Your CISSP point has an is/ought flaw. It would indeed be nice if there was a sticker you could look for on a candidate to know if they were qualified to do security work. But that sticker does not exist. The competence of candidates with the CISSP sticker varies wildly, all the way down to barely- computer- literate. Over time, the top end of that range is trending downwards, as well, so to the extent it's a signal, it's a negative signal. (It's such a weak signal that I wouldn't make any kind of decision about it. There are very smart people that have CISSPs.)