We are celebrating the 20th anniversary of the GIAC Security Expert (GSE) certification this year! As someone who has been a fan of GIAC/SANS for more than 20 years and lucky enough to be an employee for almost 18 of those, now seems like a good time to discuss how the GSE has evolved since it was introduced.
After a trip through the Wayback Machine, I unearthed a couple of blog posts about how the GSE got its start in 2003:
Introducing the GSE, from David Hoelzer (GIAC Director at the time)
I still remember the moment I read that second post from June of 2003, because I was studying for my GSEC at the time. I thought to myself, “Wow – Lenny and John are nothing less than modern day heroes! What a wonderful achievement! What a wonderfully difficult and complex thing the GSE must be – I cannot imagine!”
A few years later, I found myself working at GIAC and tasked with helping to create the next version of the GSE— for me, a dream job with a Herculean challenge!
The GSE went through many revisions from 2006-2019. The earliest of those were on the rough side compared to where we ended up. The labs got better over the years as the technology and talent got better. I earned the GSE myself in 2013 when a new version of the lab was introduced. By the end of 2019, we had six GSEs on staff and GIAC had certified 255 GSEs over the course of 16 years.
However, as the industry grew and evolved, the GSE wasn’t scaling well. Those relatively few candidates who were willing to deal with the logistics of a live lab that only ran twice a year at SANS US-based conferences had to wait 45 days for their lab results. We tried to grow the program to meet demand, but there were ever increasing logistical and technical challenges with delivering a live lab, and we were worried about scaling the quality.
And then 2020 happened and the entire world was locked down. COVID kept GIAC from running a live lab in 2020 and 2021. All that time, we were building a backlog of unhappy candidates to whom we could not deliver a live lab. Would this spell the end of the GSE program? Some thought so.
Yet, most of us felt that GSE must go on. The simple fact is a far greater percentage of GSEs have gone on to be thought leaders and difference makers in cyber security than any other credential. What could be more in alignment with our mission at GIAC/SANS than that? All of us who had skin in the game (held the GSE) felt that the GSE must survive, and so we began to innovate and think about how we might be able to deliver a lab remotely – not only to solve for COVID, but maybe to solve for scaling problems for the future of the program.
Many GIAC employees are very technical, with extensive backgrounds in cyber security. We have often come up with CyberLive content (GIAC’s hands-on practical testing environment) that is too difficult or too challenging to use for standard GIAC certifications exams. That got us thinking… What if we set our most technical people free to create GSE-level content in the CyberLive environment? Could we create GSE-level content in CyberLive?
After some internal debate, senior management gave us permission to try it. After all, we had to do something to flush the backlog in the GSE queue. Without doing something, the alternative would be effectively pulling the rug out from under all of those who had been waiting since COVID shut things down.
By the end of our experiment, we created the best, most difficult content to appear on any version of the GSE... ever. We alpha tested the content internally with existing GSEs, and we all thought it was at least as difficult as the old lab while being better, more thorough exams to boot. We then beta tested throughout all of 2022, using two very large cohorts from the existing GSE queue. The content performed even better than we imagined, both statistically and psychometrically.
Satisfied with the content of our new GSE lab, we went back to an idea that had previously been on the table to address two primary concerns:
Existing GSEs felt like there were not enough of them for the credential to have enough presence in the market to make a difference. They wanted us to figure out how to market the GSE, and that also meant we had to be able to scale it.
People who never attempted the GSE, including many SANS instructors, felt like it wasn’t relevant to them or their career path. Penetration testing, digital forensics, and cloud security were not part of the content, and there was no room for it to grow.
We realized that we could create GSE-level content for any technical domain where we already have a CyberLive certification. We don’t have to be limited to those older domains that gave rise to the content in the old GSE lab. The field has changed in 20 years, and it was time the GSE changed, too.
Furthermore, it is no longer possible for a single person to be an expert in every aspect of cyber. The challenge we were now left with was: how can we add new content to the program as we go forward in a way that protects the spirit of the GSE? This brings us to the genesis of the Applied Knowledge exams (noted with the letters “GX-”, which stand for “GIAC Experienced”).
The idea here is that a true expert (at least in the GIAC/SANS sense of the word) has real hands-on chops and will be able to demonstrate technical depth in multiple areas of cyber security. The exact areas don’t matter as much, as those change over time. What matters is being able to demonstrate the ability to solve hard problems that exist in our field.
Each Applied Knowledge/GX- exam is a potential component of a new and improved GSE lab that can be delivered remotely. After all, required GX- lab components (depth) and Practitioner certifications (breadth) are earned when the GSE is awarded. While our initial launch includes three already-released Applied Knowledge exams, we intend to release more Applied Knowledge exams as we go forward in time. Each one will cover GSE-level content in a different domain, allowing experts to create a GSE that matches their own career, while also ensuring that those who earn the GSE are the best in the field.
