I have been grappling with which IT Security Certification path to take for the past few months now. So when I came across this article I had to take a minute and read it. Incidentally I found this article while reading one of my favorite boards. I am what you would call a newbie to the world of IT Security. And so far I have done the following CEH(Certified Ethical Hacker), OSCP(Offensive Security Certified Professional) and the GPEN - Network Penetration testing.
Having completed the above courses, I now find myself at a cross roads and am uncertain which way to go. What I do know however is that I want to go further down the IT Security rabbit hole. So given my current state of affairs, that of being indecisive, I turned to a few friends for advice. These guys are seasoned IT Security professionals and I hold them in high esteem. Sure enough as the author mentions, they recommended that I do the CISSP, CISA and CISM. Nothing wrong with that, however I don't think I want to tackle those just yet. My inclination is more towards the technical side. I would really love to delve more into the hands on stuff. I am simply fascinated by the work of people like Jerimiah Grossman, Robert Hansen aka @Rsnake to name a few. And would would greatly love to pursue a path along those lines. Eventually starting my own consulting business.
The Y approach seems like something worth looking into given my intentions. As in the end, I want to achieve the best of both worlds i.e. managerial and technical certifications. For now though I will be trying to get some more technical certifications under my belt. I am currently eying the Sans GWAPT - Web Application Penetration Testing. Having come from a developer background this has definitely peeked my interest. The OSCE(Offensive Security Certified Expert) also looks interesting. I must admit that I am leaning towards the Sans certifications track, maybe ending up with the GSE. Sans has some great offerings. But they cost an arm and a leg and would probably require me selling my soul.