CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 336 - Cyber Niche's and Submitting CPEs
Passing the CISSP is a huge win, but the part that quietly ends careers is what comes after: keeping the certification active. I walk you through how to submit ISC2 CPEs in a way that is accurate, defensible, and easy to repeat, so you never wake up to a renewal deadline panic. We talk real numbers too: 120 CPE credits per three-year cycle, a minimum of 40 each year, and the $125 annual maintenance fee that can sneak up on you if you are not watching your dashboard.
Before we get into the portal clicks, I bring up an idea that matters for every cybersecurity professional: the hidden cost of cybersecurity specialisation. Specialising can raise your income and sharpen your value, but without broad context you can lose the big picture, mis-prioritise risk, over-rely on tools, and slow down detection and response. The goal is to build depth while staying fluent across the CISSP domains and the business realities those domains protect.
Then we go step by step through CPE submission: choosing the right category (education, contributions, professional development, or unique work experience), understanding Group A vs Group B, selecting relevant CISSP domain areas, converting time into credit hours, and attaching supporting documentation that holds up during an ISC2 audit. I also share the most common mistakes that waste time, including waiting until the last minute, entering hours incorrectly, miscategorising activities, and failing to save proof for at least 12 months beyond your certification expiration date.
If you want more practical CISSP training and a smoother CPE routine, subscribe, share this with a friend who is newly certified, and leave a review so more people can find the show.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And Podcast Purpose
SPEAKER_00: Welcome to the CISSP Cyber Training Podcast. We provide you training and tools you need at the CISSP exam. Hi, my name is Shon Gerber. I'm your host podcast. Join me each week as I provide the information you need at the CISSP exam and grow your cyber checker in the light. Alright.
The Hidden Cost Of Specialisation
Why CPEs Get Forgotten
CPE Totals And Annual Fees
A Simple Monthly CPE Plan
CPE Categories You Must Know
Group A Versus Group B
Step By Step Portal Submission
Proof, Audits, And Tracking Progress
Common CPE Mistakes To Avoid
Wrap Up And Listener Requests
SPEAKER_01: Good morning, everybody. It's Shon Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is Monday, and we're going to be getting into areas related to the CISSP, related to different topics that you are going to have to know so that you can, one, pass the CISSP and then move on in your cybersecurity career. Today we're going to be talking about how you submit your CPEs to ISC Squared. And it's an important part, right? So for some of you are going, well, I haven't passed my test yet, but you're going to have to do this in relation to passing that once you pass the test, you're going to need to update your CPEs. And we talk about this a lot on CISSP Cyber Training. Your CPEs are an important part because you go to all this work to pass the CISSP exam, but then you don't fill out the forms and you don't do the paperwork and then you lose your license or you lose your certification. And we don't want that. That's a terrible thing to happen. But so we're going to get into that today. And we're going to plan on just kind of going over how do you do this in a way that's most effective for you and what you're trying to accomplish. But before we do, I had an article I wanted to bring up to you all. And it's called The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills. Now, if you've all been paying attention to our podcast on a routine basis, one of the big factors that we talk about at CISSP Cyber Training is the fact around having specialization in the security space. And an important part of that is getting this knowledge so that you can then expand your security knowledge and increase your income because of this specialization. Now I saw this article and I thought, oh, you know what?
These are some really good ideas that I was not necessarily completely connected with and thought it would be great to bring these up for you all to start thinking about this as you look to potentially specialize in cybersecurity. So one of the key things, there's about there's a couple key items that they said, there's four topics that they say are the biggest aspects you need to keep in mind. Well, the first thing that coming out of the gate is that it's not a bad idea to specialize. But specialization without broad context leads to poorer security outcomes. And I can see that, right? If you are in a position where you're getting into just a new area and you don't really have the context around the security as a whole, as a bigger picture, you could lose sight of some of the most important aspects around security. So one of the key problems I defined is that it's a loss of big picture understanding. So if you go strictly into those niche roles, okay, cloud security, IAM, without learning those key systems, it can cause some trauma. And trauma is right, because you know what? It happened to me. One example was that I actually was looking to put in a product and I specialized in an area, and I realized after I got through to this that the company wanted to change their perspective on what they're trying to accomplish. So they went from a broad brush enterprise version thought process to a more of a coffee barista, everything is untrusted environment. And that changed things dramatically on how I architected this piece. And I basically got caught flat-footed, and I ended up having to re-figure out what I was going to do and how to make the best thing work here. So again, loss of big picture understanding can be a big factor in this. Poor risk prioritization. Without understanding the business and its critical assets, you can struggle to desire to determine what matters most for the company. 
