Skip to main content

Things I Wish I Knew Before InfoSec - Part 1 - Imposter Syndrome

When we (Rookie and Mark) sit down and go into one of those self-reflective modes, we often talk about things we wish we knew and so we figured it’d be a good idea to share some of those things. Hopefully maybe one person learns from our failings :) So, without further ado, this is the first post in the series of “Things I wish I Knew”.

One thing, I (Mark) personally wish I knew about was imposter syndrome, which according to Wikipedia is:

a psychological pattern in which one doubts one's accomplishments and has a persistent internalized fear of being exposed as a "fraud"

From exams in school to sports competitions, each house move, big “stretch” projects, every new role and becoming a parent, I’ve always had the feeling that I’m not good enough. This typically results in me striving to prove myself constantly, which typically works out well but when it doesn’t, it causes:

  • me to burnout
  • colleagues or friends to become frustrated as I may not be giving them enough space to grow and develop

You will find many examples with a simple search on the Internet:

So why talk about this subject now?

On a series of recent 1-1s with more junior Rioters, I realised that being open about having “imposter syndrome” was incredibly beneficial. I have always tried to ensure that I have transparent and honest relationships with my reports, and knew many have imposter syndrome to varying degrees, however, Covid has emphasised how important it is to share my own vulnerabilities. For example, I was recently told that given I lead Security @ Riot, have a family and own a house in LA, I obviously have “my shit together”, lol :p After I picked myself up off the floor, I indicated that that wasn’t true and I explained some examples where I experienced “imposter syndrome” such as:

  • every day when I was sitting in my class in university surrounded by many people who were considerably smarter
  • asking my (now-) wife out
  • becoming a manager
    • actually every job move or promotion putting me out of my comfort zone
  • it took me 12 years to get my first pure InfoSec role (<3 Rito)
    • I often thought I wasn’t “l33t” enough or didn’t have a sufficient “offensive” skillset
  • moving to the US (fairly terrifying and took a long time to adjust)
  • buying a house
  • and right now, I feel I work with people much smarter than me or when I’m collaborating with folk well outside of my SME (which to be honest, as a security person, can be quite a lot given how broad our problem space is).

As soon as I empathised and explained to my colleague that he/she was not alone in these feelings, there has nearly always been visible relief and relaxation. It’s important to realise and communicate that “most of us, if not all, feel imposter syndrome regularly”, without that feeling, it’s much harder to develop and grow.

Now, back to the 1-1, it’s obviously very important not to leave it there but to reassure:

  • share your own vulnerabilities and worries
  • point out strengths (but not just faint praise, as this will come across as disingenuous) and
  • come together on a plan (e.g. challenging projects based on strengths but still challenging enough for growth, stuff to benefit mental health and self-confidence) going forward to support.

As a leader, this was just another lesson for me in being transparent, truthful about my own shortcomings or concerns, and being honest but kind in my advice. 

There are many people more talented with greater achievements than me in InfoSec, and one thing that’s very common from my experience is imposter syndrome.Having it is probably healthy as it is typically correlated with humility, of which we need more of, however, too much of it prevents us from truly achieving what we can. Most importantly though, imposter syndrome frequently stops us from asking for help, which ultimately prevents growth.

As a community/industry, we often discuss how we can make InfoSec more welcoming, one way is by being open on how we have been or still are affected by imposter syndrome, and where possible, share our failings like my good friend Adam recently did. So yeah, if you’ve got imposter syndrome, you’re not alone.

Thanks to Emma McCallAdam Comerford, Reza Nikoopour and Chris John Riley for reviewing this post.


Note:  Moved from my old site - securityleadership.ninja - originally posted on 2020-07-15.

Comments

Popular posts from this blog

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: http://half-bakedbaker.blogspot.ie/2009/11/cannoli-and-broken-computer.html As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a

LinkedIn Emails

Receiving mails via LinkedIn is an interesting experience. For example, how many folk actually personalise "contact requests" - from what I see, less than 1%. I typically try to because I think it shows some thought has gone into the request and it's friendly, but then "manners" on the Internet is a very different thing to the real world, right ;-) Anyway, to the point of the blog post. In early November (2012), whilst I was preparing my Security Onion presentation for IrissCon  (why did I bother when my MBP died on-stage), I received a very interesting and personal email via LinkedIn. The email came from a "Senior International Belief Instigator" (let's call him the SIBI - to save me typing) at Riot Games and the email was literally awesome, it hit many of the key points that you'd hope for in a recruiter email but it also had a wonderful tone. In my ignorance, I knew of League of Legends but not Riot (yes, I am embarrassed by that). I r

WAF versus DPI Firewall

This is a question, I've frequently been asked in recent years and in the last month, o n one of the internal mailing lists, in my old company, the following question was posted – In simple terms, what tasks is a Web Application Firewall (WAF) able to do that a Deep Inspection Firewall can't and why ? by one of my colleagues. Many of you may be surprised (I know I was initially) but this question still comes up an awful lot. Having answered the email (as a warning, I went into a lot of detail and plugged the awesome Security Onion ), I was requested to write a technical blog on the subject, but as I left the company soon after, the blog was never published. Therefore, to save me answering the question again, I thought I’d publish it so I can just reference the link in future J