I currently work in InfoSec and am coming round to thinking I don't want to be here any more.
It seems to have become too much of a bandwagon weighed down by politics and hand-waving presentations by the same clutch of very senior people who, in the InfoSec world, are famous for being famous with their constant blog posts and interviews about nothing in particular. Similarly, like many other arms of IT the bandwagon effect has led to academic courses springing up like weeds and recruiters circling like vultures. I don't like that either.
I do feel like you just cannot hit the "big bucks" in InfoSec unless you hold some high office in London or the US, dealing with all that high office entails. Lots of politics and "influencing" people, usually constant "networking" at expensive conferences, spending half of your life on a plane jetting off to the Singapore and Johannesburg offices where you once again wave your hands and tell everyone how exciting and inspiring it all is etc. That's not for me as a career.
I keep seeing LinkedIn job adverts and constant recruiter spam offering a load of jobs very similar to my own, in places I don't want to live in a million years, paying what seems like a bit more than I'm currently on... except it qualitatively isn't. It wouldn't be worth it once you factor in the likely insane workload and the hassle and living/commuting costs in London and its environs.
On top of that, InfoSec isn't 9-5. You are basically expected to be constantly learning and basically living out Minority Report a lot of the time, always being at the top of your game. You are also expected to have a laundry list of expensive certs, only to be told by some second year ethical hacking student how useless your certs are and it's only for HR screening etc.
I just don't think the passion is there anymore and I've more or less had enough having gone around a few different security roles now. It is very difficult to figure out what I could or should be doing instead.