And you can treat risks as an abstract instead of something operational, mean operationally meaningful. So it's an important part. You don't totally understand the risk because you are getting very focused on a niche area. So again, that comes back to the part where you have to understand the bigger picture and work yourself down to what is important. Over reliance on tools. We all see this way too much. There's way too much over-reliance on the tools. Buy a tool, throw it in there, it'll fix the problem. And the tool is helpful, but you really truly need to understand the risk-driven aspects around that. So then you get into the piece of misaligned investments. You spend money you shouldn't spend on some certain things. And then you have ineffective or inefficient programs. So again, over reliance on tools is another factor that they call out. And then the fourth one is weaker detection and response. Effective security will depend on knowing what normal looks like. And if you don't know what the normal is because you're very focused on a specific role, you can miss key aspects of it. So threat detection can be harder, incident response can slow down, and then pretension or prevention becomes more of guesswork and just kind of hoping that you find it. So the real hidden cost that they bring out of this is that their specialization is fragmented understanding, slower elective or slower and less effective incident handling, and then security programs that drift away from actual business risk. So again, you just really need to understand the overall goals of all these critical systems, mapping them to the real world issues, and then maintaining context across all your teams. All it comes down to is communication, right? If you are very niche in one area for security, make sure you're communicating across all teams. 
And just because you are that specialized person in that one spot does not mean that you should not try to understand the various aspects of each and every piece of your business. So you understand the business operations and you understand the risk associated with doing that as well. So again, you really need to think about this hard as I have been stressing that niches are important and I truly believe that. But you need to also go into this with the attitude of the eyes wide open in that just because you start with a niche, niche, niche, you start with one area doesn't mean you're gonna stay in that lane. You're gonna want to open up and expand your knowledge and your capabilities beyond that certain niche area. Okay, so something to talk about. Again, the hidden cost of cybersecurity specialization, losing foundational skills. And this is from The Hacker News, and you go check it out. It's pretty good. All right, let's get started into what we're gonna talk about today. Okay, so how to submit CPEs to ISC Squared. Now, the big thing around this is you as you get your CISSP done and you complete that and you're looking forward to I've got my certification. I'm now super excited about this. I can't wait. But then you forget to do your CPEs. Yeah, my wife did this. I'll give you an example. So she has done continuing education and she was a nurse. And as a nurse, she was supposed to compete or complete her CPEs or continuing education credits for to maintain her nurse's license. Well, we got busy raising children after having seven total, but having three kids, my wife decided, you know what, I'm just gonna put my license on hold and I'll come back to it later time in the future. Well, the problem was that she didn't keep up with her continuing education credits and her license went away. Now, the problem with that is she spent four years going to college to be a nurse, and then her license is gone, and she can't do anything with it.
And then for her to get it back, she would basically have to go back to school and take another two years of schooling to be able to become a nurse again. Not a good thing. It's not something she wanted to do. So, same thing with your CISSP. You have gone through so much work to get your CISSP done, and now you need to continue with the paperwork, otherwise, it truly will go away. Now, you get time, right? And yes, time is also a valid thing, but it's also a bit of an enemy because you can forget in that period of time that you had to get it completed. So your CPEs, you have to have 120 CPEs per every three-year life cycle, or life cycle, every cycle. You have 40 CPEs minimum per year, and then you need to have a 125 annual dollar maintenance fee. Now, I am perfectly guilt, I am guilty of this myself. I was going in and looking at my CPEs, and I went, oh dear lord, um, yeah, I did not do my CPEs for a while, and I need to get them done because you get busy doing other things, and then you realize, oh my goodness, yeah, I gotta get this taken care of. So we're gonna go through what you need to be considered about when you're doing your CPEs. So again, we talked about 120 CPEs in on a three-year cycle. So you're once you get your certification, then your clock starts to tick. And you need to start getting these continue education credits, and I'm gonna call them, they call it continuing professional education, but I'm just gonna call them continue education, just so you understand. You need to get these CPEs with every three years, and you need to build them up. And their goal is to get a minimum of 40 CPEs per year. Now, if you look multiply three times 40, what does that give you? 120. So that's the plan of what if you do 40 and you get the 120, hey, you're good to go. Not a problem. So then you have a $125 annual maintenance fee that you have to complete every year. So you get $125 each year.
