Say you want to be a hacker or stop the bad hackers as a career path. You like computers and want to get into the Information Security field. There are many paths and specializations. I will give my perspective and experiences in this post.
Love for computers and technology
In my early years, I loved playing games on the old Commodore 64, Atari, Apple IIgs, amongst other computers. Then the internet blew up and this www stuff began appearing. I got a 56k modem and was running a Gateway 486. I learned the ins and outs of Windows 95, the registry, settings, viruses and more. I wanted to learn more. I went into the Air Force and started providing computer support. Not just software, but hardware. I learned Windows NT, Exchange, and early implementations of Active Directory and Windows servers. I always wanted to learn more and more. I was happy and enjoying learning how software and operating systems worked and didn't work.
This is a good starting step. Everyone nowadays has technology. They have smartphones and laptops and work on them every day. Some have an interest in how things work. Kids learn where settings are, even how to code and troubleshoot computer problems. You may have even seen where kids have figured out how to break into teachers' computers by guessing usernames and passwords.
Specializing in a field or generalizing
After I got out of the Air Force, I worked installing Unix-based firewalls and various types of Windows servers around the world. A love for Unix/Linux grew. The command line was awesome: no fumbling with a GUI, and quick response output. I later became a firewall administrator and soon after a security administrator, including IPS/IDS administration. This turned into password cracking, vulnerability scanning, remediation, AV/HIPS administration and more. Security became my number one priority and passion. Many things were learned and shared amongst co-workers. I learned about system weaknesses and vulnerabilities and how to prevent them. So, speaking of specialization, later I became a Network Security Specialist. I worked in a SOC-type environment and logging became the big thing. SIEM and enhanced vulnerability management became a primary duty. Attack patterns, vulnerabilities and event monitoring were amongst the activities we performed.
To gain more insight, training was really important. SANS provides great training and I was able to attend the Intrusion Detection, Penetration Testing and Windows Forensics classes. At this time I also studied for and obtained my CISSP. I had previously obtained my CCNA while in the AF, as well as the MCSE in Windows NT (old skool). These certs were important in obtaining my next position as a Security Consultant/Penetration Tester. The change into pentesting was not an easy one. When you start in a specialization you tend to be entry level, and the salary is appropriate to that. So this transition was a bit hard, but it worked out well. Getting experience is important in the position you are in. For example, while working in the SOC, I performed more than vuln scans. I ran some internal pentesting activities where I could to enhance my skills. Kali Linux and other tools were commonly used.
Importance of Experience
I later moved on to another pentesting gig and gained more experience with constant work on testing, projects and clients. A variety of types of pentesting exists. There is social engineering, phone SE, physical tests and WiFi tests, as well as the typical external/internal network tests. This is not even taking into account web application or mobile app testing.
Again, training is always a plus, such as the Social Engineering training from the guys at SocialEngineer.org, as well as OSCP training.
Experience is always more important and is what counts. Whether you go above and beyond in your job and take on extra security-type work, or you continue gaining experience from entry level and move up in the ranks, experience needs to be obtained. Certs and training can help you get in the door, and even setting up your own hack lab can definitely benefit you, but real-world action is what proves you can do the work and gets you hired.
A plus for any security practitioner is to be able to code and create your own tools. If you can gain notoriety for creating a tool, this is also something employers will look at.
I forgot about a College Degree
I see degrees and certifications as similar tools that can be used to get your start in an entry-level position, whether it is IT or InfoSec. When I went to school, Computer Science was the only program that was relevant. Now there are Information Security degrees and more specialized programs. I have looked into some, even if just to get my piece of paper, but it is all stuff I already have knowledge of, and I would rather spend the money on specific training programs.
So degrees are good for getting a basic foundation, but in my case, on-the-job experience and training were able to get me all I needed to start off.
So to sum it up: learn how systems work, then how they are broken, then how the bad guys do so. Gain experience in the position of your choosing. Use certs, lab experience and education to get your foot in the door. Once you are in, work hard to learn more and more. Keep up as best you can with the latest threats and attacks.
Finally, never give up. Patience is sometimes required and things may not always go your way. Keep at it, keep improving and ask for guidance and help from those you look up to.