Man, if we have to vet CPEs, we have problems. There are so many opportunities in a year that if you get anywhere near the minimum, it is only because you don't want the administrative headache of tracking them.
Maybe ISC2 should vet it's CPEs more comprehensively - or have rules like no product name, and show multiple references in the press for the issue you want to talk about?
Yeah, case top point I lapsed my CISSP the first time around because I was very busy and had better things to do than track them. There is a huge opportunity, it's just how do you verify the quality of what's submitted and whether people were taking it?
When I say 'it's CPE's' I speaking more about the ones offered by ISC2 itself - just as an example rather than getting just one vendor or a vendor plus auditor to speak you could ask for people from 2-3 vendors in the same think about the problem generally and avoid spin/positioning.
Each January, I do 40 hours of webinars. That gets me in the compliance zone no questions asked. After that my DOD job requires me to do quite a bit of training each year. I also drive myself to obtain whatever cert I think will keep me on the leading edge of the IT/IA industry. This year,(2018) my CISSP CPEs are at 120 hours. That's above normal, but I frequently hit close to 100 hours. I may have to take two rather long classes totaling 80 more hours before this year is over 🙂
Having three, two of which overlap, CISSP and ISSAP with the HCISPP being a bit of an outlier means having to watch things a bit more closely. Generally I do the bi-monthly quiz and whatever webinar(s), SANS course work and "other" category training I am doing is generally more than sufficient to keep everything up to date.
Ironically, the hardest part is finding Healthcare security training worth my interest and can be difficult to find such that meets my own learning goals.