So when you come multiply that times three, you're looking at $375 over a period of three years. Now the max group A, and we'll get into group A and group B here in just a minute, but the max group A carryover CPEs is 40. So you can carry over 40 CPEs into the following year if you wish to do so. So if you get 80 done in one year and they're group A, you can carry those over into the next year. So, pro tip, one thing to think about is just aim for three CPE credits per month. Submit each podcast episode you listen to, and you can actually get that really quick. So I do four podcasts, actually, we do eight podcasts a month, and if that eight podcasts, they're about 30 minutes long. So, in that 30 minutes of eight podcasts, what does that equate to? About four hours, right? So that's not too bad. You could listen by listening to CISSP Cyber Training, you can get four hours of your CPEs done each and every month. So don't wait until your renewal deadline. Submit as you go. It's just an important part. And the goal I'm gonna talk about here in just a minute with CISSP Cyber Training is if you listen, my goal is to be putting these, what you need to put on your CPEs to be able to go and get credit for it. Make it as streamlined as possible so that all you got to do is go click, click, click, and you're in business. That's the ultimate point of all of this. So there are four CPE categories. You need to know where your categories belong before you can submit. You have education, contributions, professional development, and work experience. Okay, so it's education, attending training, webinars, courses, conferences, podcasts, consuming knowledge is education. And that can be either in group A or group B. Contributions, this is where you're authoring content, teaching, speaking, exam development, hosting podcasts, volunteering, all those things that are helping to grow the overall community. That is a contribution, and that is a group A or B as well.
Professional development. This is the great things that make you who you are. Leadership training, management courses, software, not domain-specific items. So if you're going to take a class on how to be a better leader, how to do, I don't know, something that's fun and exciting to make you a better security person, then that would fall into professional development space. I took some courses uh at our local colleges many years ago around business development, and that would fall into the professional development. Now, that is group B only. You can admit a maximum of 10 you can have in any year around that aspect. So again, the ultimate goal is that you they want you to be focused on the on the security piece of this, but they also really want you to think about how do you may become a better person. Now, just because that it's set up for minimum of or a maximum of 10 CPEs doesn't mean you should stop there, right? I mean, just because you're reading a book and you go, okay, I read the book on leadership, okay, that counts as a CPE. Well, not really, but let's just say it does. You read the book on leadership and it counts as a CPE, you now are in a situation where you go, all right, great. I have maxed out my 10, I am no longer gonna do leadership. That's not a good idea, but something you can consider. Work experience, unique projects outside your day-to-day job that relate to the CISSP domains. So an example around this could be I did a project when I was uh working as a security architect related to intellectual property protection. It wasn't something that was in my job description and it wasn't something that I did on a routine basis. So I counted that, my work into that as work experience aspects. Now again, it's a group A only, and you can have a maximum of 10 on those as well. But an ultimate point is that you're trying to utilize your skills, and how can you utilize those to increase your CPEs? 
Now, so let's get into the overall group A and group B, because you heard me talk about them. What do they mean? So, what is the difference between those? And not all CPEs count the same. So the group A are the CISSP domain specific CPEs. You must relate to one or more of the eight CISSP domains. Now, at the writing of this or at the creation of this presentation slash podcast, there were eight domains. Now we do know that ISC Squared is in the process of making changes to the various domains out there, and there is a possibility that some additional domains could have come up. I don't think they will. I think they'll just blend in AI and the different aspects within the current eight domains. But there is a chance that some of these domains may change. But based on that, of the eight domains that are out there, you have security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. Those are the eight, right? So those are the eight that fall into group A. Group B, again, maximum of ten credits per cycle, does not have different, they they don't have anything that's related to the CISSP domains, like we talked about, leadership and management training, soft skills and communication courses, general IT or business courses, Toastmasters, mentoring, or coaching. All of those count towards the group B piece of this, but only 10 group B credits count towards your 120 total requirement. So again, they only want that's like 1/12th, right, of the actual use of the different types of skills is in this space. I I didn't tend to agree slash disagree. I think maybe it could be a little bit more. Ideally, we want to know as security professionals, and if you're looking at this test from a security management standpoint, you need to really truly understand leadership.
