I find this feature of our certification renewal, and not just the 40 points, drives me to push the envelope.
Do you have a monthly goal? 10+ 20+ 30+?
The underlying question is really, "How hard do you push yourself to be at the top of your game in this field?"
I prefer taking up training for myself and do training for others, read the Info Sec magazine, and engage in other ways to get CPEs and also how to improve to deliver the best.
It really depends. One year I had a lot of job turmoil and moving houses to deal with so I only got the minimum that year. If I take 2-3 masters courses then I easily have 90 right there. If I know that I will not be able to attend school then I work to earn some every month. I try not to let a qtr of the year go by without earning something AND more importantly submitting them.
I keep a folder with some kind of printout in case I get an audit request for a particular CPE.
Ha. I keep an audit folder too. Security people right?
I like being pushed and I use these cert renewals to motivate me. Because sometimes life doesn't naturally provide that motivation.
It's good to have some padding, in case some are invalidated, because, oh I don't know you turned up for class tired and emotional.
But I'd generally try to treat them like Strunk and White and keep them down, brevity the soul of wit etc.
In the interest of the threads reporting last year with ISC2 I submitted 45 A and 48 B.
Given the responses so far, I tend to fall on the low side - usually just a little more than the required. I'm sure if I thought of every possible CPE, it could be a lot more. Good security folks are always learning and to some extent always teaching, which I think is part of the thinking behind the CPE. However, a good CPE on paper isn't always a good CPE in practice and vice verse. Particularly vendor presentations are quite suspect. I probably have at least 40 hours of just vendor time a year, but rarely do I count any of it as CPE. Most vendors I find to be selling snake oil. Some vendors are very good and educational, but usually the education only happens after the presentation, when you get past the marketing drivel, but again, I find most vendor presentations to almost fall into the category of anti-education, often simplifying a problem and overselling their solution.
But what if your snake is like really, really rusty...?
Yeah, this I think is a challenge. Despite working for a vendor, I tend to find little value in vendor presentations for education because mostly they are sales pitches, and are just being repurposed for CPEs. Now that's not to say that they are bad per se(a world with no sales or marketing people would need to radically shift its economic model or we'd all starve), but it does mean there is an enormous amount of assertion and the message is the less interesting 'we fix it', rather then 'this is how you might approach it'.
The problem statement tends to be at the front and sometimes it's useful, but more often than not it's specific to the solution.
Maybe ISC2 should vet it's CPEs more comprehensively - or have rules like no product name, and show multiple references in the press for the issue you want to talk about?