CDPSE - new privacy cert from ISACA

anthonx

@csjohnng
Submitted my application this morning.  I guess this answers my question.  Lets see how it goes.  Thanks!

https://support.isaca.org/app/answers/detail/a_id/974/kw/Privacy%20Certification

Secondary and Tertiary audience include:

• • IS/IT assurance professionals tasked with assessing privacy practices and compliance with policies/regulations

anthonx

Anyone else submitted their application?

cyberguypr

I just paid. Working with my verifier and hoping to submit by end of week. 

charismaticx

It looks like their taking about a month to process the applications. 

Ashenwelt

Due to this thread I sent in a "did my application get processed".  The email is saying 5 weeks. This thread is kind of leading to paranoia on my part lol.

charismaticx

ISACA finally approved my application and I received my CISM certification yesterday. Talk about a long wait. 

AverageJoe

Hmmm... thinking about this and might apply for CDPSE.  It's been a very long time since I became a CISM, so not tracking how ISACA currently processes applications.  How does verifier receive verification request?  

Years ago, I think for my CISM it was a hard copy form that I walked in to my boss to complete with a pen, but thinking it's probably more automated now.  Does verifier have to log into a system, answer an e-mail, or something else?  My current boss isn't too technical, so want to make sure I'm able to get ahead of his questions and make him aware of what he'll need to do for the verification process.  

Thanks!

H-bomb

AverageJoe said:

Hmmm... thinking about this and might apply for CDPSE.  It's been a very long time since I became a CISM, so not tracking how ISACA currently processes applications.  How does verifier receive verification request?  

Years ago, I think for my CISM it was a hard copy form that I walked in to my boss to complete with a pen, but thinking it's probably more automated now.  Does verifier have to log into a system, answer an e-mail, or something else?  My current boss isn't too technical, so want to make sure I'm able to get ahead of his questions and make him aware of what he'll need to do for the verification process.  

Thanks!

The process has not changed. It is still a .pdf that the verifier needs to digitally sign (:

AverageJoe

H-bomb said:  The process has not changed. It is still a .pdf that the verifier needs to digitally sign (:

Thanks!  Ya, I went ahead and started the process and was surprised to see it's still very much the the same.

AverageJoe

I went ahead and uploaded my application yesterday, so we'll see what happens.  I received an automated e-mail in response saying it was received and that it's expected to take four to five weeks.

anthonx

My application took a little more than 2 weeks from uploading my application to getting certified.  I just recently got certified yesterday.  In my second week of application, I received an email that I met the qualification.  It was followed by another email just minutes apart that instructed me to download the application.  The 2nd email must be automated and was sent in error.  It also happened to other guys I know.  

cyberguypr

Yeah, that workflow is busted. I submitted paperwork on 7/1 and just received the "you qualify" email followed by the "step 3 email". Hopefully they use my $695 to fix it.

cyberguypr

Update: cert fully granted today 7/13.

Ashenwelt

cyberguypr said:

Update: cert fully granted today 7/13.

Me to.  Granted today.

AverageJoe

Congrats to both of you!

Unknown

This content has been removed.

AverageJoe

cyber_security said:

Is that correct?

Your application has you indicate the areas of privacy experience you have (3 domains).  Your verifier then has to confirm that experience.  

It does not appear to me to be a very rigorous criteria since there's no room on the application to expand on or explain your experience, but there is an expectation that you have experience within those domains.  

Since my application is pending, I'm still not sure yet if there's any additional scrutiny beyond what the form shows.

Ashenwelt

cyber_security said:

Had a look at this if I understand the process correctly, ISACA are selling the certificate to get the name of the exam out there and buying the certification does not show you have learnt any of the material but you have paid for the certificate and you have passed some of their other exams that don't really cover privacy in much detail anyway.

Is that correct?

Not really. What they are trying to do is the same as most certifications (ISACA, ISC2, Microsoft). You grant it to people who are qualified and then get them to help make test questions and have solid professionals as cert holders. Most people I know who have this have (myself included) certs like CIPP, CIPT, FIP, etc.

csjohnng

cyber_security said:

Had a look at this if I understand the process correctly, ISACA are selling the certificate to get the name of the exam out there and buying the certification does not show you have learnt any of the material but you have paid for the certificate and you have passed some of their other exams that don't really cover privacy in much detail anyway.

Is that correct?

I would say Yes and No.
Yes, as an "applicant",  if you "cheated" saying that you have the working experience of those domain (where you actually don't) and find someone to make false verification. But this act itself already violate the code of conduct of any certification body, no matter it's ISC2 or ISACA. And the end result is you are buying a certificate which you have no knowledge and experience.
No, as a professional, you honour and follow the code of conduct, as an applicant, you have the knowledge and experience and you paid for the certification and perform the necessary verfication to get certified in CDPSE

Unknown

This content has been removed.

