
‘Brain Weasels’: Impostor Syndrome in Cybersecurity

There are several attributes that tie the cybersecurity community together – namely our collective passion for solving complex problems in order to reduce harm – but one has stood out prominently over the years: impostor syndrome.

I’ve spent a significant amount of time at cybersecurity conferences and networking events, in different Slack groups, and in both the go-to-market and more technical communities. There are several attributes that tie us together – namely our collective passion for solving complex problems in order to reduce harm – but one has stood out most prominently over the years: impostor syndrome.

There are many clinical definitions for this, but since I am not a clinician, I’ll simply share my own experience. For instance, I often suffer from crippling self-doubt even in areas in which I know I have codified, quantitative evidence that I have done the right things, or even have notable success to show. I have nightmares that I’ve been “found out” and people realize I have no idea what I am doing. And the worst, my self-worth can start to feel shaky when I believe that for (enter myriad of insecurities here) I don’t deserve any achievements I have earned.

When this happens I often turn to my closest friends to help snap me out of it. Sometimes these things trigger because of a bad day, other times they are situational. My dear friend Mark Bagley, a veteran product and engineering executive in our industry, actually taught me the term “brain weasels” and even visualizing these fears as little weasels with personalities and their own style (similar to internal family systems therapy, or IFS, if you’re familiar) helps significantly.

I’d still prefer these weasels go away. I know most of us would.

Of course, impostor syndrome applies to people far beyond cybersecurity, but why is it so prevalent in our industry? I asked my friend and former colleague, Dr. Stacy Thayer, a cyberpsychologist with a specialization in the security industry.

“This is an industry where the roots are built on extreme technical prowess and that ‘rockstar mentality.’ We’re also an industry that’s designed to pick things apart and seek vulnerabilities and find flaws to improve security; so, naturally sometimes we can’t help but to turn that mirror onto ourselves,” Dr. Thayer said.

I know that my impostor syndrome comes from the ways that I’m sometimes treated because of the work that I do. I recently discussed this with Dennis Fisher on his podcast, about how even after 24 years in this industry, I still have people tell me that I do not belong in cybersecurity, or I am not truly in the industry, because I can’t code or reverse engineer or insert hands-on technical skill here. Never mind the fact that you cannot be a successful go-to-market professional in our industry without having some technical comprehension, but the divide is wide.

Dr. Thayer spoke about this, too. She agrees that there is a lot of “technical gatekeeping” in the security industry. “For those who might be afraid they’re not technically excellent, then there becomes a cycle of anxiety and self-doubt about whether you belong, whether you have the technical expertise, whether you even need the technical expertise, and is it actually the technical part that makes you strong at your job?” she said. “It’s definitely changed over the years and we’re moving toward a more inclusive community but there’s been a lot of gatekeeping and people can’t help but feed their impostor syndrome.”


I will say, and I did also say to Fisher, that for every person that tries to put me and others like me into a box, there are phenomenal members of the deeper technical community who have taken us under their collective wing to teach us because they know, in the end, this industry and the community are an ecosystem that has to operate together if we are going to do what we need. And that includes helping each other with our mental health.

The key word here, of course, is community. And there is a delineation between the industry and the community, even if we sometimes use them interchangeably. The industry is often thought of as the vendors and other types of organizations that provide solutions to solve security problems. The community represents an aligned think tank of all kinds of cybersecurity profiles who engage with each other to share information and provide visibility into attacks, vulns, and risks and how to address attacks, vulns, and risks. Of course, many in the community are employed in the industry, hence the fuzzy delineation.

Dr. Thayer is convinced that the community itself, despite the common challenges that any large and diverse group of people may face, is key in helping others to address impostor syndrome and tame those pesky brain weasels.

“Relying on the community helps; pay attention to some of the bigger voices in the field who are mentors to many, yet have also boldly talked about their own moments of doubt,” she said. “Everybody, even the people we may see as top of their game, who experience rejection or simply have a hard day, get hit with their insecurities and fears. We do need to create more safe spaces in the community to talk about these issues, but they do exist.”

I have leaned on the community when I have felt overwhelmed in the face of my own brain weasels. Sometimes I’ll text a few friends just to check in; sometimes I’ll say, “I am spiraling and my cats and I are going to end up living in a box somewhere.” It really depends on how severe. But any time I have reached out to friends in the community, they have caught me.

Other things to consider:

  • Are you burnt out? Perhaps take a day or two off to re-center emotionally or play with your kids or do sensory deprivation therapy or walk around the block and get some air.
  • Are there other factors in your life that are causing self-doubt that are seeping into your work brain and giving energy to the brain weasels who love to introduce fear? Sometimes, simple paper lists separating the causes can help.
  • Are you dealing with a long-term layoff situation and struggling to find a job, or recently laid off and facing the terror of the unknown? You are not alone (I was here very recently). Band together with others in the situation and use your voice to help them and they will do the same.
  • Are you sad because your talk was rejected at a conference? Or did you fail a code test? Was there a vulnerability discovered in a product you are responsible for but, of course, could never fully secure on your own? You’re still amazing. Full stop.
  • The list goes on, and on, and on…

Cybersecurity is a tough industry with a lot of pressures and a lot of black holes to stumble into. Whether you are a SOC analyst or a reverse engineer or a salesperson or a customer advocate, you’re dealing with a lot of pressure around problems that could mean the safety of humans or the viability of organizations. I think at the very bottom line, giving yourself grace and accepting that this is just your brain lying to you, and that you are good enough (insert Stuart Smalley here) can temper the impostor syndrome.

Of course, the doctor (Thayer) says it best: “Normalize impostor syndrome and embrace it, speak up about it, raise your hand and express your doubt and not only will you receive support, but you may also help someone else quietly suffering.”


Written By

Jennifer Leggio is the owner of Moveable Feast, a firm specializing in cybersecurity go-to-market, business operations, and leadership. Her ventures over the last 24 years include startups emerging from stealth, build-to-exit, build-to-grow, and rebuild-for-strength strategies. Beyond business, Jennifer has embarked on unique self-improvement journeys, applying her many lessons to leadership coaching, team building, and mentoring, for the humans behind the technology and processes that reduce cyber risk. Between consultancy, agency, and in-house work, she has supported a bevy of great companies at startup and high-growth to exit stage, and is most proud of Fortinet, Sourcefire, Flashpoint, and Claroty. Renowned for her tenacity, strategic vision, and no-nonsense approach, she also prioritizes calculated risks to disrupt the status quo and enhance diversity and inclusion in technology. She has relentlessly advocated for ethical marketing programs and the protection of security researchers, speaking on these and other topics at numerous conferences.

