DONE: GCIH - What's Next?

valbizuresjr81valbizuresjr81 Member Posts: 14 ■□□□□□□□□□
Thanks to everyone who commented on my last post and congratulated me on the recent pass. Feel free to send me any messages if you have specific questions.

Now What? - I've been studying for the past month and I feel empty not having to force myself to do research. I spoke to my boss after passing the exam and he proposed a tempting offer.


We've been looking to change our QSA/ASV and have been getting quotes from a couple of companies. 3 years of full PCI testing - ASV quarterly scans, internal/external/site pen testing and remediation recommendations.

Price Tag: $180k+

Bosses Offer: Continue to get certifications and hone my skills so that I can perform some of the requirements myself. In 3+ years hire a security analyst to assist w/ my current job requirements which include:

Vulnerability Management
SIEM Management
Anti-Virus / Integrity Monitoring
WSUS Updates
Firewall Administration

So where do I go from here?

I'm currently Network+, GCIH certified. (Note: I feel like I skipped Security+ / GSEC)

Question #1 - Should I go after GSEC? Would it be worth getting in order to solidify my understanding of security best practices?
Question #2 - GPEN, GWAPT? Which one is harder? Should I take one before the other?
Question #3 - OSCP? I keep hearing this being thrown around recently as a trusted certification? Should I wait until after GPEN, GWAPT?

If I'm going to take my boss up on this offer, my goal is to become an ISA w/ a solid Pen Testing background by March 2016. I need to create a roadmap for him so I'm looking for advice of those who have walked this path before me.

Thanks in advance for your input.


  • LionelTeoLionelTeo Member Posts: 526 ■■■■■■■□□□
    If the company is paying for courses, take GPEN. OSCP is inexpensive and can be paid with own pocket money. GWAPT can be challenge. Although GPEN can be challenge as well, you can use the GPEN materials to reinforce your knowledge for OSCP.

    Career wise, aim for company that recognize OSCP or Web Application Penetration Testing, if a company don't look or recognize for either of this, there is a probability that they had mixed up vulnerability assessment role with penetration testing.

    I would recommend GCIA as it actually offers the best ROI in terms of books, course ware and good salary gain. However, if you are interested in Penetration Testing, then you should head directly for GPEN OSCP route and skip this.
  • zxbanezxbane Member Posts: 740 ■■■■□□□□□□
    I can't give my advice personally since I am not in this line of work but I just wanted to say this sounds like a great opportunity for you to pursue your goal while using the financial support of your current employer. I would recommend listening to posters like LionelTeo and NovaHax, they seem to be very knowledgeable about this career field.
  • ansel1261ansel1261 Member Posts: 24 ■■□□□□□□□□
    I personally feel that if you have your GCIH , that the GSEC is a step backwards and so does SANS. GSEC is a 400 level course GCIH is a 500 level course. If you are going to go for a general cert with a GCIH, go for the CISSP.
Sign In or Register to comment.