(Note: I'm catching up on a backlog after my little biking accident last week...)
There's been some silliness floating around the industry echo chamber lately. I saw one comment where someone attending a BSides event felt it was nice hanging out with a bunch of other security people who "weren't in it for a paycheck." Well, I'm here to break the bad news... most of us are getting paid to do this work. And, I highly doubt that you'd see many - if any - of us slogging it out day after day after day if we weren't somehow being compensated. Why else would anybody put up with the insanity and inanity that is this industry?
Now, that said, I certainly understand the underlying sentiment... one of disrespect for those who are "mailing it in" because it's "just another job." You can't really be successful in this industry if you're just coasting. However, putting aside that not-insignificant portion of the infosec workforce that falls under this "just another job" category, there's no real basis for criticizing people for liking the fact that they get paid for their work.
Instead of disparaging people for liking being paid for their work, I think we should be critical of people who aren't engaged or contributing. I think we can all agree that every mid-to-large-sized organization has a significant percentage of personnel who simply aren't pulling their own weight.
It's actually a fascinating attribute of American business culture (other countries, too, I'm sure)... if you ever witness a "sinking ship" company first-hand, one thing you'll likely notice is a) a lot of deadwood hanging around, b) a very, very, very small number of "heroes" trying to keep things going, and c) a lot of people bailing out. In an era where employers don't generally show their employees any loyalty, it should then come as no surprise when the talent leaves.
So, the next time you hear a complaint about how so-n-so is "doing this work for a paycheck"... please, ask the whiner: "what's so wrong with getting paid?" :)
"You can't really be successful in this industry if you're just coasting."
Well, define "success" before you say that. I mean, really, what is success? Making good money? Achieving Schneieresque renown (as much a matter of luck and timing as expertise - lots of really expert security people are NOT in the CNN Rolodex under "computer security")?
In my case success is making enough money to support my family and put my kids through college. And I work hard and innovate and produce good security output at work - but am I coasting? I don't go to conferences and I don't do a ton of formal professional development and I don't think about security more than my job requires, so maybe I am.
On the other hand, there's also the danger of being too fixated on trends. There are constants in the security industry, and there are trends, and some trends come and some trends go, but after a while the important bits settle out of their own accord. There are dozens of trendy little bits of knowledge I never learned - whatever Cisco's latest packet-filtering innovation might have been in 2009, or the new governance module that some company released shortly before being bought up by another company. But if those new tools are REALLY impactful, then they'll be widely adopted among the enterprises where I work, and I'll pick them up. I don't have the brains or the time to follow every new trend, tool, or academic analysis of the security industry. So am I coasting?
And finally, that statement is demonstrably false by the Peter Principle, as many of us have no doubt seen. Boobs are placed in charge of things all the time, and many of them retire with honors. When I was at the U of Mn my boss's boss mismanaged critical projects to their extinction, but he kept working at the U 'til he retired. Now maybe that's civil service, but I know a couple of VP-level boobs right now who are having perfectly successful careers without a whiff of competency.
So while I certainly don't endorse slacking off or delivering substandard or poor-quality work, it must be acknowledged that in many cases it is perfectly possible to coast to success. Again, depending on what you define as "success."