CISSP certification: Are multiple choice tests the best way to hire infosec pros?

Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.

"I give that bit of advice to listeners who ask me for career advice to get their foot in the door," Jerry Bell, who runs the Defensive Security podcast and leads the internal security strategy team for a large global IT services company, told Ars. "Indeed [I do] describe it as getting through the 'HR firewall.' So, I suspect this is common advice given and used by many people."