I've seen a few tweets over the last few days about #infosec certs being gatekeeping - and I agree with a caveat.
Today I had a call with an asshole manager who wants to hire people and he also took an "anti-cert" position. I think the truth is (as always) more complex (thread)
First, yeah, demanding new hires have a cert is gatekeeping. It really is. Demanding an expensive cert is, arguably, discriminating against people who are already under-represented. One of the themes in the twitter debate is that you shouldn't ask for SANS certs because of $$$$
Digression: I am biased. I believe they are 100% value for money even at full price. However, there are many options where you can get cert'd without paying ~$7k. WorkStudy or challenge the cert for around £1200. This puts them on a par with most other certs.
Anyway, I agree saying "you need cert X for this job" is gatekeeping, but I don't agree it is a consistently bad idea. Like lots of things, it can become bad, but that's largely at the hands of asshats who will make anything bad.
Realistically is there even a way to eliminate gatekeeping from the hiring process?
We can, and absolutely must eliminate some forms of it & minimise the potential for misuse, but at a basic level if you have 1 vacancy, you need some way to prevent all but 1 person entering.
So as an example - and more relevant to the asshole manager I was talking to today:
You want to hire a new security person for role X. You decide you don't think certs have value and you want to keep the applicant field wide open. Sometimes this is genuinely good.
Out goes the job advert and you get 100 applications. Initially, you think this is great but now you have to go through each one - with no short cuts remember because your idea is to assess each one as an individual. Let's say you give them 5 minutes each, that is 1 entire day.
But you persevere. Your paper sift has eliminated 60 of the applicants. You are gatekeeping and likely to have eliminated groups that are under-represented in your organisation because you've hired based on your biases. But this isn't always totally bad, so let's carry on.
You have 40 people to whittle down via an interview now. This is progress. Let's assume you manage to dovetail everyone so you can run them almost back to back - with 30 minutes before & after to prep/take notes. Now you've spent two weeks on this task alone.
If all goes well, you will have your actual candidate now.

Win.

However, you, as a manager burned through 11 working days to achieve this.

Your company may not view this as a win.
If you hire one person ever, this is still probably workable. Your HR department may be unhappy with your approach as chances are high that you aren't well versed with employment law and they will worry you've said/done something wrong. But it can be done.
Now let's change it. You are the manager of a team of 15 security people. Chances are most will stay ~2 years, so you are going through this a LOT. Probably in the region of 5-8 times a year. 10-16 weeks a year JUST ON HIRING. Nothing else.
This completely breaks down. If an organisation is prepared to pay you to spend 16 weeks interviewing for new security people, I am sorry to say but you work for HR, not security.
It is simply wasteful to use a security person in this way so it gets "outsourced."
This is where it becomes complicated.

You are an expert. You know what questions to ask and what key phrases to look for in a candidate's history. You know how to spot a bluff and where a bluff matters.

But you aren't selecting people any more.
Now you need someone in HR or an external recruiter to turn that 100 people into a significantly smaller number for you to interview. Ideally 2 - 3.
For entry-level roles you might get 200 applicants.
You need a way for the non-expert to whittle the list.
As an anti-cert advocate, you might suggest key phrases in the work history or previous employers who "add value" to a career.
After your 3rd interview, you will realise people lie like you wouldn't believe. Now you are interviewing 100% unsuitable candidates.
Now we come to the solution the world currently uses.

You need something where a 3rd party certifies that a candidate has achieved a predefined standard of ability.

What 3rd party you pick and which standard is your choice. But it is a cert.
You can be a lazy asshat and demand CISSP for entry-level roles, but that just shows your ignorance, not the candidates.

You can say you don't want "expensive" certs because you feel that reduces the ability for low-income groups to apply. But think carefully about this.
People make massive sacrifices to get a cert, degree, masters, whatever. Devaluing it isn't removing barriers. It's the same when I see people mocking particular certs because they are [easy|stupid|irrelevant]. This may be true for YOU but someone is proud of their achievement.
Telling someone from a super low-income background that they wasted $6k earning a cert is not being inclusive. Telling someone that the cert they spent months working towards is "useless" is not being inclusive.
So the upshot is that it is complex. Getting hiring right is hard work. If you take a simplistic approach it is probably wrong.
That said, you can't help but gatekeep. It's literally what you are trying to do. Find a way that works for your organisation.
If you are small enough to interview every candidate, do it - you might find some gems. If not, set realistic criteria. Don't ask for a CISSP for entry-level pentesters and don't make your SOC Analysts hold OSCP. Be sensible and be fair.
If you really aren't comfortable with this, have a way for URMs to bypass some of the filtering stages. This is a better way to be inclusive as it still rewards effort.

Caveat - make sure you have HR involved with all this.
Postscript: the discussion with the asshole manager wasn't me applying for a job - thankfully. I was trying to help him solve his hiring problems. I wouldn't work for him as an employee.
You can follow @tazwake.