Impostor syndrome was added to the Merriam-Webster dictionary in 2020, reflecting growing awareness of the condition and its far-reaching consequences. But what exactly is impostor syndrome, how does it manifest in InfoSec or cybersecurity professionals, and, most importantly, how can we find constructive ways to move past it to focus on our professional development and achievements rather than perceived failings?
Definition & Origin
Impostor syndrome was first described in an academic paper from 1978 titled "The Imposter Phenomenon in High Achieving Women", though research since then has shown it doesn't exclusively affect women. According to the Merriam-Webster definition, impostor syndrome describes "a psychological condition that is characterized by persistent doubt concerning one's abilities or accomplishments accompanied by the fear of being exposed as a fraud despite evidence of one's ongoing success". Basically, you feel like you're faking it at work, coupled with a side order of anxiety that you'll be exposed even though all the evidence points to you being competent!
If that definition hits close to home you're certainly not alone. Feelings of not being as accomplished as your job title or salary would suggest, of not being on par with your peers, or just having no clue what you're doing are a frequently trending topic on LinkedIn and Twitter. Groups on these sites dedicated to InfoSec and Cybersecurity professionals show the effects of impostor syndrome are particularly disruptive, as these fields are rapidly evolving and it can be easy to feel lost.
Some of this may be general ennui, or may spring from natural feelings of trepidation related to taking on work above your current knowledge level. However, security professionals should be aware of how impostor syndrome can manifest in their careers and prepare to tackle it.
Causes for Cybersecurity & InfoSec Pros
Note: I'm in no way qualified as a psychologist or therapist. The observations below are anecdotal from my 15 years of experience in the InfoSec field, and are not designed to diagnose or offer any kind of treatment advice.
The fields of InfoSec and Cybersecurity are relatively new and rapidly evolving. This poses very particular challenges for us as professionals, and in my experience this dynamic nature gives rise to impostor moments like:
- No clear career paths in cyber: There is no clear entrance to this field or measure of an "expert", unlike other fields such as medicine or law with established academic tracks and achievements. Some of us got into security careers from related fields like IT, but many of us have completely unrelated backgrounds. Benchmarking your success is more fluid, which can make it tough to feel a sense of accomplishment - but you belong here even if your background is in psychology or linguistics or music!
- Ambiguity and dynamic environments: We're all familiar with that HR tagline of "fast-paced dynamic work environment", which is often code for "things change, we have no idea what you'll be working on, hope you're quick on your feet". Completely unforeseen vulnerabilities and attack vectors frequently disrupt our work, making it hard to feel a sense of mastery when scrambling to deal with these new threats. Conventional wisdom today is obsolete in very short order, so you may find yourself in situations that demand learning new skills even though you're at a senior or executive level.
- Constantly-evolving skills required: When I started my career a three-tier app architecture with proper firewalls and an IDS was sufficient. Now I'm struggling to figure out how to secure microservices which don't support legacy security controls like host-based firewalls or IDS agents. It's tough to feel accomplished in your overall career when you repeatedly have to grapple with today's advanced skills being outdated in just a few years, leaving you constantly feeling like a beginner.
- Breadth of the field: I am a fan of Rafeeq Rehman's annually-updated CISO Mind Map. Over the years the number of items under the purview of a CISO (and the teams comprising InfoSec and Cybersecurity) has grown. Each box indicates something we should be familiar with, but also represents disciplines people spend entire careers doing. Mastering everything from hardware security to legal & compliance to incident response is an impossible goal - but acknowledging your lack of mastery isn't a confidence booster.
- High failure rate: We recognize that as defenders we have to be right 100% of the time, but an attacker only has to get it right once. Even the best defenses will fail, and we have to figure out how to deal with that - without losing our sense of accomplishment and worth.
Possible Solutions
Note: Same note here as in the "Causes" section: I'm neither a psychologist nor a therapist. If you believe you have any kind of mental or physical issues, please seek the help of a qualified medical professional.
We as modern human beings often feel less competent than we ought to, and in a dynamic field like security the problem is more pronounced. First, it's crucial to recognize the validity of your feelings. Ignoring problems isn't a good idea generally, though hyperfocusing on them is also suboptimal. You may be feeling out of your comfort zone for many reasons, such as a security incident, new and complicated problems, or just generally being overwhelmed (burnout in this field is a separate but equally challenging issue).
- Acknowledge and probe why you're feeling like an impostor. Getting to that root cause can be helpful in formulating solutions. Below are some suggested starting points:
- Find mentors. Find a mentor, peers, and colleagues who can offer support, both within the security profession and from other fields. Law and personnel security are not technical issues, so building relationships in legal or HR can be helpful. Mentors can be useful simply as a friendly ear or sounding board rather than as a solution provider, and don't discount mentors from other fields. I had an amazing learning experience with a stage performer who talked about dealing with rejection after auditioning. The coping skills described were highly applicable to dealing with the aftermath of a security incident, when a well-designed control was inadequate despite best efforts and doing all the right things.
- Be a mentor. Sharing your skills and knowledge is a valuable boost to your own self-confidence, and can be a powerful learning tool. Explaining something to others is one of the best ways to integrate it into your own knowledge.
- Know your limitations. Learn to build teams and coalitions to round out your own weaker areas, and recognize that nobody can be an expert across all aspects of security. We deal with securing the entire business, from bare metal all the way up to complex multinational business processes. You can't have decades of experience in all disciplines, but you can build teams and mentorship connections with people who do. Understanding the basic importance of all security disciplines is sufficient; it's more important to have access to resources and relevant expertise when needed. Life is an open-book exam, so don't pressure yourself to have all the answers all the time!
- Learn to fail. Focusing only on outcomes and not on the skills acquired won't leave you fulfilled, because you can't win all the time. Failing doesn't feel great, but it is incredibly valuable. Focus on what you learned on the way to the failure, such as the new skills you acquired while performing a project, or the circumstance that kept you from succeeding. The only real failure is not obtaining any learnings from a defeat. Learning what not to do in the future can be more powerful than achieving a goal, especially when success is due to happenstance rather than your actions.
- Continue learning. The world is evolving rapidly. Information systems and services, digital devices, and totally new business models spring up almost daily, and it's easy to fall behind. Seek opportunities to learn and develop new skills which interest you, and you'll be well positioned to take on new challenges. When you feel overwhelmed by a new situation, try reframing it instead as an opportunity to expand your skills and knowledge. Eureka moments can be a powerful tool against impostor syndrome!