In the end, the outcome of the changes is a GSE that is more robust and flexible than ever before. Both the data and my 18+ years of experience with the GSE and testing support this. Now take a look at the below tables comparing the Fall 2019 version of the GSE lab to what we are offering going forward:
Requirements
| | GSE Pre 2020 | GSE as of 2023 |
|---|---|---|
| Lab / Applied Knowledge Exams | 1 four-part lab required (15 hours) | 4 four-hour exams required (16 hours) |
| Entrance Exam | Required | Not required |
| Practitioner Certifications | 3 - 6* | 6 required |
*Note: Previously, Practitioner Certifications could be substituted for Gold Papers and vice-versa, so the minimum was three Practitioner certifications plus two Gold Papers.
Content
| | GSE Pre 2020 | GSE as of 2023 |
|---|---|---|
| Labs | Focused on advanced, technical content built on a superset of GSEC, GCIA, and GCIH | Focused on advanced, technical content built on a superset of GSEC, GCIA, GCIH, GCFA, GPEN and more |
| Difficulty | Very, very hard | Very, very hard - in fact a bit harder than the historic lab |
| Incident Response Report | Required – 25% of lab time | None – Replaced with hands-on, technical content |
| Updates/Currency | Manual labs were difficult and time consuming to update, so updates weren’t done very frequently | Content can be added/removed easily, which allows the new exams to be much more current with changes in the field |
| Exam Length | Way more tasks than most people can fully complete in allotted time | More tasks than most people can fully complete in allotted time |
| Feedback | None solicited or accepted other than occasional one-off e-mails | Ability for candidates to comment on each item; comments are tracked just like standard exams |
Testing Logistics
| | GSE Pre 2020 | GSE as of 2023 |
|---|---|---|
| Delivery | Candidates must travel to a live lab offered only twice per year | Proctored live and online |
| Availability | Lab limited to 30 individuals 2x per year | Virtually unlimited capacity |
| Convenience | Somewhat challenging to extremely challenging, depending on candidate’s lifestyle and location in the world | Much easier for all |
| Results Notification | Emailed 45 days later | Automated, near instantaneous |
| Risk | With the old lab if you were very good in some areas but not quite at the GSE level, you got nothing for all your effort, time, and money | With 4 distinct exams replacing the lab, if a student excels in some domains but still needs to improve in others, they can be recognized for where they are already excellent as they continue to improve their skills in other areas |
Quality
| | GSE Pre 2020 | GSE as of 2023 |
|---|---|---|
| Test Reliability** | Relatively low due to low number of scored items | Much higher due to higher number of scored items (25 per domain) |
| Scoring Consistency | Errors, subjectivity, and bias possible due to manual scoring and written report | Automated scoring is state of the art in consistency |
| Psychometrics | Limited item performance data had to be tracked by hand | Reliable and built-in just like every other GIAC exam |
| Versioning | Relied upon an individual with golden VM images | Centrally managed and built-in just like every other GIAC exam |
| Inter-Rater Reliability | Inherent concerns with written report and manual scoring of lab exercises | No concerns with automated scoring |
| Lab Testing Consistency | Occasional problems in the live lab environment with hardware, software, or cabling caused an inconsistent experience for a minority of candidates. Although accommodations were made onsite, this was suboptimal | Our CyberLive lab VM images are stable and reliable, ensuring that every candidate gets the same experience |
| Test Environment Risk | We never had a catastrophic failure where we had to send everyone home, but that risk was always there. We did have several complete failures of the lab at the individual level over the years. Those poor souls went home empty handed (other than a free ticket to the next lab offering) | Catastrophic failure risk is minimal, and if there is an Internet outage, standard GIAC policies apply |
**Test reliability is the definition of how consistent a measure is of a particular element over a period of time, and between different participants. https://www.psychometrictest.org.uk/test-reliability/
Market Presence
| | GSE Pre 2020 | GSE as of 2023 |
|---|---|---|
| Relevance | Limited to the cyber defense focus of original pre-requisites (SANS retired one-third of those original six courses) | Designed to scale as technology changes; as we introduce new GX- exams no technical person in cyber will be able to say the GSE can’t be tied to what they do |
| Scalability | Limited by the size and number of live labs we could offer | Limited only by the number of people who have the skills to pass the exams |
| Difference Maker | Although many GSEs went on to make big names for themselves in cyber security, their meager number limits how much good GSEs can do | More experts in the fight will be able to win more cyber security battles |
| Market Awareness | The GSEs who certified on this version often complained that most employers are not aware of what the GSE is | With scale limits removed, we can now educate the industry on how GSEs can help improve security teams |