Setting up a metasploitable VM and learning to harden it against its myriad vulnerabilities is a decent practice for the linux sysadmin side of infosec. You can also use it to home-bake CVE exploit scripts to get your feet wet with network programming/scriptingStudy everything on OWASP. You'll need to know programming to order to understand the mistakes programmers make that enable common security problems. You should also learn about being a linux sysadmin so you can understand the mistakes sysadmins make that enable common security problems.
the 1-2 year security degrees that don't involve programming/advanced compsci courses can generally be summed up as "use a firewall/antivirus/vpn, don't use default configs/directories/passwords, encryption good, the majority of the time " deleting" a file doesn't delete shit except an MFT entry , and of course "does this REALLY need to be connected to the internet?""People will tell you you don't need to learn programming to succeed in cyber security - and I imagine it's true for some cyber security roles - but just having a solid practical application / web development background will take you extremely far in those roles just in having the context to understand what's going on. The biggest consumer of cyber security employees are software companies, and if you know what the hell is going on with software dev you are going to be far more marketable.
I've had to work on windows machines a couple of times mainly for firewall configurations but getting familiar with windows is good but not as important as linux though.Windows is not important.
If you're not already competent enough with Windows to basically understand all the user-facing stuff, then you shouldn't even be looking into InfoSec. You should be starting out in a tier 1 helpdesk position.If you don't have the ability to deal with the number 1 desktop OS, one which is used by users (aka security vulnerabilities) at work, there's a gap in your knowledge.
Programming, networking, scripting, database management, system administration... plus keeping up with all of the CVEs and exploits (exploit-db) are all pretty necessary.Depending on where you wanna lean to, it may be necessary to know some programming, as it allows you to catch malicious code.