This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Over the next decade, the integration of machines and the experts who wield them effectively into the practice of law will dynamically affect the careers of both practicing attorneys and the legal support staff community. The power of certifications undeniably accelerates earning potential and vertical mobility, provides greater sustainability and job security, and produces lawyers who practice with the cutting-edge skills and foundational knowledge necessary to compete in today’s data-driven legal services landscape.
In this two-part article, we present the key paths and the corresponding certifications available for lawyers — and nonlawyers — to pursue to help successfully administer a career in the legal industry in the coming decade.
There is no word in 2018 that has shifted more aggressively from corporate to social consciousness than privacy. Privacy as a profession is not entirely new, but over the last year privacy has been in the spotlight like never before. Privacy professional positions are becoming a staple for any healthy corporate legal operation, an invaluable area to support and practice at a firm and a growing arena for legal service providers.
At first, privacy’s sudden rise was in reaction to the harsh consequences for failure to comply with the looming EU General Data Protection Regulation (GDPR) deadline (May 25, 2018) for companies conducting business in Europe. More recently, Facebook’s highly publicized relationship with Cambridge Analytica has intensified a populist demand for awareness and action related to how a company handles data privacy. Awareness and action, however, are two distinct modalities, and only one certification program has aimed at solving both the challenge of privacy education as well as privacy solution operationalization.
The Gold Standard
The International Association of Privacy Professionals’ (IAPP) certification program has quickly become the gold standard for employers seeking instant validation of an individual’s privacy expertise. The first step in becoming a privacy professional is to understand both the domestic and foreign rules and regulations. Under the umbrella of the IAPP, there are five variations for Certified Information Privacy Professional credentials: 1) Asia (A); 2) Canada (C); 3) Europe (E); 4) the U.S. government (G); and 5) the U.S. private sector (U.S.).
To get GDPR savvy, the CIPP/E is the certification to get. Accreditations from this certifying body are one of the first things hiring managers ask about when soliciting and evaluating talent for privacy-related roles, specifically data protection officer or chief privacy officer positions. The core regional CIPP certifications are IAPP’s way of addressing the “what and why” of privacy, with knowledge ranging from understanding laws, specific geographic regulations and scoped allowances related to potential penalties for compliance failure.
To address the more actionable aspects of privacy, the IAPP offers advanced certifications, including the Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) and Fellow of Information Privacy (FIP) designations. Operationalizing privacy concepts like “the right to be forgotten” can at first seem ethereal, but taking this concept into practice is exactly what the IAPP seeks to accomplish by providing a standardized approach and framework that professionalizes the industry. None of these advanced IAPP certifications are specific to GDPR guidelines, but they are mission critical to developing and maintaining any privacy compliance program. The CIPM and CIPT address ways to manage and be accountable for privacy within an organization, including putting together a team, documenting process and preparing for audit.
Marrying the CIPPs and the CIPM/CIPT becomes invaluable for those looking to be leaders in the privacy field. Attaining FIP, the highest status, means an individual has earned a CIPP designation and a CIPM or CIPT designation and has three years of work experience during which data privacy has represented at least 25% of one’s job responsibilities. It is worth noting that an information security certification from the International Information System Security Certification Consortium, or (ISC)2, ISACA, IEEE or other information security associations will satisfy one year of the experience requirement.
A Growing Field
The IAPP boast 36,000 current members, 12,500 of whom have passed and maintain at least one of their privacy certifications. The IAPP started 15 years ago with fewer than 300 certified professionals shortly after its inauguration, almost all of who were chief privacy officers and lawyers. Now, talent hailing from all areas — from human resources to government officials and lobbyists — are rushing to become certified, because privacy is becoming an operational component of how businesses run and how new laws and policies are being created, adjudicated and litigated.
Privacy is a ripe area for lawyers looking to change their professional path, do something new and evolve their legal careers. Privacy is also an area that may commoditize quickly. The GDPR buzz may be a fad or a forever, and whether or not this trend subsides after May 25, 2018, will determine the sustainability of the spike in demand for privacy professionals currently raging through corporate America, the Am Law 200 and the global consulting firm community. One indication of privacy’s early onset commoditization is the increased utilization of contract consulting talent by all aforementioned hiring authorities.
