I would say that you're on the right track so far.
When you're ready to start branching into security specifically, there are many roads you can take, but you first need to decide on which branch of security you're going to focus on.
- Defensive Security (aka Blue Team)
- Offensive Security (aka Red Team)
These are the two main "branches" of security. There is plenty of overlap in each branch, but you'll be focusing on skills that are specific to their respective branches.
With Blue Team, you'll focus on implementation of tools/tactics/procedures geared towards building a fortified network system. This includes things like Threat Modeling, Defense-In-Depth strategies, monitoring (SIEM/Logging/IDS), Antivirus, EDR, Mobile security, Cloud security, Incident Handling/Response, Disaster Recovery, etc.
Blue Team certs include: CySA+, CASP+, GSEC, CFR, ECIH, CCNA Cyber Ops
With Red Team, you'll focus on implementation of tools/tactics/procedures designed to test a network system's defenses by acting in the same manner as a true threat actor would. The Red Team findings would then be utilized by the Blue Team to "fix the weak spots", thus enhancing their security posture.This includes activities like Vulnerability Assessments and Penetration Testing/Ethical Hacking.
Red Team certs include: Pentest+, C|EH, OSCP, eCPPT, GPEN, CPT
I hope this helps.