If you are looking to embark on a career in IT Security, then you can start as a system administrator with a solid understanding of administration and networking and then pursues certifications such as CISSP and CISM.
Next move on to an information security auditing role by taking the CISA, followed by information privacy and operational risk positions along with associated certifications (i.e., CIPP and CRP).
After gaining expertise in this feld, there are many options, such as moving into management, making a transition into business operations, leaving for another organization, or entering into independent consulting.
How does this sound?