Here's a little bit about my journey to actually get into information security, in a full-time role.
I was working as a construction safety supervisor, not really feeling fulfilled with my career, when I decided to go back to college (for the 3rd time). Previously, I had explored several options and determined that if I were to return to school, it would be for a computer-related degree, with the intent to eventually work into InfoSec Management somehow. So I began a Computer Science Bachelor's program, on the way toward my goal.
Graduation was looming and I knew that it would be a good time to jump careers, so I applied for a few positions, a couple of which were internships. One of the internships I applied for, was for an InfoSec position. When I got the call, though, it was a QA manager instead. While not my ideal fit, I decided to take the opportunity anyway, while expressing to my new manager my desire to work on anything security-related that he had. Doing one better, he had me work hand-in-hand with one of his engineers who spent about 50% of his time with vulnerability testing and other Security/QA activities. This experience whetted my appetite and I began my job search in earnest.
Unfortunately, as many have experienced, it can be very difficult to begin a career in InfoSec. Most positions require some experience (generally more than the ~4 months I had as an intern). Fortunately, I did get a job as a QA Analyst, with a different company.
While working in QA, I did everything I could to incorporate security into my job. I made it a part of my annual review goals, I worked on security awareness in the QA team, to try to move a little bit towards the security side of the house and I studied for and passed CompTia's Security+ exam (which had been a goal of mine for awhile, at that point). It was around this time that I finally met one of the members of our company's security group. I asked him if he was a CISSP and if, when I took and passed the test, he could/would endorse me. He mentioned that he had his CISSP and that we could discuss it, when appropriate.
Little did I know that my combination of activities had highlighted that I was very interested, to the right people. A few months after getting my Security+ certification, I was approached and asked if I was interested in applying for an internal security position. Naturally, I was very excited. When the job opened, I applied, interviewed with the team and accepted the offered position, as an Information Security Analyst.
So while the route was anything but simple for me, it did have elements common to others who have entered the field. First, in everything I did, I professed my affinity for InfoSec. Second, I assessed my strengths and weaknesses, and began working on shoring up my weak points with education. Third, I got certified. Fourth, I gained experience in an area of IT (in my case QA).
I then set my sites on getting the ISC2 CISSP certification. But more on that, another time.