
‘Brain Weasels’: Impostor Syndrome in Cybersecurity

There are several attributes that tie the cybersecurity community together – namely our collective passion for solving complex problems in order to reduce harm – but one has stood out prominently over the years: impostor syndrome.


I’ve spent a significant amount of time at cybersecurity conferences and networking events, in different Slack groups, and in both the go-to-market and more technical communities. There are several attributes that tie us together – namely our collective passion for solving complex problems in order to reduce harm – but one has stood out most prominently over the years: impostor syndrome.

There are many clinical definitions for this, but since I am not a clinician, I’ll simply share my own experience. For instance, I often suffer from crippling self-doubt even in areas in which I know I have codified, quantitative evidence that I have done the right things, or even have notable success to show. I have nightmares that I’ve been “found out” and people realize I have no idea what I am doing. And the worst, my self-worth can start to feel shaky when I believe that for (enter myriad of insecurities here) I don’t deserve any achievements I have earned.

When this happens I often turn to my closest friends to help snap me out of it. Sometimes these things trigger because of a bad day, other times they are situational. My dear friend Mark Bagley, a veteran product and engineering executive in our industry, actually taught me the term “brain weasels” and even visualizing these fears as little weasels with personalities and their own style (similar to internal family systems therapy, or IFS, if you’re familiar) helps significantly.

I’d still prefer these weasels go away. I know most of us would.

Of course, impostor syndrome applies to people far beyond cybersecurity, but why is it so prevalent in our industry? I asked my friend and former colleague, Dr. Stacy Thayer, a cyberpsychologist with a specialization in the security industry.

“This is an industry where the roots are built on extreme technical prowess and that ‘rockstar mentality.’ We’re also an industry that’s designed to pick things apart and seek vulnerabilities and find flaws to improve security; so, naturally sometimes we can’t help but to turn that mirror onto ourselves,” Dr. Thayer said.

I know that my impostor syndrome comes from the ways that I’m sometimes treated because of the work that I do. I recently discussed this with Dennis Fisher on his podcast, about how even after 24 years in this industry, I still have people tell me that I do not belong in cybersecurity, or I am not truly in the industry, because I can’t code or reverse engineer or insert hands-on technical skill here. Never mind the fact that you cannot be a successful go-to-market professional in our industry without having some technical comprehension, but the divide is wide.

Dr. Thayer spoke about this, too. She agrees that there is a lot of “technical gatekeeping” in the security industry. “For those who might be afraid they’re not technically excellent, then there becomes a cycle of anxiety and self doubt about whether you belong, whether you have the technical expertise, whether you even need the technical expertise, and is it actually the technical part that makes you strong at your job?” she said. “It’s definitely changed over the years and we’re moving toward a more inclusive community but there’s been a lot of gatekeeping and people can’t help but feed their impostor syndrome.”


I will say, and I did also say to Fisher, that for every person that tries to put me and others like me into a box, there are phenomenal members of the deeper technical community who have taken us under their collective wing to teach us because they know, in the end, this industry and the community are an ecosystem that has to operate together if we are going to do what we need. And that includes helping each other with our mental health.

The key word here, of course, is community. And there is a delineation between the industry and the community, even if we sometimes use them interchangeably. The industry is often thought of as the vendors and other types of organizations that provide solutions to solve security problems. The community represents an aligned think tank of all kinds of cybersecurity profiles who engage with each other to share information and provide visibility into attacks, vulns, and risks and how to address them. Of course, many in the community are employed in the industry, hence the fuzzy delineation.

Dr. Thayer is convinced that the community itself, despite the common challenges that any large and diverse group of people may face, is key in helping others to address impostor syndrome and tame those pesky brain weasels.

“Relying on the community helps; pay attention to some of the bigger voices in the field who are mentors to many, yet have also boldly talked about their own moments of doubt,” she said. “Everybody, even the people we may see as top of their game, who experience rejection or simply have a hard day, get hit with their insecurities and fears. We do need to create more safe spaces in the community to talk about these issues, but they do exist.”

I have leaned on the community when I have felt overwhelmed in the face of my own brain weasels. Sometimes I’ll text a few friends just to check in; sometimes I’ll say, “I am spiraling and my cats and I are going to end up living in a box somewhere.” It really depends on how severe. But any time I have reached out to friends in the community, they have caught me.

Other things to consider:

  • Are you burnt out? Perhaps take a day or two off to re-center emotionally or play with your kids or do sensory deprivation therapy or walk around the block and get some air.
  • Are there other factors in your life that are causing self-doubt that are seeping into your work brain and giving energy to the brain weasels who love to introduce fear? Sometimes, simple paper lists separating the causes can help.
  • Are you dealing with a long-term layoff situation and struggling to find a job, or recently laid off and facing the terror of the unknown? You are not alone (I was here very recently). Band together with others in the situation and use your voice to help them and they will do the same.
  • Are you sad because your talk was rejected at a conference? Or did you fail a code test? Was there a vulnerability discovered in a product you are responsible for but, of course, could never fully secure on your own? You’re still amazing. Full stop.
  • The list goes on, and on, and on…

Cybersecurity is a tough industry with a lot of pressures and a lot of black holes to stumble into. Whether you are a SOC analyst or a reverse engineer or a salesperson or a customer advocate, you’re dealing with a lot of pressure around problems that could mean the safety of humans or the viability of organizations. I think at the very bottom line, giving yourself grace and accepting that this is just your brain lying to you, and that you are good enough (insert Stuart Smalley here) can temper the impostor syndrome.

Of course, the doctor (Thayer) says it best: “Normalize impostor syndrome and embrace it, speak up about it, raise your hand and express your doubt and not only will you receive support, but you may also help someone else quietly suffering.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