Unknown

This content has been removed.

Ashenwelt

cyber_security said:

I do not think that is what they are trying to achieve here, there is far more effective ways to get exam questions created. 

But not to build the core of people in it.  From my understanding that is how CISM and CISSP were done as well.  I could be wrong, but that is my understanding.  I know Microsoft flat out has granted certifications in the past and actively has gone after people to write the next gen questions.  You need to remember this is a very small pool of people they are digging into, not a broad group like IT security is today (or immense like sys admins or networking).

But we shall see what the value is in the future.  The value today is not really something very quantifiable for a new certification.  The value will be seen in a few years.

Unknown

This content has been removed.

csjohnng

cyber_security said:

csjohnng said:

cyber_security said:

Had a look at this if I understand the process correctly, ISACA are selling the certificate to get the name of the exam out there and buying the certification does not show you have learnt any of the material but you have paid for the certificate and you have passed some of their other exams that don't really cover privacy in much detail anyway.

Is that correct?

I would say Yes and No.
Yes, as an "applicant",  if you "cheated" saying that you have the working experience of those domain (where you actually don't) and find someone to make false verification. But this act itself already violate the code of conduct of any certification body, no matter it's ISC2 or ISACA. And the end result is you are buying a certificate which you have no knowledge and experience.
No, as a professional, you honour and follow the code of conduct, as an applicant, you have the knowledge and experience and you paid for the certification and perform the necessary verfication to get certified in CDPSE

Although that says to me that you think having experience in a subject means that it is fine to then give someone a different qualification. Imagine if that logic was followed for other certifications. I have the CISSP, CISM is similar here's some money now can I have the certificate. 

I may just be looking at it wrong but seems very strange to me, I would not even know what to say to someone who tells me they gained this certification that way? "Congrats you check cleared and you have experience in the area" I mean they did no learning to gain the certification. 

Not to argue, that's why in some way I would say yes and no.
First, ISACA call "early adoption", some program/certification would call "grandfather". This means next year after March 2021, to get CDPSE you will need to take the exam (like CISA, CISM) there is no different. Whether to take this or not ( with knowing there is early adoption or "grandfather"), this is one's choice.

If you believe ISACA is doing the right thing (by making early adoption in this way) and you have the knowledge, experience and spare money, then grab the opportunity.
if you don't buy this idea, leave it, that's a rational choice.
Whether this certification is "useful" or has "value" or not, I would say in time it (the market) will tell.
if you see my title, I have chosen my path ( I am not saying/judging who is right or wrong). Worst case for me is losing the $699 ( every year after, I still have a choice to renew the certification or not).

I recall like scrum, in early day like certified scrum master (CSM), where you only need to take the course without exam, you are a CSM and later it will require passing the exam.
After some time, PSM come out because the founder left CSM and make scrum.org and promote real scrum.

AverageJoe

I think you hit the nail on the head if the value is just to get some more letters after your name buying the cert is 100% good idea if you are looking to learn and expand on privacy buying the cert is not the way to go. Its probably one step up from brain dumping. 

Way different from brain dumping... brain **** are against the rules established by various certifying bodies, so if you use brain **** you're breaking a rule... probably against a specified code of ethics, maybe even a breach of contract.  Applying for this new ISACA certification while it has no exam is nothing like that unethical behavior.

IMO, certification is never about "looking to learn"... certification is all about an organization's recognition that an individual has met qualifications specified by that organization.  That's it.  ISACA is setting some introductory qualifications and has a road map to how they will add more criteria (an exam).  

And especially CISSP, CISM, and similar exams (now to include CDSPE), by virtue of their experience requirements, are NOT focused on applicants learning.  They're focused on applicants who already have experience across specified domains.  And their exams are meant not to be fact checkers or memory busters, but rather tests of how knowledge is applied.  

The idealist in me would counter your premise by saying:  what value is there in a certification that you have to study and prepare for when certifications should be recognizing what you already know and do?  Not what you studied just to take a test.  In the real world, though, I know both extremes are impractical.    

csjohnng

cyber_security said:

Ashenwelt said:

cyber_security said:

I do not think that is what they are trying to achieve here, there is far more effective ways to get exam questions created. 

But not to build the core of people in it.  From my understanding that is how CISM and CISSP were done as well.  I could be wrong, but that is my understanding.  I know Microsoft flat out has granted certifications in the past and actively has gone after people to write the next gen questions.  You need to remember this is a very small pool of people they are digging into, not a broad group like IT security is today (or immense like sys admins or networking).

