Don't just have a dedicated area, make it a place you want to work from. It seems obvious, but once you're working from home, it's easy to just cobble together a workspace in a room and call it an "office". Your office should feel comfortable, a place you want to spend a good amount of time in, but is not distracting. At the end of the day, it should also be a place you leave in favor of living life. I wrote about my home office just in case you want some ideas, https://medium.com/@9bplus/my-home-office-f531f662fc51. Been working from home for 2 years now.
“That’s one of the problems he seems to be grappling with: more money, generally, means less struggle, and if it’s struggle that made him, how does he find that going forward?”
I agree with your general sentiment, but if it were that easy, we wouldn't even be having the discussion. Nation states going after a campaign are likely to succeed, it's limiting the exposure if they do. To your point, there are a number of no-brainer processes or technologies to make those compromises difficult or severely limit the damage and many do not require much to put in place. You do need someone on-staff though constantly monitoring and enforcing best practices.
Campaigns should be finding ways to work with professionals from the cybersecurity sector, not looking for ways to bolster defenses on their own. The adversaries these groups face far exceed the norm when it comes to industry standards––your security admin from off the street is going to be no match for a well-determined government. You need seasoned professionals who have background across active incident response, defensive efforts, intelligence and general best practices to even stand a chance.
People who match the description above don't need to be found as much as they need a point-of-contact to campaign staff. Many of us are more than willing to dedicate the time and resources needed to advise those who wish to take security seriously, free of charge. The issue lies in the shared opaqueness of the two parties that must come together; neither know quite who to contact and both are unsure how to engage. We should not let a lack of understanding get in the way of protecting our (anyones really) election process.
The word "passion" is charged these days, but as someone who has successfully completed a number of long journeys (opensource projects, sale of company, 15 years of cardio, etc.), I think that has been the key to my success. In other words, you have to love what you are doing and then your interests will dwindle less.
Even with love, it can be difficult to remain focused. A trick I do when I run is to constantly recalibrate my goals as I am going. If I am having a hard time a few miles in, I tell myself to get to the next quarter and then the next until it's a half. Eventually it's a mile and I start again if I need to or expand scope. I will apply this same technique to life and have found it can be very useful.
If you've tried all of those, consider the process of abstaining from something or extreme focusing for a set period of time, say drinking alcohol or performing a 1 min plank every day for 30 days. I will do these exercises and the feeling I get from them is similar to the dragging feeling at the final 25% of a project. It conditions you to push through it because at the end of the day, it's only 30 days.
And I guess as a catch-all, if you really want to see it through, make that your goal––To complete one single project from start to finish, no matter what.
While it's expected a technology company dealing with communication would be the target of external threat actors, I think there's value in Slack being very clear that eliminating the risks from a strongly motivated actor is not completely possible. As commonsense as that would seem, most of the public do not have a strong grasp on these more advanced cyber actors. What's nice in being proactive is that it opens up a proper conversation prior to a breach (yes, I know they were breached before) and could get us closer to coming up with a better solution for dealing with these attacks.
The security market is insanely hot right now and will continue to thrive. From my perspective, we are reaching a point where security is seen as a commodity, not some optional process––everyone needs to know about security, even if they aren't working in the field. From a job perspective, schools are not able to keep up with the demand and even then, those leaving academics are not showing strong practical skills they can apply.
SysAdmin/SRE/Dev is the perfect sort of person to transition to security. You are going to think about how the system functions, what is running on top of it and how to ensure it stays online. When I interview candidates, I like see an alternative background as it means that person is going to bring a new perspective. "Security" as a job doesn't really make as much sense to me––you specialize in a given area (i.e. network background folks may maintain appliances, rule sets, detection signatures, etc.) and apply security to that area. I see your area as a means to solve a lot of security problems. Configurations, deployments, etc. can be checked in and accounted for with code instead of relying on people; there's massive power in that.
When it comes to certifications, I think there's two schools of thought. There's folks who look at the paperwork and make sure you can check the box, giving way too much value to certifications. For those who have been around a bit, they see the certification as practical, though no substitution for real-world experience. If you are being cost conscious, check out some of the free resources online for Network+[1] and Security+[2]. The important take away in those materials are not that you _need_ a certificate, but that you should understand the content and be confident in speaking out it.
If the red/blue side is more your style, I can't recommend enough to check out the Offense Security courses [3]. The tool set is free, the course is reasonably priced, it's a lot of fun and will give you real-world experience that is far more favorable than the standard certificates. Skip the whole CEH program as it has a poor reputation.
You mention six figures, but don't provide a scale, so it's hard to know how much a pay-cut you would potentially take. That said, security pays well and it's not uncommon to see salaries in the ranges of $100-200K even with less experience. All salaries are relative, but in general, a lot of my peers are not exceeding 200K on the base, though clear a lot more when factoring in other incentives like stock, or bonus.
Background: Been in security my whole career (started in networking and morphed into security) totaling close to 15 years. Like you, I have a set of skills outside of security (sys admin, networking, dev) and it's played in my favor a lot. Reach out to me direct if you have more questions!