This is a question I hear often, in a variety of forms that I won’t belabor here. It’s always difficult to answer in a short conversation. To be honest, the point of this post is really self-serving; mainly, to give folks I speak with an easy place to look that I can remember when having this conversation.
I could make an effort to answer this question, but frankly I think anything I could offer would be redundant and not as expertly versed as some people I respect that have already attempted to do so. Some conversations I had at RSA is what encouraged me to finally get something written.
Two people have done a really nice job with this subject. The first, in a somewhat older post from 2014, is Daniel Miessler. That isn’t meant to short his contributions in this space, far from it. This post just provides a really nice overview of getting into this field. His blog is also excellent and quite prolific.
Next is Lesley Carhart, a Digital Forensics & Incident Response (DFIR) expert, a self-described “Full Spectrum Cyber-Warrior Princess”, and an all-around thoughtful person. She has a terrific blog (and posts way more frequently than I do, though I hope to change that).
Of particular importance is the fact that she posts frequently to an advice section of her blog that often includes career guidance. To whit, here’s a link to several terrific posts on building an infosec career. I would encourage someone to start with the Chapters 1-3 Megamix.
I will post some follow-up thoughts on this subject, particularly a more specific consideration for folks wanting to learn more about identity & access management, but I hope this helps some people. Oh, and if you’re not following these folks on twitter, you’re missing out.