I mean, it's an important part of what you're doing. So maybe a little more emphasis would be good, but I'm not in control. So they're saying 10 credits per cycle is the max you can do in this space. Now, the step by step for submitting your CPEs. So step one through four, this is getting into the portal and entering all the details. Now you're going, what are you talking about? I'm just gonna be very transparent with you all. Um, yeah, getting into the portal and submitting CPEs is not the easiest thing in the world. It's a little bit convoluted. Um, I like ISC Squared and the CISSP is a great certification, but entering in your CPEs is not the most streamlined process. It would be great if it's like click, click, click, and you're done. There's a lot of stuff that kind of goes with it. So, first thing is you log into your portal. You go to isc2.org and you sign in with your ISC Squared member credentials. That's the key thing. You're gonna have to have your CISSP and you're gonna have to have your credentials to do this. You then click submit CPE. This is from your dashboard, and sometimes you have to go up in the upper right-hand corner. It's it's always not so simple, but it's it's it's there, right? You submit your CPE and you add a new CPE activity that you're gonna do. Now you choose the category in which you're going to be part of this. This is education, contributions to the profession, professional development, or unique work experience. So you're gonna click on that. Now, I will say that if you're listening to podcasts, education is probably the key factor you're gonna focus on because that's listening to podcasts. Now, I will do the contributions of the profession because this is doing this podcast is outside of what I normally do, and it's to help grow you all out there. Obviously, there is some sort of my financial gain in it, but for the most part, it's to help you all be successful in security as well as passing the CISSP exam.
And then entering activity details. This is where you'll enter in the activity name, obviously the CISSP podcast. Now, I would recommend, and we'll have this on the different where different places on my site and on the podcast itself, where you will just copy the name of the podcast. So in this case, it would be focused on submitting CPEs. You put the start and end date, credit hours, obviously 30 minutes equals a half an hour, and then you move from there. Now, this is a big boy and girl system. If it is my podcast, it is 35 uh minutes long, then I would anticipate you would go and and put it down as 30 minutes. If I ended up being about 40 minutes long, and you go, you know what, I'm gonna put it in an increments of 45 because it's every 15 minutes, I'll put it in that increment, then you put it at point, whatever that is. Right? So you're gonna have there's gonna be some level of understanding around this. Uh the precision is important, uh, but also having specificity is the best. You wanna make sure that you're putting it in correctly, and you want to make sure that you're putting it efficiently and honestly. So a quick conversion, right? We're talking in 30 minutes is a half of a CPE, 45 minutes is 0.75, 60 minutes is point is one minute or one CPE, 90 is 1.5, and 120 is two. So that's just kind of a quick reference of how you should break this down. Again, you have to use the best judgment. You will get audited if they say that you know you said I watched, I listened to or watched a 15-minute video, and I said a lot 1.2 or 1.5 hours of CPEs. They do audit this. So if you try to lie about it, um, it will bite you. What I've learned, because I'm a Gerber, uh, I if I and I tell my children this if you go and do something that's incorrect, you will get caught. You will. It's just a matter of time. You won't, it won't happen right away. Maybe it will, but in most cases it doesn't happen right away. But you will be found out.
And when that happens, then you gotta go and do a bunch of other fun stuff, and that's just not fun. So just do it right the first time, and then you don't ever have to worry about it. It's easy peasy, lemon squeezy. Number five, select the relevant CISSP domains. Now choose the domain or the activity that it relates to. Now, if you have multiple certs through ISC Squared, you'll want to pick the right cert that you have, and then you want to select the relevant domain for that. But that's where you would do this. Now, step six, you want to upload your supporting documentation. So, this is such as certificates, receipts, meeting minutes. If there's no proof at all, maybe write a write a word description of what you learn. I would highly recommend that you add some context to it. Uh, don't just go, I went to an audit or I went to go to a meeting on blank. Okay, that you that will work. It will in the minimum, but it if it would probably flag to be audited. I would look to put in probably around anywhere from a 200 to a 250 word description on what you learned. And in reality, with ChatGPT, you can put the bullet points into any sort of LLM and it will come up with a 250-word description for you just fine. Uh, the the ultimate point is you want to have to be able to defend what you actually created, what you actually went to, and and call it to that. You want to review and submit, double check all the fields and hit submit. CPEs submitted with evidence are often auto-approved within minutes. Uh, I have submitted some podcasts that people have said to me, uh, for example, well, I say, for example, I created a couple of training organiz training programs when I was with the colleges, and I submitted some of that that was outside of my normal job duties, and they audit it and they said, Well, we want to see the presentation that you created. And I did. I submitted the presentation and they were good with it.
