Don't just have a dedicated area, make it a place you want to work from. It seems obvious, but once you're working from home, it's easy to just cobble together a workspace in a room and call it an "office". Your office should feel comfortable, a place you want to spend a good amount of time in, but is not distracting. At the end of the day, it should also be a place you leave in favor of living life. I wrote about my home office just in case you want some ideas, https://medium.com/@9bplus/my-home-office-f531f662fc51. Been working from home for 2 years now.
“That’s one of the problems he seems to be grappling with: more money, generally, means less struggle, and if it’s struggle that made him, how does he find that going forward?”
I agree with your general sentiment, but if it were that easy, we wouldn't even be having the discussion. Nation states going after a campaign are likely to succeed, it's limiting the exposure if they do. To your point, there are a number of no-brainer processes or technologies to make those compromises difficult or severely limit the damage and many do not require much to put in place. You do need someone on-staff though constantly monitoring and enforcing best practices.
Campaigns should be finding ways to work with professionals from the cybersecurity sector, not looking for ways to bolster defenses on their own. The adversaries these groups face far exceed the norm when it comes to industry standards––your security admin from off the street is going to be no match for a well-determined government. You need seasoned professionals who have background across active incident response, defensive efforts, intelligence and general best practices to even stand a chance.
People who match the description above don't need to be found as much as they need a point-of-contact to campaign staff. Many of us are more than willing to dedicate the time and resources needed to advise those who wish to take security seriously, free of charge. The issue lies in the shared opaqueness of the two parties that must come together; neither know quite who to contact and both are unsure how to engage. We should not let a lack of understanding get in the way of protecting our (anyones really) election process.
The word "passion" is charged these days, but as someone who has successfully completed a number of long journeys (opensource projects, sale of company, 15 years of cardio, etc.), I think that has been the key to my success. In other words, you have to love what you are doing and then your interests will dwindle less.
Even with love, it can be difficult to remain focused. A trick I do when I run is to constantly recalibrate my goals as I am going. If I am having a hard time a few miles in, I tell myself to get to the next quarter and then the next until it's a half. Eventually it's a mile and I start again if I need to or expand scope. I will apply this same technique to life and have found it can be very useful.
If you've tried all of those, consider the process of abstaining from something or extreme focusing for a set period of time, say drinking alcohol or performing a 1 min plank every day for 30 days. I will do these exercises and the feeling I get from them is similar to the dragging feeling at the final 25% of a project. It conditions you to push through it because at the end of the day, it's only 30 days.
And I guess as a catch-all, if you really want to see it through, make that your goal––To complete one single project from start to finish, no matter what.
While it's expected a technology company dealing with communication would be the target of external threat actors, I think there's value in Slack being very clear that eliminating the risks from a strongly motivated actor is not completely possible. As commonsense as that would seem, most of the public do not have a strong grasp on these more advanced cyber actors. What's nice in being proactive is that it opens up a proper conversation prior to a breach (yes, I know they were breached before) and could get us closer to coming up with a better solution for dealing with these attacks.
The security market is insanely hot right now and will continue to thrive. From my perspective, we are reaching a point where security is seen as a commodity, not some optional process––everyone needs to know about security, even if they aren't working in the field. From a job perspective, schools are not able to keep up with the demand and even then, those leaving academics are not showing strong practical skills they can apply.
SysAdmin/SRE/Dev is the perfect sort of person to transition to security. You are going to think about how the system functions, what is running on top of it and how to ensure it stays online. When I interview candidates, I like see an alternative background as it means that person is going to bring a new perspective. "Security" as a job doesn't really make as much sense to me––you specialize in a given area (i.e. network background folks may maintain appliances, rule sets, detection signatures, etc.) and apply security to that area. I see your area as a means to solve a lot of security problems. Configurations, deployments, etc. can be checked in and accounted for with code instead of relying on people; there's massive power in that.
When it comes to certifications, I think there's two schools of thought. There's folks who look at the paperwork and make sure you can check the box, giving way too much value to certifications. For those who have been around a bit, they see the certification as practical, though no substitution for real-world experience. If you are being cost conscious, check out some of the free resources online for Network+[1] and Security+[2]. The important take away in those materials are not that you _need_ a certificate, but that you should understand the content and be confident in speaking out it.
