A career in pen testing is a rare thing. Usually you start out with a career in a business consulting firm and somehow end up on the security team. Also, serious pen testing is often as much about physical security and general policy adherence as it is about software. A lot of what you need to learn is learned "on-the-job", in some job or another.
I would strongly recommend against planning specifically for a career in pen testing and instead prepare to to be a software and security guru/oracle at whatever firm your travels take you. If you really know your stuff (not just pretend), then you tend to get noticed and singled out for interesting work. If that what you enjoy, then that's a good thing. It also translates into highly marketable skills for future gigs. Small companies may have less of the interesting work to do, but you have a higher chance of getting picked to do it.
As suggested, security skills are acquired through experience rather than mental osmosis. Security is all about the "gotcha" that you wouldn't have caught unless you've been here before but on the other side of the fence. And there are plenty of (legal) ways to learn the trade. Open-source is always a useful place to start. Nearly everything of importance can be had for free once you have a decent computer. For example, virtual machines allow you to create complex network configurations without leasing hardware.
Possibly most importantly; spend free time around people who do things you want to learn about. People you work with, for example. Be friendly and try to be helpful, but make sure you're not annoying them. It's amazing what useful skills you can pick up if you keep your ears open, and many people just want someone who will listen to them. Also the personal connections are the most important factor in opening doors for new and interesting work.
Use your free time for something useful. Programming, reading, hardware hacking, etc. There's a reason you don't get into this field without enjoying what you do: it's because you wouldn't be here if you spent your free time doing something else.
As for languages: C is not optional, but it's a terrible place to start. It's unforgiving and unhelpful and drops you straight into the deep end. Python is both useful and simple, which makes it a pretty good idea. Perl is also arguably not optional, though it's slightly less simple. It's important to understand .NET and Java, but not critical that you're good at programming for them. Once you know how to program, new languages come much easier. But programming takes a type of abstract structural thinking that is very difficult for some people to learn. General IT security tends to deal heavily with Linux/BSD as IT people usually prefer them. But corporate security usually deals heavily with Windows for reasons anthropologists are still trying to understand.
As a side note, take what you hear on SN with something of a grain of salt. It's certainly an interesting show primarily because Leo is extraordinarily skilled at what he does. But Steve is as confident when he's wrong as he is when he's right, and his ideas and suggestions are a little off-kilter. I still listen to it for the news primarily because the alternatives are so painful on the ears, and in fact I've contributed an unusually large percentage of the featured "feedback". But still, bear in mind that the accuracy is only about as good as the average newspaper story -- you only notice where the mistakes are when you already know the subject matter. And I occasionally find myself shouting "no no no" at my computer when I listen to it. Though he's probably no worse than your average eccentric officemate.