CISSP certification: Are multiple choice tests the best way to hire infosec pros?

July 4, 2016

Want a job in infosec? Your first task: hacking your way through what many call the “HR firewall” by adding a CISSP certification to your resume.

Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.

“I give that bit of advice to listeners who ask me for career advice to get their foot in the door,” Jerry Bell, who runs the Defensive Security podcast and leads the internal security strategy team for a large global IT services company, told Ars. “Indeed [I do] describe it as getting through the ‘HR firewall.’ So, I suspect this is common advice given and used by many people.”

David Shearer, CEO of ISC2—trademark stylised as (ISC)²—the organisation that certifies CISSPs, told Ars that with more than 107,000 CISSPs in over 160 countries, the certification “has become almost a de facto standard for chief information security officers around the world.”
