I do security full time in the 'real world', so I'll kinda describe that route.....and how I got there.

Experience is worth more than anything else in the security world. A formal education helps (if only to instill some basics), but is definitely not a requirement. You can learn a lot by breaking your own personal machines all the time. If you're interested in certifications, I'd recommend the SANS training and certifications.....they're fairly complete and most of the certs are challenging enough to prove yourself.

My own personal career path involved first getting my foot in the door doing tech support and basic administration. (I had done the same sort of work at an ISP prior to this) After busting my hump for a while, showing everyone who mattered that I was a hard worker and a quick learner, they started promoting me up the chain. All the while I spent much of my free time studying concepts and questions that I ran across at work and implementing them in my home network. My employer also was very supportive when I asked to attend conferences and training, which has been very helpful. (I'd recommend LISA and SANS) After years of working through this whole process I'm now in charge of corporate security.

Bottom line: In the security landscape, the material you need to know is definitely NOT static. You need to be constantly learning and experimenting.

--Ben