The GIAC Security Expert (GSE) is, from what I understand, the hardest certification to obtain from SANS/GIAC. In order to get it, you have to earn several other certifications, including "gold" ones where you have to write research papers.
http://www.giac.org/certifications/gse.php

But if you look closely at the link above, it seems that only 22 individuals currently have this certification, compare to tens of thousands owning a "normal" SANS/GIAC cert. This is obviously a very big cert to have!

But other than for personal knowledge, is it worth the time/money/effort? What if you put your energy on, let's say, CEH/CISSP/CISA/GPEN/OSCP/CCNA? I know these certs serve different goals, but combined, they are probably as time consuming than GSE.

It seems to me that, although owning a GSE (and all its sub-certifications) would be very good, having other certifications may be better for you because they are more "known" by employers.

Obviously, it all depends on what is your goal with certs. But I think that for most of us, it is to help us find the job we want to do.

What do you guys think?

That is certainly true!

But if you compare other certification paths, is it that valuable? Again, only 22 guys have it right now...

@mambru: I understand GSE very well and indeed, it's quite a achievement! But at the same time, it requires a fairely big chunk of your life. For a pentester for example, would it be better to follow another path?

and a big chunk of your economy as well

I don't agree with ziggy_567, IMHO GSE is a valid path for a Pen Tester. You could achieve it through certs like GPEN, GWAPT, GAWN, GREM which comprise essentials topics for a Pen Tester.

I'll be attempting this in 2011 with a (now ex-) coworker of mine. We're starting to put a blog together with notes, lab setups, sample captures, etc. It's mostly just rambling at this point though. I have a month or two of college classes I have to wrap up before I can commit a lot of time to it, but I'm going put an enormous amount of time into it starting in December or January. I'm pursuing this primarily because it's 1) a challenge, and 2) once you obtain it, you can renew all your GIAC certs by passing the GSE written exam once every four years.

Chris Mohan took a stab at it this year, and he's posted some thoughts on his blog: www.chris-mohan.com I can only imagine how excruciating the 30-day wait would be, ugh...

With all due respect, that is a very personal question! 

Like dynamik, I think it would be worth it for the challenge of it and the fact that I don't have to renew ALL my GIAC certs. All I have to do is pass the written every four years.

@dynamik

Please don't misunderstand me.  I'm not saying GSE can be build upon pen testing certs exclusively, I know GSEC, GCIH and GCIA are the core for GSE, but you can include GPEN, GWAPT, GAWN, which are directly related to pen testers. And GSEC, GCIH and GCIA comprises the basic skills any security guy should have, even a pen tester.

That's why I think GSE is worth the effort, personally I don't pursue certs because their renown, but because what they offer to teach me and skills I can acquire.

Hello H1t M0nk3y,

A resounding YES to your question: Is the GSE worth the time/money/effort?

I didn't do it for the glory, fame or to get a pay rise. I did it to learn and wow, did I learn.

I’m one of ziggy_567’s generalists, pretty much focused on the defensive side, but there are some super smart offensive guys that are GSE’s, so it is up to the person taking the exam to work out the personal value. The people taking the GSE with me were a very diverse group. The only real definition I would place on them is they are all driven, seasoned security professionals with a desire to test and push themselves.

I’ve got a number of other qualifications and always on the lookout for inspiring trainers and courseware to make me want learn. The GSE is a long term goal, rather short to mid-term one, so by all means take and excel in CEH/CISSP/CISA/GPEN/OSCP/CCNA etc, but once you completed them it is great to have somewhere else to aim for, should that be the path you want to follow.

As a career advantage, it definitely helps you stand out. If you’re going for a security role and the interviewer doesn’t know what a GSE is or says about your abilities, then I’d suggest you’re applying for the wrong role. Again this is a big picture, long term career certification.

My simple analogy; this is a CCIE/MBA for the security industry that is recognised as hands on ability. SANS is market leader for corporate security education and for good reason, in my opinion, so this level of testing and certification isn’t for everyone.  Other companies may come along and offer similar levels of exams, and I hope they do, but the security industry needs to have clear examples for non-industry people to differentiate ability and knowledge.
 
I know enough networking folk to realise that certs don’t make the engineer, it’s skill, knowledge, ability and experience that do. Practical exams test those four areas, so you prove firsthand that it’s not book or braindump smarts, and that’s praiseworthy in my book. The GSE has a soft skills component, so while it is a very technical exam, being a back office, exploit-coding god without impersonal skills means you’re likely to fail. It is vital to be a good, or even great, communicator as a security professional or your message fails on uncaring ears and you fail.

Money is a big issue, but I’d say any taught education costs. Once someone else stops paying for your education, you really have to be motivated to expend time and energy never mind the money. SANS is focused toward companies and organisations willing to pay for good training, so hopefully work will pick up the tab for most of the training. If you’re doing this out of your own pocket, do what I did – apply as a SANS work study volunteer:  http://www.sans.org/security-training/volunteer.php

I hope that lots of people step up and challenge the GSE exam, to better themselves, continually push the industry to keep current and give others something to aim for being. Like anything the more people that are GSE’s the more they’ll be in demand. Cisco’s CCIE program started in 1993, considered as one of the hardest exam certifications, has over 22 thousand certified CCIEs nearly twenty years on. You decide if this is due to people want to excel and prove their skills or market demand. Or both :-)

A minor correction to your original post, there’s 29 people who are GSEs - now ;-)