Hello H1t M0nk3y,
A resounding YES to your question: Is the GSE worth the time/money/effort?
I didn't do it for the glory, fame or to get a pay rise. I did it to learn and wow, did I learn.
I’m one of ziggy_567’s generalists, pretty much focused on the defensive side, but there are some super smart offensive guys that are GSE’s, so it is up to the person taking the exam to work out the personal value. The people taking the GSE with me were a very diverse group. The only real definition I would place on them is they are all driven, seasoned security professionals with a desire to test and push themselves.
I’ve got a number of other qualifications and always on the lookout for inspiring trainers and courseware to make me want learn. The GSE is a long term goal, rather short to mid-term one, so by all means take and excel in CEH/CISSP/CISA/GPEN/OSCP/CCNA etc, but once you completed them it is great to have somewhere else to aim for, should that be the path you want to follow.
As a career advantage, it definitely helps you stand out. If you’re going for a security role and the interviewer doesn’t know what a GSE is or says about your abilities, then I’d suggest you’re applying for the wrong role. Again this is a big picture, long term career certification.
My simple analogy; this is a CCIE/MBA for the security industry that is recognised as hands on ability. SANS is market leader for corporate security education and for good reason, in my opinion, so this level of testing and certification isn’t for everyone. Other companies may come along and offer similar levels of exams, and I hope they do, but the security industry needs to have clear examples for non-industry people to differentiate ability and knowledge.
I know enough networking folk to realise that certs don’t make the engineer, it’s skill, knowledge, ability and experience that do. Practical exams test those four areas, so you prove firsthand that it’s not book or braindump smarts, and that’s praiseworthy in my book. The GSE has a soft skills component, so while it is a very technical exam, being a back office, exploit-coding god without impersonal skills means you’re likely to fail. It is vital to be a good, or even great, communicator as a security professional or your message fails on uncaring ears and you fail.
Money is a big issue, but I’d say any taught education costs. Once someone else stops paying for your education, you really have to be motivated to expend time and energy never mind the money. SANS is focused toward companies and organisations willing to pay for good training, so hopefully work will pick up the tab for most of the training. If you’re doing this out of your own pocket, do what I did – apply as a SANS work study volunteer: http://www.sans.org/security-training/volunteer.php
I hope that lots of people step up and challenge the GSE exam, to better themselves, continually push the industry to keep current and give others something to aim for being. Like anything the more people that are GSE’s the more they’ll be in demand. Cisco’s CCIE program started in 1993, considered as one of the hardest exam certifications, has over 22 thousand certified CCIEs nearly twenty years on. You decide if this is due to people want to excel and prove their skills or market demand. Or both :-)
A minor correction to your original post, there’s 29 people who are GSEs - now ;-)