But we shall see what the value is in the future.  The value today is not really something very quantifiable for a new certification.  The value will be seen in a few years.

I think you hit the nail on the head if the value is just to get some more letters after your name buying the cert is 100% good idea if you are looking to learn and expand on privacy buying the cert is not the way to go. Its probably one step up from brain dumping. 

As for the core of the people in it, if the entire core is built on people that paid to be in it I don't think that would inspire me or fill me with confidence that is a good cert to go for. 

I think if a cert is seen as difficult to achieve and has a select group of people that worked hard to pass the exam that would be the cert people would be attracted to.

The value of a certification is not about how "difficult" to achieve but measuring the appropriateness and objectively of such candidate's capability as required or perceived by the industry.
For example I put this in 1 extreme: the certification is extremely  "difficult" to achieve where virtually "no one" can achieve this certificate, does this attract people to take or does this sound interesting to the public./industry? I guess no.

Brain **** is another topic which involve code of ethics and the ability for the certification body to detect such activity, but even one can certify successfully with the help of brain ****, I don't he/she will be successful in the future / his career , at least in rare cases.

Also, certification is NOT education or something to "learn", it's a process to prove you are capable. Ideally speaking if you are confident enough you can just go straight to take the exam without any study/learning because you believe you are well qualified. When you prepare/learn for the exam, it's because either there are "gaps" (and you would like to close this gaps as much as you can) or you would like to refresh your memory / knowledge. All of my exam or certification preparation are less than 2 weeks except CISSP which I spend for roughly a month time.

Remember (at least I consider this myself) certification is not the end, rather it's the beginning of one's professional journey.

I won't get hire just because I am a holder of CISSP, CISM, CGEDIT or CDPSE (it may get me a ticket for interview), employer would consider your certification together with your actual experience as a total package.

Unknown

This content has been removed.

Unknown

This content has been removed.

Unknown

This content has been removed.

AverageJoe

cyber_security said:

If the CDSPE is just focused on applicants that already have the experience, I would expect they will just leave it as no exam and let anyone with the experience apply?

The "experience" they require is also a big red flag for me most of the exams that they use to waive experience is security focused anyone who knows anything about privacy know they are different and you should never say I have security experience so can do privacy. The fact that ISACA thinks that is worrying. Also, I imagine the way they check the other experience people claim is not that great.

I always learn something from the certification I am taking sure I know the subject but always either learn or refresh some knowledge, I am amazed you would question the value of a certification that you have to study and prepare for.

I don't see why you would you expect the certification requirements to remain static, especially when ISACA already says they intend to add an exam.  

I didn't say I question studying for an exam.  I said the idealist in me thinks you shouldn't have to.  I also said that's impractical in the real world.  Some certifications require experience, some don't.  ISACA and (ISC)2 do; CompTIA does not.  

Based on your comments so far, I'd guess you haven't considered the experience requirements for the CDSPE early adopters or the CPE requirements for ongoing certification.  To me it'd make more sense if you were criticizing those specific requirements when questioning the validity of being experience-based instead of only focusing on that there is no exam at this time.

I haven't seen anything that suggests ISACA thinks "anyone" with security experience "can do privacy."  No, security and privacy are not the same thing.  But there is certainly overlap and in many organizations the information security and privacy functions are held by the same section, office, or even some of the same exact people.  I've been in several organizations where that was the case.  That doesn't mean all IS folks are experienced with privacy, but I'd certainly expect a subset of them to be.  That subset is who I think this early adopter program really targets.  

Honestly, I just don't see why you're so troubled by this.  If you've spent any significant time working privacy you almost certainly know there is overlap with information security, yet you don't want to acknowledge that overlap.  Instead you're focused on not everyone overlaps.  Okay.  Sure. 

Hypothetically, if ISACA, were to say anyone with CISM or CISA will get first dibs on a new Python coding certification if they have the requisite experience, would all CISMs and CISAs qualify?  Nope.  Some certainly have no experience with Python, but it safe bet that some subset of those certificate holders can affirm and be verified as having Python coding experience.  That doesn't at all suggest that all CISMs and CISAs have Python experience.  Nor does ISACA's current offering suggest that all CISMs and CISAs have privacy experience.  

To me it sounds like you're just stuck on "no exam" and can't get past that, and that's okay.  Based on your concerns, it sounds like you just plain don't seen legitimacy in any non-exam based certifications.  That's fine.  Only time will tell if it has value for others.