So the point of it is that they're trying to see that you are not just throwing something out there to be able to get your CPEs done. They will call you out on it. Track your progress, log into it, uh, and monitor your running total. Keep an eye on it, don't wait like I just did. And some manual submissions will take longer, anywhere from four to six weeks, to appear, depending upon if they have to go in and do some looking. I've had them go and say it's in an audit status and probably been about the the longest for me, it's been probably three to four uh days, is about it. It hasn't been any longer than that. But you want to keep your documentation because you want to retain all proof of any CPE activities for the la at least 12 months beyond your certification expiration date in case of all the the ISC squared audit, etc. So this includes screenshot, confirmation emails, certificate, certificates, all of that stuff will count towards it. So it's an important part. Again, you want to track your CPEs. They want to know that you're actually doing what you say you're going to be doing. So important part. So, as an example for this podcast, you can go at education, right? We talked about education. That's the category. The group would be group A. And the domain-specific content in this area is could be related to any of the different domains we have because we're we've talked about all of them in some form or fashion. You want to have the credit hours to be probably about a half an hour. I'm just doing this as we go. So I'm assuming it's gonna be about 30 minutes in length. Now it could be a little less, so you're gonna have to make a change to that if it is a little less than 30 minutes, but it's probably gonna fall in about that. And then a domain, select the specific CISSP domain covered in today's topic. In today's topic, we're gonna be focused on all of them. So you can select something in relation to any of them because it's all covering that.
Or it can fall into group A and the non-specific domain topics as well. So there's just different areas. But now if you go and listen to some of the other podcasts that I've had, I'll get into domain seven, domain six, domain five, any of those you just pick the specific domain that I'm calling out, and then then from there you are in good shape. Documentation would be a screenshot of the episode or the podcast. That's pretty much it. I would say, in reality, I put a link, a hyperlink to where they're at. Um, that usually helps out just fine as well. Um, and if I just put the name of the podcast in there and then I listen to it. So you it's really kind of comes down to you on how you want to do it, what is best effective for you and your lifestyle. So here are some common mistakes to avoid and don't let these trip you up because again, they will just take time. The submission process takes a while. So waiting until the last minute, submit as you go, right? So you need 40 CPEs per year to do this. So spread it out across the year. Don't wait till the last minute like I am doing. Forget to save documentation. Again, keeping screenshots, certificates, receipts for 12 months plus after the expiration is an important part. If you are doing podcasts or any sort of videos on YouTube or anything like that, then make sure you have you keep the videos and you actually keep the presentations. If you have the presentations, that is more than enough. The videos tend to be a little bit much for them to upload. Uh so I would just focus on if you have the presentation created. Uh, entering hours instead of credits. So it's again, you want to make sure that you want to have the amount of credits based on the time. So instead of putting in 60, which is that would be like 60 minutes, uh, you would put in 1.0. Again, don't you don't want to enter that in. It'll flag on you, it'll say, Whoa, you did 60 hours? That doesn't make sense.
Um, so it it will most likely give you an alert or a flag on that. But if not, if you end up putting in, let's just say you you wanted to do like a 0.3 and you put in five, okay, or you put in a 0.5 and you put in five instead. Um, that will probably allow it to go through, but they will most likely audit you on that aspect, especially if you say it's a podcast. Sorry, so the if podcasts aren't typically five hours long, um, other than the video that I have on rapid review is out there, it's about I think it's six hours long. Um, but most of them are not that long in duration. Uh, miscategorizing group A and group versus group B. Again, podcast episodes on CISSP domains is group A under education. General topics would fall under the group B pieces of this. And then forgetting to pay your annual maintenance fee, they will remind you, they'll say it's coming due. They ping you and say, hey, you haven't paid. Um, you will need to pay that and get that up to speed. Again, it's going to cost you about 400 bucks over three years. Now, that's a lot of money, it's not wrong, but you can make the money up just with the CISSP certification and the opportunities that will come your way because of it. So, again, to avoid some of these common mistakes that many people, including myself, have done. Okay, so that's all I've got for you today. Again, bottom line here is when you're looking at your CPEs, don't wait till the last minute and get on it right away. If you're still studying for your CISSP and you're going, well, this doesn't really pertain to me, it'll pertain to you faster than you realize. And you're gonna get your certification and you're gonna be ha ha, and then you'll be dealing with CPEs. And so again, you want to come back to CISSP Cyber Training because I can, any time you listen to a domain and you get new knowledge around that domain, you can submit it for your CPEs. And so it's really, really cool.
Okay, I hope you all have a wonderfully, beautifully blessed day, and we'll catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you'll find a plethora or cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.