How to gradually develop in the field of information security?
Good day, colleagues!
I tried to look for an answer to this question, but unfortunately I didn't find anything concrete :( Apparently this is due to the specificity of the question.
I have been testing web applications for 3 years. There is no full-fledged product or project; I want to solve technical issues. The choice fell on the field of information security. Having the skills of a tester, how do I gradually develop in the field of information security, what should I read and how should I practice? I have a basic understanding of the sphere, but the main question is still about the skills: their list varies, from godlike programming skill to its complete absence.
Skills: HTML, CSS, JS (basic things), git, Linux.
The field of information security is vast. Which direction do you want? Penetration testing? Or being an information security engineer (introducing information security products, etc.)? In both cases, you need to know the methodologies and common practices for the work. For pentesting, e.g. OWASP, OSSTMM, etc. Well, also your own tools for the work (distributions like Kali and the like).
The sphere of information security is about the same as the sphere of IT as a whole: a monster, corpulent, mischievous, huge :) It is full of directions, sub-directions ...
- People who test software for holes - this is information security
- People who reverse viruses to decipher "photos" - this is information security
- People who write firewall rules, set up proxies and decide who to let in - this is also information security
- People who sit at the NSR monitoring, access control and video surveillance terminals - this is also information security, although this routine is often handed over to plain security guards
- People who write policies, guidelines and rules - and this is also information security.
What do you want?
The sphere of information security deals with things that are not entirely technical. In this area, the main things are:
1. Jurisprudence and documentation - develop all the rules, get them approved, convey them to employees, involve management, and so on.
2. External perimeter - checkpoints, locks, magnetic cards, logging of incoming / outgoing people, monitoring and recording.
3. Software - organization of domain policy, access rights, control of all internal resources and access to them, software updates, organizing the security work of all projects (for example, introduce mandatory scanning of all products with some kind of analyzer, prohibit plaintext passwords in configs and force everyone to comply).
If you are interested in the technical part, then it does not differ at all from normal administration and development - there are simply new requirements that need to be implemented. And so, information security is more about the organization and implementation of various requirements.
In fact, what was written above refers to IT security.
According to ISACA, IS is primarily governance, and firewall settings are the task of IT security, i.e. IT personnel. The custodians themselves must provide the required level of security, and the information security department should monitor and assess risks.
You can read about RACI in COBIT 5.
I agree with the CISSP wording about the 8 big areas of information security:
1. Information security and risk management (Security and Risk Management)
2. Information asset security (Asset Security) is about the life cycle of data, information and types of access control.
3. Design and development of information security systems (Security Architecture and Engineering)
4. Communications and network security (Communication and Network Security)
5. Access and identification management (Identity and Access Management)
6. Assessment of security tools and methods for their testing (Security Assessment and Testing)
7. Security Operations
8. Development of reliable / secure software in terms of information security (Software Development Security)
www.rohos.ru/2018/10/risk-management-in-cissp-cert...
You have the most experience in 6 and 8.
- So study topics 6 and 8 thoroughly.
- Learn English.
- If you can learn another cybersecurity topic at your current place of work, act. Otherwise, change jobs.
- Gain experience in 2 more topics.
- Get CISSP certification.
Good luck.