I have about 12+ years of experience in infrastructure, both as a consultant and as an FTE. Almost 2 years ago (wow, time flies) I got my first opportunity to move into a security admin spot in a small healthcare organization. I basically took the knowledge I had built up over the years and applied it to implementing some security controls. I have experience building AD environments, server installs/migrations, client migrations, firewall installs/configs, and implementing VMware architectures. It was easy enough to flip the switch to security and basically concentrate on that aspect of what I already knew.
You don't necessarily need all that experience to start in IR, but it helps. It really depends on your role. In my current situation, IR begins at the SOC, where lower-level analysts monitor network activity. They watch everything from the IDS/IPS logs to the client AV reports. They monitor for data-out alerts as well. When they see something, they cut tickets. If it is something major, they mobilize the L2 IR teams and local site teams (me) to coordinate the response. Usually the SOC folks are not exactly "level 1" skill-wise; many have had a couple of years in some area or another. It does make for a great entry-level security position, though.
Pen testing takes a bit more work. Add years of experience in either web app development or infrastructure to a keen knowledge of how to break things. You need to put yourself in the shoes of a malicious attacker. Look at the systems and say, "Hmm, how would I go about bypassing a security measure? Can I simply use a technical means such as an SQLi vulnerability on an externally facing web app? Or do I need to craft a clever phishing email to gain access to an internal system?" The same thinking can actually be applied to the defensive side of things. In fact, I don't really do much pen testing, but I do look at the systems and say, "If I wanted to traverse this network, what would be the best way to do it and not get caught?"
There are also the other items in InfoSec that really fall more under infrastructure, but it is a good place to start focusing: your basic compliance checks, anti-virus, patching, etc. Backups will fall in this realm as well. After all, you may need to bring a system back to life for more reasons than hardware dying. If it gets compromised, you will need to ensure you have some good backups to go back to, and hopefully they will be from prior to the infection. Most of this is Security 101, I guess. It really should be common sense that is baked into the checklists. But you can traverse from there into more defense/offense security-focused areas.
Like cd1zz mentioned, CISSP is a managerial cert. It may help you get in the door, but it will not teach you some of the technical skills you will need to stay there. OSCP is a great program but not for the faint of heart; it is certainly not a Sec 101 course. If you have some funds, take a look at the GSEC cert and the SANS Security Essentials course. That will give you a pretty good general overview of the different platforms as well as some of the techniques and skills needed to move on in InfoSec. It covers a broad range of topics, everything from wireless hacking to developing a DR plan. If the cost is a bit out of your range (most have employers who will pay), then you can look at some of the much cheaper courses, such as eLearn Security's offering. In fact, that will prep you more for the OSCP than other courses. We have some reviews on the forums for OSCP, CEH, eCPPT, and a number of other certs/courses.
InfoSec is a big world with lots of places to go; build on your strengths and go from there. On the way, learn a bit about other areas. Check out Twitter and look for some of the popular InfoSec people. You can follow any of us and just follow who we follow. Oh, and if you get a chance, try to attend a BSides event. They are free conferences and more intimate than the bigger cons like Black Hat or DEF CON. Did I mention they are free? Don also posts a number of updates for the event calendar; check them out and see if something comes your way.
OK, that is it. Sorry for the book.