Contract staffing and engagement of independent consultants is often an early indicator that a vertical is moving toward consolidation or commoditization. The IAPP has seen registration numbers in the last 12 months for the CIPP/E exceed its flagship offering, the CIPP/US, and new registrations could potentially double its certified membership base by 2019. That influx of certified privacy professionals into a job market hungry for GDPR expertise has allowed organizations to augment their human capital with talent-on-demand. Exacerbating this trend toward contract privacy professionals is the disconnect between many corporations’ valuation of privacy positions versus the individual privacy experts desired bill rate and compensation.
A Look at Compensation
Since 2005, the IAPP has been conducting a biannual salary survey, and the results are compelling. According to the surveys, the average base salary of a privacy professional has always gone up — until 2017. Additionally, the average mean has gone down in the most recent survey — from $145,000/year to $123,000/year in the United States. The reason for this decline is that in the past, privacy was practiced by few attorneys at even the largest Fortune companies. Today, privacy has expanded to include more personnel, causing an industry-wide reduction in mean salaries, collectively. Consider that Facebook alone has over 200 full-time privacy professionals on staff. This is a testament to the growth of an industry, and there are undeniably more privacy jobs available than ever before for new entrées to the vertical; however, the rate of pay may not be accelerating uniformly across all levels of privacy expertise.
Notably, the IAPP’s 2017 salary survey also records the average base compensation of a U.S. data protection officer at $148,000/year in the U.S., €95,800/year in the EU and $72,400/year in Canada. For seasoned job seekers deeply proficient in privacy, this is extremely low. Yet for some corporations, this feels aggressively high, especially for those that have never had a DPO and see the cost of privacy talent dropping more broadly in the survey.
As a result, organizations are exploring contract talent augmentation at a lower annual rate of spend for the corporation, but a higher temporal rate for the individual expert. These augmentations can be hourly (rates may vary from $150/hour to $400+/hour depending on scope, skill and time sensitivity), in the form of annual managed service contracts (DPOaaS) or more simply flat-fee pricing for allocated time commitments (six weeks to six months). All of these models share the same assumption: the privacy contractor’s services are not needed 40+ hours per week, 52 weeks a year. Ultimately, these contractors are required for significantly less time and can handle multiple privacy contracts concurrently.
If this trend continues, certifications in privacy will become even more valuable, if not required, by hiring managers. In any contract-centric staffing market, certifications become the primary mechanism for employers to immediately distinguish and validate skill sets related to the desired expertise. For privacy, the IAPP has quickly cornered the market and its certification programs are what separate instant client interest from skeptical consideration based purely on previous experience.
Though there are many other similarities, this nuance is one element that privacy, and the contractors within it, absolutely share with the much more commoditized (though more matured and expansive) legal vertical known as e-discovery.
Far from dead and hardly yesterday’s news, the e-discovery industry continues to be flush with opportunities, specifically for the middle-market talent in its ecosystem. Electronic discovery, unlike privacy, has not benefited from mainstream media’s adoption of its vernacular. Where privacy is becoming a word the average American understands and feels affected by, e-discovery remains a term primarily used within the legal community. However, e-discovery has been maturing as a profession and industry much faster and for far longer than privacy, cybersecurity, AI or blockchain.
As a result, hiring managers increasingly desire to strategically utilize contract staffing to supply the additional layers of service required during the peaks and valleys of high-intensity litigation. This keeps overhead costs at a minimum during what is considered normal transactional business patterns. With the e-discovery industry commoditizing on talent, as they have with processing/hosting/review, certifications have become essential for individuals looking to distinguish themselves in a sea of professionals fighting for full- or part-time opportunities.
Just as the IAPP currently dominates as the accepted certification standard for privacy, the Association of Certified E-Discovery Specialists (ACEDS) enjoys a position as the singular source for functional domain certification in e-discovery. The ACEDS, a BARBRI professional association, is a non-tool-specific educational certification program with a core purpose to educate and elevate those desiring to validate their skills and knowledge in the e-discovery space. Lead by industry luminary Mary Mack (who also boasts other functional domain certifications like the CISSP, explored later), ACEDS has grown from hundreds of members in 2010 to thousands of members in 2018.
