Things I Wish I Knew Before InfoSec - Part 1 - Imposter Syndrome

When we (Rookie and Mark) sit down and go into one of those self-reflective modes, we often talk about things we wish we knew and so we figured it’d be a good idea to share some of those things. Hopefully maybe one person learns from our failings :) So, without further ado, this is the first post in the series of “Things I wish I Knew”.

One thing I (Mark) personally wish I knew about was imposter syndrome, which according to Wikipedia is:

a psychological pattern in which one doubts one's accomplishments and has a persistent internalized fear of being exposed as a "fraud"

From exams in school to sports competitions, each house move, big “stretch” projects, every new role and becoming a parent, I’ve always had the feeling that I’m not good enough. This typically results in me striving to prove myself constantly, which typically works out well but when it doesn’t, it causes:

  • me to burn out
  • colleagues or friends to become frustrated as I may not be giving them enough space to grow and develop

You will find many examples with a simple search on the Internet:

So why talk about this subject now?

On a series of recent 1-1s with more junior Rioters, I realised that being open about having “imposter syndrome” was incredibly beneficial. I have always tried to ensure that I have transparent and honest relationships with my reports, and knew many have imposter syndrome to varying degrees, however, Covid has emphasised how important it is to share my own vulnerabilities. For example, I was recently told that given I lead Security @ Riot, have a family and own a house in LA, I obviously have “my shit together”, lol :p After I picked myself up off the floor, I indicated that that wasn’t true and I explained some examples where I experienced “imposter syndrome” such as:

  • every day when I was sitting in my class in university surrounded by many people who were considerably smarter
  • asking my (now-) wife out
  • becoming a manager
    • actually every job move or promotion putting me out of my comfort zone
  • it took me 12 years to get my first pure InfoSec role (<3 Rito)
    • I often thought I wasn’t “l33t” enough or didn’t have a sufficient “offensive” skillset
  • moving to the US (fairly terrifying and took a long time to adjust)
  • buying a house
  • and right now, I feel I work with people much smarter than me or when I’m collaborating with folk well outside of my SME (which to be honest, as a security person, can be quite a lot given how broad our problem space is).

As soon as I empathised and explained to my colleague that he/she was not alone in these feelings, there has nearly always been visible relief and relaxation. It’s important to realise and communicate that “most of us, if not all, feel imposter syndrome regularly”, without that feeling, it’s much harder to develop and grow.

Now, back to the 1-1, it’s obviously very important not to leave it there but to reassure:

  • share your own vulnerabilities and worries
  • point out strengths (but not just faint praise, as this will come across as disingenuous) and
  • come together on a plan (e.g. challenging projects based on strengths but still challenging enough for growth, stuff to benefit mental health and self-confidence) going forward to support.

As a leader, this was just another lesson for me in being transparent, truthful about my own shortcomings or concerns, and being honest but kind in my advice. 

There are many people more talented with greater achievements than me in InfoSec, and one thing that’s very common from my experience is imposter syndrome. Having it is probably healthy as it is typically correlated with humility, of which we need more; however, too much of it prevents us from truly achieving what we can. Most importantly though, imposter syndrome frequently stops us from asking for help, which ultimately prevents growth.

As a community/industry, we often discuss how we can make InfoSec more welcoming, one way is by being open on how we have been or still are affected by imposter syndrome, and where possible, share our failings like my good friend Adam recently did. So yeah, if you’ve got imposter syndrome, you’re not alone.

Thanks to Emma McCall, Adam Comerford, Reza Nikoopour and Chris John Riley for reviewing this post.


Note:  Moved from my old site - securityleadership.ninja - originally posted on 2020-07-15.
