TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

Ask HN: How to get a job at cybersecurity?

14 points by abdelhadikhiati over 10 years ago
Hey, I am a graduated computer science student. I have experience developing Android apps and some Google App Engine backends. Lately I am interested in cybersecurity; it sounds like a really interesting domain, and I want to know what learning paths I should take to get a job in this domain, since I assume my computer science background is different from pen testing. Can you provide me resources (books, CTFs, advice)? Thank you.

3 comments

sarciszewski over 10 years ago
Why not give Matasano a call? Rumor has it they'll give you great book(s) just for applying.

https://news.ycombinator.com/item?id=8823260

Also from Matasano: cryptopals.com and microcorruption.com

Offensive security lectures:

http://www.cs.fsu.edu/~redwood/OffensiveSecurity

Other resources:

http://www.binary-auditing.com

http://www.enigmagroup.org

https://www.hackthissite.org

https://www.vulnhub.com

"Cybersecurity" is vague. What domains are you most interested in? Crypto? Network protocols? Applications {Web, Mobile, Desktop, Client/Server}?
Comment #8972943 not loaded
m0nastic over 10 years ago
For years I've tried to figure out good advice to this question, but I've never been able to successfully articulate it. Here's attempt++.

There are two things that would be helpful to know before providing advice, and they might not be things that you even know the answer to yet; but it's worth considering.

First, what are your reasons for being interested in security? Is it because it's a good job market? Or because you think it sounds cool? Or, god forbid, because you think of it as a higher calling? There's nothing inherently good or bad about any of those three choices (except people who believe the third one I find unbelievably tedious to be around), but it definitely affects what advice I'd give. I'm going to assume it's the second one (based on the way you worded your question).

Secondly, security is an ever-expanding field, and in particular, the domain knowledge for each piece of it is starting to take up all available volume in any person's individual skill-bag.

At the risk of somewhat oversimplifying, you can pretty much carve out a full and successful career in infosec in any of four fields: network security, application security, incident response, general-purpose security practitioner.

Each of those requires skills that are very different from the other 3, and each can be a totally fulfilling choice to make (most of us have wound up in a specific specialty and probably don't enjoy working in one of the other 3, but don't let my or anyone else's distaste for one of them sway you).

Network security is what it sounds like. It's basically the people who do penetration tests. At the bottom end of that field, it's the people who click "run" on a Nessus scan. At the higher end, it's the people who come up with interesting research around protocol vulnerabilities and exploits. Like any field, the vast majority of people aren't at the high end. Without passing judgement, network security was the first piece of infosec to start to become commoditized, thereby making it probably the least desirable from a financial perspective. This isn't true at the high end, but then again, it's never true at the high end.

It's probably where the majority of people start out, regardless of where they end up. You can thank the mid-90's era of terrible system security and compliance audit requirements for that.

Application security is probably the most applicable for people who have a development background (although again, at the higher end of network security, you are writing code, and exploiting other people's code). It started as a field in pretty much the late 90's. My company saw the writing on the wall that network security was going to become more and more commoditized and we shifted our focus to application security. For most of my career, that has predominantly been web application security. Other places do work on "native applications", embedded systems, etc. It really depends on the firm. Application security has become more and more important as more and more of people's lives have shifted to include doing things online. Again, not trying to make a value judgement (although as someone who has worked mostly in AppSec, I'm definitely biased), but it's where I would place my bets for at least the foreseeable future, career-relevance wise.

Incident Response has only really come into the limelight the past 5 or 6 years. It's been a thing since the 80's, but it was mostly ignored while people tried to convince themselves that they could build secure systems that would actually keep attackers out. The thinking around that has started to change (although in some cases just as an excuse by security people to absolve themselves of responsibility for doing a shitty job). Incident Response will probably never go away, because it's sort of the existential reality of doing business with machines that have to trust one another. Currently, it also commands the highest premium money-wise (but those halcyon days won't last forever).

Incident Response tends to attract the most "higher calling" people, so be careful about that. People who enjoy it will try to sell it to you as being "detective work", tracking down intruders, gathering evidence, and keeping them out of your systems. People also describe tiny, rat-infested NYC apartments as being "homey fixer-uppers".

Incident Response is usually the highest stress of any infosec job (although that, like everything else I've said, will vary from place to place). It's the field most likely to wake you up at 3 am on a Friday morning and make you head to the airport on no notice to go help someone whose network is currently being lit on fire by undergrads at a research university for some foreign country. Some people enjoy that pressure, and the reactive nature of the work (you never know where you'll be going from day to day).

Lastly is "general-purpose security practitioner". This role is almost exclusively someone who works in the security group at a company that has nothing to do with security. You might think that it's a combination of all the other roles (the Bards of infosec), and while that can be slightly true, it's more the people who have to deal with all the non-technical parts of security. Security within a company is mostly concerned with compliance, audits, and policies. That's the stuff that the general-purpose security practitioner works on. As part of that, they might occasionally run a Nessus scan, or set up an application in WebInspect (or be woken up at 3am when an incident occurs), but they will spend the majority of their day reading and writing Word documents, and having meetings with the marketing team trying to get them to stop using Dropbox to send all their sensitive corporate documents back and forth.

There are other variables too, like whether you work as a consultant, or work for a security product company; but in general if you work in infosec, you'll be doing some combination of these four things. I haven't said anything about cryptography, because really there's very little overlap between the crypto industry and the infosec industry (to both of their detriment, I suspect).

I actually think anyone in infosec would probably benefit from spending time in all of those roles, not just to get a better sense for them, but also to help challenge their assumptions. I also think security people can benefit greatly from going between being a consultant (where you potentially help lots of companies very little) and working internal to a company (where you potentially help one company very much).

So my advice is figure out which of those things sounds the most interesting and start down that path.

I don't really recommend doing CTFs unless you like doing CTFs (they have almost nothing to do with anything you'd actually be doing in the field).

And don't get a CISSP unless you opt to work in the general-purpose security practitioner field (even then, only do it if you have to). It's actually a negative hiring signal at almost any place you'd actually want to work.
Comment #8976045 not loaded
Comment #8976807 not loaded
Comment #8983318 not loaded
Comment #8975911 not loaded
ramtatatam over 10 years ago
Google for CISSP.
Comment #8971472 not loaded
Comment #8974033 not loaded