If you want to work in IT security you'd probably need to work at the sharp end first for a while. Probably try to move away from the help desk into sysadmin type roles. It would be hard for you to advise on the secure way to do things if you haven't done them ever before. Reality is often a long way from theory in these things and what might be the most secure way to something in theory might not work in reality.

I work in Information Security which covers IT security but all information including paper as well.
I came from a background where I worked in small companies so I had exposure to a little of everything. Sysadmin work, web designing, bit of programming, firewalls, Linux and Windows etc etc. You need to know a bit (often a lot) about everything.

Books, I read O'Reilly as well.
I've only done one course which was ISEB Information Security Managament Principles. Good introduction to infosec if that's your bag.
My work is mostly audit, compliance, policy and procedure writing. But I'm getting sent on a firewall course soon not because I need to be able to administer the firewalls but because I need to be able to make sure that the firewall guys are working properly.