For starters, it would be nice to learn how to correctly write the name of the specialty according to the rules of the Russian language :)
In general, IT security specialists in the Russian Federation are usually divided into two categories. The first - write all sorts of papers, regulations, access cards and so on. That is, they are engaged in the usual bureaucracy. And the second - as a rule, specialists of a high category - whether they are programmers or administrators who are well versed in the technology stack at the technical level, vulnerabilities in which they are going to close.
So first think about whether you need it. If you are inclined towards the first category, then go to a specialized university, then through your acquaintances, get yourself a place. With some luck, they will find a place for you to rake papers in the office.
If you are leaning towards the second, then first you should understand the technology stack well - be it web, or mobile applications, or something else. At least to the level of understanding of deep processes and fundamentals. And there, decide for yourself - will you want to go to information security specialists after that ...

Nowhere.
These specialists are not needed in such a number, and even more so in the capacity in which they are trained.
A higher education is useful for a programmer. But not necessary.
It matters for easier obtaining work visas to Europe, it matters when working for the state. enterprises.
In fact, it's not necessary.
I never showed my diploma to anyone.
The knowledge acquired at the university was rarely used. 95% of that knowledge has never been useful at all in 20 years.
The industry is developing very quickly. The fact that 3 years ago was just giving the first hopes today is already in the whole mainstream. Well, how, pray tell, will they be able to teach you this knowledge (I don’t speak at the right level), but how can I teach it at all, if the teacher himself still needs to master it somehow.
The most useful thing in the university is the atmosphere. This atmosphere is amazing.
But not the knowledge itself. In addition to a small amount of basic knowledge that can be obtained in 1-2 years, there is no other benefit.
The university should push you to read "best practices" - that's the best thing the university can do.

About practical safety, if we generalize and not be sprayed, we can single out the following areas.
1. Research, research.
2. Setting up/implementation of information security tools.
3. Security analysis/pentest.
4. Development of information security tools.
Each of the directions implies a certain (huge) layer of necessary knowledge. Choose what interests you and study.

I myself have been working as an information security specialist for 6 years. As mentioned above, you need to have a very good knowledge and understanding of the operation of systems, without education and knowledge of English it is difficult. They asked me for a diploma purely for show, but anyway, without it, it’s hard to get a job in a serious organization, not necessarily a state one. I myself am a teacher by training.

The topic of mobile development security is now even more relevant than web security... After all, we already store all data only in our smartphones and in the clouds...) And this is a tasty morsel for hackers. Although the basics and errors are the same: sql, permissions, weak passwords, etc.
The tower is needed for companies, but they will never give real knowledge. I know from my students! They have a lot of theory, but almost no practical knowledge and skills...