What do you think this is?

Just thoughts of a restless mind...

(ISC)2 Learn - a new opportunity

In September 2018 (ISC)2 announced a Free GDPR course for members. What started as a single free course was very recently rebranded as the Professional Development Institute. The plans are for up to 30 (!!) new courses in 2019.

The courses

At the moment there are three courses available for free to (ISC)2 members. This is a great value provided by (ISC)2 and it is my understanding that they will be offered to be purchased by non-(ISC)2 members; a great thing although I could not confirm it.

I completed all three available courses and here is my review.

Building a Strong Culture of Security

Creating a Security Education, Training and Awareness Program is probably the subject out of the three I'm most familiar with. A SETA program tries to affect the organization's security and move it to a more security-sensitive one. This course lays down this concept very nicely. The content of this course was refreshing and engaging. I found it to be very well organized. Maybe the great course could be improved by having fewer webinars and more engaging content.

I would strongly recommend this course to anyone planning to start a SETA program. Not only will the knowledge provided help you build an effective and efficient program, but the discussion around cultural issues is also a perspective you don't want to miss.

GDPR for Security Professionals: A Framework for Success

I am quite familiar with GDPR but I followed the course with interest. I always suggested that GDPR is more an organizational / legal thing than a security one and the course confirmed my perspective. Due to my familiarity with the subject I didn't expect to learn much more. I have spent a fair amount of time with (ISC)2's webinars and articles that have appeared in the InfoSecurity Professional Magazine, so some content was duplicate for me. Still, the course provided interesting material and it nicely builds up the information to create knowledge. Some minor content issues do not much affect the quality of the course; I would recommend it to everyone who is starting a GDPR program.

Is it late for such a course? Maybe yes or maybe not. A lot of the content is "lessons learned" from others who have implemented GDPR, so not only do you get a plan to start working with, but also some knowledge about what has worked and what has not for others in their journey. My major objection is regarding the "knowledge check". These quizzes actually only check one's ability to find something in the regulation - I believe even a high school student could do that, so it doesn't add any value.

DevSecOps: Integrating Security into DevOps

The area of DevSecOps is the one I'm least familiar with out of these three. I found this course to be more polished than the others and more engaging. Obviously, due to my lower familiarity with the subject, it provided me with more information and knowledge than the other two. Unlike the other courses that build more than 30% of their content using (ISC)2 webinars and InfoSecurity Professional Magazine articles, this course does not. It utilizes a lot of content by external entities such as Puppy, Splunk and OWASP and seems to be better compiled.

I found myself mumbling several times "don't tell me! tell that to the developers". I will definitely use information from this course in my future engagements, but the fact is that I would like every DevOps person to attend this course so that we get to the same page without me preaching.


This is a great initiative by (ISC)2. I hope they do indeed offer these courses to non-members (or to associates / members without certification). There is great value there and one's experience / seniority level is not important; there are always subjects we could use more information about. I am eager to find out what other courses will be offered, and I'm sure that with the appropriate feedback any quality issues will be rectified satisfactorily.

We (ISC)2 members already had the Safe and Secure Online program, the excellent InfoSecurity Professional Magazine, the multiple events and webinars, the Vulnerability Central and others that I probably forget.

In my perspective (ISC)2 deserves every penny of my subscription. Even though there recently was a 50% raise (ouch!), I still think that the value provided is well worth the membership fees. I always recommend to my team members to plan ahead to be part of this organization. Now with this great extra offering, I will do so even more.