The ACEDS program requires a biannual recertification, which is aimed at keeping everyone current and also connected. Like the IAPP, ACEDS’s mission is not just education, but also social networking and professionalization of a community. Participation in ACEDS is meant to be ongoing and intended to cultivate careers over long periods by constantly providing timely resources for professional development. However, hiring managers in e-discovery, unlike privacy and other aforementioned legal technology niches, place a significant importance on not just functional domain certification but also software-specific certifications, namely in Relativity.
There is no denying that Relativity (kCura has now rebranded based on its core product) is the dominant technology used for hosting and review in the e-discovery industry. The flagship certification in the Relativity portfolio is the coveted Relativity Certified Administrator (RCA). In 2012, there were only 239 professionals in the world with an RCA. There are now over 1,700 RCAs in the global e-discovery workforce. This massive acceleration in accreditation of the community in one specific product has focused the evaluation and hiring of talent largely on the skills associated with that technology. However, only 1% of global users hold an RCA. While the unique value and professional leverage the RCA has for its certified users and their employers are far from diluted, more and more attention is being drawn to specialties in the Relativity certification ecosystem.
Where the RCA was once an assurance of differentiation that equated to potential for a higher compensation or billable hour to a client, the RCA is now broadly considered the foundation of expected proficiency to win business and better job opportunities. The power to clearly stand out as an individual or an organization will soon lie in the advanced certifications being offered in several core areas of niche expertise.
There are a total of seven Relativity specialty certifications available to users (note some of the acronyms are unofficial, though often used on resumes): Relativity Certified Sales Professional (RCSP), Relativity Certified User (RCU), Assisted Review (RAR), Analytics Specialist (RAS), Processing Specialist (RPS), Infrastructure Specialist (RIS) and Project Management Specialist (RPMS). Combining an RCA with two specialty certifications earns you an “Expert” status. Combining an RCA with four additional specialty certifications earns you a “Master” status. The RCSP does not count toward Expert and Master status. Talent openly markets their Relativity (and CEDS) certification holdings on resumes and LinkedIn profiles with the certifications placed proudly after their name, much like an esquire for attorneys. Being Joe Smith, Esq., is great, but being Joe Smith, RCA/CEDS/Esq., is far more powerful.
Relativity has added many new specialty certifications in recent years to help professionals not only use the tool better, but also draw connections to the larger concepts previously reserved for functional domain training and certification. For example, Relativity now has a Project Management certification intended to integrate the EDRM from a Relativity perspective. This means the designation distinguishes itself from the RCA by focusing on the process for engaging users on the proper applications or utilizations of the software based on real-life hypotheticals that demand a command of Relativity workflow.
Relativity has also integrated processing of data into their technology to compete with other popular processing tools and their corresponding certifications, like Nuix, LAW and Venio. Relativity has an analytics specialty certification to compete against tools and certifications like Brainspace.
The most significant takeaway while maneuvering through the sea of software certifications available in e-discovery is that, for better or for worse, hiring managers who are looking for plug-and-play skills will almost always use software certification to quickly parse talent, especially for contract opportunities. In a study conducted by TRU Staffing Partners in 2017, about one-quarter (26%) of the candidates submitted to jobs asking for Relativity experience had an RCA. Almost one-third (31%) of the candidates who then received interviews had an RCA, and a whopping 40% of the candidates who received offers for these jobs had an RCA.
It is important to note that a software certification like the RCA is not a replacement for a foundational certification like CEDS. Instead, these certifications complement each other. However, if you are an e-discovery professional looking to transition out of e-discovery exclusively and into a tertiary discipline like cybersecurity, there may be more synergy and parlay ability through broader functional certifications than tool-specific ones. Part Two of this article will explore the exploding arena of cybersecurity, where there is currently a 1.5 million-person talent gap in supply versus demand. Professionals in e-discovery and privacy may be ripe to transition into security. Part two will also provide a road map on what certifications can assist an individual or organization reinvent or repurpose its talents.
Jared Coseglia is the founder and CEO of TRU Staffing Partners, an Inc 5000 Fastest Growing American Company 2016 & 2017 and National Law Journal’s #1 Legal Staffing Agency. A member of our Board of Editors, he has over 15 years of experience representing thousands of professionals in e-discovery and cybersecurity throughout the world. Contact him at firstname.lastname@example.org.