The first thing to learn is to ask the right questions . Incredibly useful skill.

1. Download Kali Linux

learn the main threats, attack vectors and how to defend against them. For this, google is helpful.

The UK will not be superfluous to read. Know what happens. In addition to the Criminal Code, the Civil Code will also come in handy, especially in terms of trade secrets and copyright, trade secret laws and all these latest crazy laws - about instant messengers, VPN, etc. This is if you aim specifically at IB.
There are many highlights - "white hats", reverse engineers, cryptologists... However, if the office grows to the point that you need a separate person for IS, you will have to deal with everything at once - in fact, just like in the administration :) Set up firewalls, issue certificates , manage corporate proxies and access points, engage in monitoring. Why monitoring? And everything - hardware, software, mail, employees ... The topic of the NSR is now incredibly flooded.
You also need to have damn strong nerves ... The situation when you read the correspondence of a chamomile girl with the reception and suddenly discover that she is not a chamomile at all and is ready to play "chamomile" with you for a trip in a car - for an IB-shnik not something outstanding, but a banal routine ... And the hardest thing is not even to experience such a "revelation", and then look at it as if nothing had happened.

If you have the funds, I recommend taking information security courses (for example, Zero Security A from PentestIT), I personally got a tangible boost in development.
If not, look for testing techniques and perform them on the example of test resources.
Links to techniques:
https://www.owasp.org/index.php/Main_Page (WEB)
www.pentest-standard.org/index.php/Main_Page (For networks)
Kali Linux has all the necessary tools.
Practice resources can be found here:
www.amanhardikar.com/mindmaps/Practice.png