If the red/blue side is more your style, I can't recommend enough to check out the Offense Security courses [3]. The tool set is free, the course is reasonably priced, it's a lot of fun and will give you real-world experience that is far more favorable than the standard certificates. Skip the whole CEH program as it has a poor reputation.
You mention six figures, but don't provide a scale, so it's hard to know how much a pay-cut you would potentially take. That said, security pays well and it's not uncommon to see salaries in the ranges of $100-200K even with less experience. All salaries are relative, but in general, a lot of my peers are not exceeding 200K on the base, though clear a lot more when factoring in other incentives like stock, or bonus.
Background: Been in security my whole career (started in networking and morphed into security) totaling close to 15 years. Like you, I have a set of skills outside of security (sys admin, networking, dev) and it's played in my favor a lot. Reach out to me direct if you have more questions!
During the early part of high school, a few friends and I began attending community college night classes for subjects we got exposed to in our day classes. By the time I graduated, I was half-way through a AAS degree and considered continuing locally a no-brainer.
Ended up transferring 70 credits or so over to a four-year institution 1 year after graduating high school and managed to walk away with a BS degree earlier than my peers and with no debt. Without community college, there's no way I would have achieved this; I owe a lot to that part of the system.
For many years, I felt like an imposter because of my community college background. The irony in it all though was that for a much cheaper, often more flexible schedule, and sometimes better teachers, I walked away with a lot of the same opportunity as my peers. Naturally, my "network" wasn't filled with ivy-leaguers, but I'd later rub shoulders with them in my employment and be considered equal.
Unfortunately, the legal process has not caught up with the speed in which malicious actors can conduct their attacks. In some cases, infrastructure is used for merely a few hours before swapping to something new. It's a constant game of wack-a-mole and without the provider's help, there's no way to stop it.
I'd assume so. More potential fake "subscribers" mean more bounced email and higher volumes which could be used as a early warning indicator for spam or reputation flagging. Slightly related, but I've noticed countless delivery issues with Mandrill, Mailchimp's transactional service. Their portal claims messages have been delivered, but many organizations relay back to us that their message never made it past the mail gateways.
I'd like to see OVH take a stronger stance on actioning abuse requests for hosts serving malware before hearing about some paid protection offering. For those not fortunate enough to deal with OVH, if you report abuse, your information and report often find their way directly to those committing the malicious actions - the "customer". This results in the actor simply removing their content to appease OVH and then continuing business as usual. In the face of clear evidence, OVH will often cite privacy issues for why they can't or won't take action. At this point, anytime I see their infrastructure in an investigation, I know it's a waste of time.
On the privacy side, I could see concern from those using the extension. When the site is not found in their database, the full HTML of the page appears to be submitted to the servers and processed. This is a bit of what you would expect, but may present some concern for cases where a new site is submitted and PII is sent to WhatRuns servers.
Planes work wonders for development too. After several trips and being on a deadline, I built my dev environment to be offline friendly (cached data, local libraries, etc.). Airports became the most productive locations for me because I could shut everything off and just focus on finishing the development work. Not having an answer at my fingertips ended up being a fun constraint too.
If you take the offer, do yourself a favor and bake some extras into your employee contract or add them into the deal. Not sure of the terms, but if you need to stick around, don't underestimate how long a year is when handcuffed. Ask for a delayed start, X% bonus and a hefty salary. Even though you didn't exit at some insane rate, you can't ignore you have a skillet or at the very least, accomplished something most have not; that's worth more than your average salary. Once you're locked in, it's a lot harder to adjust and it can leave you frustrated.
I've done a significant amount of research on these threat actors. Despite the high tech exfiltration method and nation state support, researchers were still able to easily find their infrastructure. Satellite communications were encrypted via self-signed ssl certificates. Using internet scanning, we could track their IP addresses and associated domains using the SHA-1 of their certificate (map certificate to hosting IP). Happy to answer questions, but you can also read more here. https://blog.passivetotal.org/snakes-in-the-satellites-on-go...
I wouldn't quit without a firm idea of what you want to start; leaving your current role without an idea is likely to leave you more bored and questioning your decision. Having sold a company and worked at Facebook (not Google, but a great place), I'd suggest a long travel where you disconnect and think about what you want. As others have mentioned, you're young (29 here) and have plenty of time to work it out.