediting body, but also as a useful memory aid for you. Being able to look back at what you've studied may help you remember skills you forgot, or give you confidence that you can do it really.
"I don't have time"
Unless you've got a really heavy CPE requirement, this probably isn't true - you probably do have time but don't realise it. For example, in my first year with ISC2 I got the 120 credits I needed for the full three year cycle. I ended up with 205 credits logged for my first cycle, and there were definitely CPE activities that I didn't log.
You might also find that you can multitask for some of your CPE credits, perhaps by listening to a podcast or webinar while working. Personally, so long as you're deriving a benefit from it I'd say that counts. I often have a podcast on in the background while working (not all count for CPE!), and have been known to stop, make a note of something important that was said, and then return to what I was working on.
If you can't multitask (maybe your brain doesn't work that way), you might be able to speed up the audio or video. I generally listen to podcasts at 1.25x the speed, and often can cope with the same in training videos. I do then adjust the credits I claim for accordingly given I've spent less time.
"I don't have the money"
This one is certainly more complicated, and given the cost of living at the moment I can really understand not having spare funds to spend on training. There are a lot of free resources available that will likely count towards CPE credits though, and I link to some of these under Resources. Quite a few of the other suggestions I make are cost free too.
Evidence & audits
When logging your CPE credits you'll likely be asked for a summary of the activity or some other evidence. If I've attended a training course, either online or in person, I tend to make notes so I'll take a photograph or screenshot of the notes to upload as evidence. There may also be a course completion certificate that I can upload too. Attending webinars is more difficult to evidence, but again any notes I've made will count. Alternatively I'll take a screenshot as I'm watching the webinar and attach that.
This evidence can then be reviewed if you're called up for audit. ISC2 does randomly audit CPE submissions from its members, and I was selected for audit for an entry I made in late 2023. The email was very clear that I had 90 days to provide evidence of a presentation I'd worked on, or the CPE may not be counted. Within a day I'd received a message to say the audit had been passed, even though I'd not done anything yet. That was down to the evidence I'd already uploaded (a link to the video of me giving the talk).
What can I do?
Attend meet ups
Meet ups are often local groups that meet regularly to host talks, allow for networking and social time, and provide a great way to hear different people talk about diverse topics. I'm a regular attendee (and speaker) at codeHarbour, which is a meet up in the Canterbury area. Not all the talks have been about information security, or map directly to one of the CISSP domains, but those that do I've been able to use for CPE credits.
- Meetup search for "cyber security" (set your location in the top of the search)
- codeHarbour (Canterbury, South East Kent based)
- BCS events calendar (some events require you to be a member)
Blog post writing
Not all blog posts count, clearly, but for those that are related to the profession or the area you work in it's worth seeing if you can count them. ISC2 allow claiming credit for authoring professional blogs, and I've taken that to mean posts on a professional topic (e.g. on honeypot research, this post, security topics) rather than on a blog that's owned by a company.
It can take me an hour to write an average blog post, with longer needed if I'm actively researching an area that I'm writing about. Generally I only claim one credit per post though, as I have plenty of other opportunities.
Books
Not your average novel, of course, but books related to your role, certification, or industry. There are a lot of books on cyber security, for example, and these can teach useful skills, thought processes, or history. It's probably worth not reading something too old, given how quickly our industry changes, but even an old book still teaches something useful in my experience. Charity shops / thrift stores are a good place to look for books if you're on a budget, as is your local library.
ISC2 gives five CPE credits per book with a 250 word summary.
Conferences
Conference sessions often provide up-to-date information and allow you to mingle with people working in similar roles. While some conferences cost money (some a lot of money), there are a number of free conferences available. Have a search online for conferences in your area that are free, and then see if your workplace will pay for the travel and potentially accommodation. When asking your employer to contribute, make sure you can explain how the organisation will benefit (e.g. new skills, networking opportunities, research).
Not all conferences happen exclusively in the physical realm / "meat space" / the real world [1], so remember to keep an eye out for online conferences too. SoSafe's Human Firewall conference offers online attendance (and is free), and ISC2 run Security Congress if your budget will stretch to it.
Make sure you take notes at the sessions. Some conferences will submit CPEs on your behalf, while for others you'll have to submit them yourself.
- Information Security Europe (free)
- SoSafe Human Firewall conference (free)
- ISC2 Security Congress via ISC2 events (paid)
Podcasts
I've mentioned already that I often have a podcast on, be that while out walking or in the background while working. There are many podcasts available, often for free, and you may be able to count these. I don't log every podcast I listen to, but I do certainly benefit from listening to them.
- Security Now (about 2 hours per episode)
- Smashing Security (about 45 minutes per episode, less technical so may not count for CPE)
- Phillip Wylie Show (episodes up to an hour)
Talk at meetups & conferences
In ISC2 terms, sharing your knowledge counts towards CPEs - both the preparation time and giving the presentation. If you've ever thought about speaking at a local meet up they can be a great, friendly, way to get into public speaking. Equally you could try talking at a conference.
Make sure you share something of value - you're not just doing this for CPE credit, which shouldn't be your motivation in my view.
Training
Often paid for, training courses are a great way to gain knowledge and CPE credits. Keep an eye out for deals from training course providers, particularly around Black Friday, Christmas, and New Year. Providers like Udemy often run special offers on individual courses, and Pluralsight has been known to offer large discounts.
While there are likely free training courses out there, be mindful of quality. Your ultimate goal is to learn something that you can put into practice - you don't want to follow a training course that's full of mistakes. I have abandoned courses before because they were poorly written and contained mistakes.
Training could be online or in a physical classroom - what works for you is important.
- Microsoft's Learn platform (free training available)
- ISC2 training (paid)
- Pluralsight online training (paid)
- Udemy online training (paid)
Webinars
I'd guess there are hundreds of webinars taking place online every day, at different times. Some of these will be live, allowing for interaction, while others are recordings you can watch on demand.
- BCS webinars via BCS events (some may require membership, set location to "Webinar")
- ISC2 webinars via BrightTALK (some may require membership, others are advert supported)
- BrightTALK webinars
Conclusion
Regardless of whether you've got a CPE requirement from an accrediting body, or if you're just curious and want to develop your skills, it's worth making some time to do some CPE. It doesn't have to cost money, with some high quality resources available for free.
It's also worth making sure you use what you're already paying for. If you're a member of an organisation like the BCS or ISC2, they provide a lot of content and events for free to members. I tend to view attendance at such events as a key return on my yearly investment (membership fee), so keep an eye on the calendars relevant to you.
Additional resources
- ISC2 2023 Continuing Professional Education handbook
- BCS Personal Development Plan (PDP) (may require membership)
Banner image: "Studying with books" by j4p4n on OpenClipart.org
[1] I hate saying "in the real world" to refer to something that's not online. It's all real world, just different venues!