So You Want to Get Into Cybersecurity

I see loads of folks who want to get into my field. Writing this down so I can have a place to send anyone interested. Here’s the short version, for any age:

Get your Certified Ethical Hacker (CEH) certification: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Reason: You have to do something that allows you to think like an attacker. Depending on your background, you may not need this, but most folks will want to get into the mindset a bit. And use your powers for good. If you find yourself drawn to doing sketchy stuff, stop a bit and think. Unless you’re going to be a loner always, there are few secrets amongst security people. Your background will be extensively searched. If you apply for a cleared position, that’s another whole thing. They will find stuff you did early in your life. It may matter. Be advised.

Learn about networks.

Reason: The CEH will do some of this, but you want to know how the pipes work before working on the plumbing. As the old Orange Book said, the only secure system is the one not connected to anything. So it behooves one to know how those necessary connections work.

Specialize. The field is huge, and the days of starting out as a sort of generalist are long gone. AppSec, red team, network security, IAM, compliance, anti-fraud, cloud security (and on what platform?), security project management, and the list goes on. All of them are deep sub-fields now. You need to find one and go deep.

Reason: It’s just too broad to do what most of us old-timers did and do all of it.

Get the certifications for the job you want.

Reason: Certs can take lots of time and energy away from doing security and prototyping things. It can be a diverting game to get lots of them, but you want to find out the ones you need for your potential job and get those. Ask after what would help. If you want to go to work for AWS, better get them AWS security and architecture certs!