This is my first post, so apologies if I've ended up in the wrong spot!
I'm relatively new to information security, having worked in the area for about 2 years. I spent my first year and a half working for a large bank in threat and vulnerability management, mainly focusing on data in motion and data at rest. I ended that spell getting involved heavily in metrics, which led me to where I am now. I work in IT Risk Management at my current company and have been tasked with developing a metrics program for info sec. So far its going well, and I hope to use this as a platform to get myself into more of a management role relatively soon.
My educational background is a BA in History, MS in International Trade / Economics, and I'm just a couple of classes short of my MBA. My goal is to end up at the CISO or CIO level.
Now, for my real question, what certs should I be working towards right now? I know the CISSP is where I really need to be, but I'm still 2 years short on the experience required to get it. It's been suggested that I look at the GSEC, but I wasn't sure. Would appreciate all advice and feedback!