I graduated last year from an Informatics and Security degree program. This program was taken in a Canadian college. It equipped me with the basic security knowledge in all fields; networks, systems including both Linux and Windows, web applications and so on. We had extensive hands-on experience on penetration testing, setting up services in Linux such as DHCP, DNSSEC, web servers and forensic tools. We also learned how to audit Windows environments and how to learn basically any tool that has security intentions. Technically, this program gave me the understanding of security, governance and the technology.
Now I work in a company where I am the only security guy in the company. I hold the position of IT Security Engineer. This is what I generally do:
- develop and design Windows standards and GPOs upon best practices
- set up and manage web-filtering and proxy solutions
- implement and manage endpoint protection and spam filters
- write security policies and standards for everything (web applications, network, physical security, password, acceptable use ...etc)
- involve in designing the authentication mechanism via web, phone and in-person
- suggest design in secure automation of daily business processes
- helpdesk support when needed
As you can see, it is a wide-range fields that I am working with. I feel that I am being overloaded and I am losing focus on which path should I take. My manager sent me to ISO27001 LI/LA training and I passed both exams. Hence, I am ISO27001 Lead Implementer and Lead Auditor certified. This training has taken me into the governance side of Security. I love security and all of its part, however, I believe I am still young and would like to keep doing technical stuff, as I will get to the governance/managerial position later in my life when gaining possibly CISSP, CISM and so on.
Now I feel I can't be totally dependable in one major task. For example, I know how to build basic AD, DNS, Exchange, SQL, VM environments. I know how to perform basic penetration testing using Backtrack/Kali Linux and get the report done. I understand IPS/IDS technology but never had extensive hands-on with them. I am getting lost seriously.
I don't believe I want to go with network security (CCNA > CCNA Sec > CCNP > CCNP Sec). I think I am also poor with Windows Security administration (PKI, Certificates, IIS Security ...etc).
I also believe I don’t have the skills to be system/security admin, software security or database security administration or analyst, and not even a network security engineer. I am getting lost!
The question; what do you recommend me to do? Which certification path would improve my skills? Do you believe what I am doing in my company now is healthy for my future and skills?
I feel that I am giving all what I learned from university, but I am not gaining knowledge,valuable knowledge.
Please provide suggestions.