Things I Wish I Knew Before InfoSec - Part 1 - Imposter Syndrome

When we (Rookie and Mark) sit down and go into one of those self-reflective modes, we often talk about things we wish we knew and so we figured it’d be a good idea to share some of those things. Hopefully maybe one person learns from our failings :) So, without further ado, this is the first post in the series of “Things I wish I Knew”.

One thing, I (Mark) personally wish I knew about was imposter syndrome, which according to Wikipedia is:

a psychological pattern in which one doubts one's accomplishments and has a persistent internalized fear of being exposed as a "fraud"

From exams in school to sports competitions, each house move, big “stretch” projects, every new role and becoming a parent, I’ve always had the feeling that I’m not good enough. This typically results in me striving to prove myself constantly, which typically works out well but when it doesn’t, it causes:

  • me to burn out
  • colleagues or friends to become frustrated as I may not be giving them enough space to grow and develop

You will find many examples with a simple search on the Internet:

So why talk about this subject now?

On a series of recent 1-1s with more junior Rioters, I realised that being open about having “imposter syndrome” was incredibly beneficial. I have always tried to ensure that I have transparent and honest relationships with my reports, and knew many have imposter syndrome to varying degrees, however, Covid has emphasised how important it is to share my own vulnerabilities. For example, I was recently told that given I lead Security @ Riot, have a family and own a house in LA, I obviously have “my shit together”, lol :p After I picked myself up off the floor, I indicated that that wasn’t true and I explained some examples where I experienced “imposter syndrome” such as:

  • every day when I was sitting in my class in university surrounded by many people who were considerably smarter
  • asking my (now-) wife out
  • becoming a manager
    • actually every job move or promotion putting me out of my comfort zone
  • it took me 12 years to get my first pure InfoSec role (<3 Rito)
    • I often thought I wasn’t “l33t” enough or didn’t have a sufficient “offensive” skillset
  • moving to the US (fairly terrifying and took a long time to adjust)
  • buying a house
  • and right now, I feel I work with people much smarter than me or when I’m collaborating with folk well outside of my SME (which to be honest, as a security person, can be quite a lot given how broad our problem space is).

As soon as I empathised and explained to my colleague that he/she was not alone in these feelings, there has nearly always been visible relief and relaxation. It’s important to realise and communicate that “most of us, if not all, feel imposter syndrome regularly”, without that feeling, it’s much harder to develop and grow.

Now, back to the 1-1, it’s obviously very important not to leave it there but to reassure:

  • share your own vulnerabilities and worries
  • point out strengths (but not just faint praise, as this will come across as disingenuous) and
  • come together on a plan (e.g. challenging projects based on strengths but still challenging enough for growth, stuff to benefit mental health and self-confidence) going forward to support.

As a leader, this was just another lesson for me in being transparent, truthful about my own shortcomings or concerns, and being honest but kind in my advice. 

There are many people more talented with greater achievements than me in InfoSec, and one thing that’s very common from my experience is imposter syndrome. Having it is probably healthy as it is typically correlated with humility, of which we need more, however, too much of it prevents us from truly achieving what we can. Most importantly though, imposter syndrome frequently stops us from asking for help, which ultimately prevents growth.

As a community/industry, we often discuss how we can make InfoSec more welcoming, one way is by being open on how we have been or still are affected by imposter syndrome, and where possible, share our failings like my good friend Adam recently did. So yeah, if you’ve got imposter syndrome, you’re not alone.

Thanks to Emma McCall, Adam Comerford, Reza Nikoopour and Chris John Riley for reviewing this post.

Note: Moved from my old site - originally posted on 2020-07-15.

