When I was a student, I participated in many cybersecurity competitions. And, honestly, for all of them, I fought with impostor syndrome. Actually, I take that back, I warred. From my first competition, the Collegiate Cyber Defense Competition (CCDC), where I was afraid to go outside of my comfort zone and break the mold that I’d set myself in, to the National Cyber League (NCL) where I was afraid to move up a bracket because I felt I didn’t belong there. I won’t even begin to touch on any of the other Capture-the-Flags (CTFs), or the National Collegiate Penetration Testing Competition (CPTC). While I loved them all, there was always an internal battle going on in my brain. Never once did it cross my mind that, as I learn more, I should be moving up. In the NCL, I attributed any flags and any success I had in that competition to either beginner’s luck or strictly my teammates. None of it was due to the hard work that I had put in. I used to think, and often still do, that my team was willing to keep me around for a few reasons:
- I’m a social nerd and at times have adequate conversational skills. That meant I was there to give the team some soft skills and I didn’t have to put my own technological skills to the test.
- At first, I was the token female and convinced that I was only there for diversity, as most of our competitive teams were all white males. I do not have either of those characteristics.
I was afraid of failure, and I often received questions about what I was doing in the major and what magic I worked to be so successful. These questions made by others fueled the fire of my impostor syndrome and, for a short period of time, it became a self-fulfilling prophecy.
There were times when I wanted nothing more than to jump into the technical conversation and give my ideas or potential solutions, but I held back because I was afraid that, if I opened my mouth, my team would know I was the weak link and find somebody better to replace me. I made the mistake of downplaying my role at a previous job where I managed enterprise level applications as a high school junior and had taken Microsoft certified classes to ensure that I was knowledgeable about a particular product. The team put their trust in me only after I worked very hard to prove myself and show that I knew more than the current team member working on the software.
When it came time for the competition, my impostor syndrome came back in full force. I became very unsure of what I was even doing there and did not want to work as the subject matter expert (SME) for the software that I said I would. That day, I learned the importance of a pep talk, and how important communicating with someone else is when struggling with impostor syndrome. That day is one I will never forget because, even though I still broke a few things, I noticed how impostor syndrome had shaped my teammates’ view of me, and how that became a self-fulfilling prophecy. This was my first chance to step outside my comfort zone and change what I saw, as well as what I thought others were seeing.
I’m going to be very blunt: impostor syndrome sucks. Nobody wants to feel lost in the professional world, or in the classroom, that they’ve worked hard to get themselves in.
Do I have this?
You might. For some, impostor syndrome comes in waves. There are days when you have a high, you are confident, you are strong, smart, and there are those days when you begin to question every decision you’ve ever made.
- Did I make the right call?
- Should I have asked that question?
- Do people think I’m an idiot because I’ve asked a question in a meeting?
These questions run through my head daily as I struggle with impostor syndrome on an hourly basis on a bad day. For those of you who are programmers, have you ever downplayed your own code by saying “I just copied and pasted from StackOverflow” or “I don’t really know why it works, I just googled and threw something in”? Now, this may surprise you, but most people do not have the ability to Google and find the answer that you are searching for. While it is true that, yes, any person can Google, do they A. know how to Google, B. understand what resources to use in Google, and C. even know how to describe their issue that requires googling?
Our careers are built on Google, whether it be networking and learning how to subnet or using a subnet calculator, or somebody in cybersecurity learning the first bits of malware analysis from VirusTotal or Hybrid Analysis. Learning the tools and tricks of the trade that will lead you back to Google time and time again is causing people to believe that they do not possess the knowledge to be a savant in their field, but these Google tricks are how others are succeeding. Googling day in and day out leads many to feel as though they are an imposter; I can confirm 100% this is not the case. In one of the most shocking moments of my life, I was speaking to a CTO at a conference, I asked him a question, and he said “I don’t actually know, whenever I need to do that, I just Google it.” I don’t think I listened to the next two talks I went to. I just thought about that sentence, and that was one of the first times I thought about how critical Google truly is to the cybersecurity industry.
Somewhere out there are some people with an incorrect set of beliefs. Cybersecurity, computer science, and any other technology-related field do not exist solely for those born with an “innate talent for the industry.” All technology-related fields have a completely different language, and I can promise you that not a single person was born writing fluent Python or reverse engineering a binary without blinking an eye and being able to rattle off the names of the assigned ports. Everyone learns differently, but when we are all in the real world we all look to the same sources of truth: Google, our peers on forums, and sometimes, believe it or not, our college textbooks.
Sadly, in the cybersecurity industry we have many aggressive people who are afraid to show any vulnerability or admit a lack of knowledge. These people also suffer from imposter syndrome; however, most choose to deal with imposter syndrome by attempting to assert dominance and establish themselves as a person of higher intelligence to feel better about themselves. This way of dealing with imposter syndrome is not only unhealthy, but leads to a terrible environment for both sides. The aggressor with imposter syndrome who has asserted dominance has created a high-stress environment for themselves, as they can never admit that they too have things that they do not know for fear of being thought of as less. The victim, who has been belittled by this aggressor, is either experiencing feelings of imposter syndrome, or has felt their imposter syndrome be reinforced and they are more likely to feel as though they are a fraud and someone knows. It’s terrible for both sides and hard to build a relationship, whether professional or friendship, after experiencing this.
Computer science, cybersecurity, information technology, software design, software engineering, and networking are all careers comprised of geniuses who suffer from imposter syndrome. Anybody in these careers has imposter syndrome due to the fact that all of these are so broad that not any single person will have all of the answers for everything in their field. One of the scientific greats, Albert Einstein, once said “the exaggerated esteem in which my life work is held makes me very ill at ease. I feel compelled to think of myself as an involuntary swindler.” Once I realized Einstein suffered as well, I was less upset, as this showed that for some, no matter what you do, you may always have these feelings, but you are still able to achieve greatness.
I don’t think anybody is wrong to feel this way. It is natural in our industry, and rather than try to hide it, we should work through it together. I have experienced firsthand what happens when you throw a bunch of people with imposter syndrome together and try to make it work. Those who have a dominant personality will often band together; those who do not will often isolate themselves and be less inclined to work with everyone as a whole. This past year, I left my cybersecurity team and lost most of the friends I had with it because I was so determined to prove to them that I am not a failure and I can make it in the industry, and that I am smart. Having joined the other side of every prior competition, I have been watching students struggle with imposter syndrome as well as watching the professionals handle imposter syndrome, or struggle.
So, how do I beat this?
Whenever I am questioning myself, I think about my knowledge. I like to ask myself these questions and either write it down or type it up each time I begin to feel imposter syndrome. One. What do I not know? Two. Why do I not know this? Three. Am I sure I do not know this? Four. What can I do to learn what I do not know?
Next, I start to think about what I know and what I do well. I then answer the following questions. One. What was the last thing that I accomplished? Two. What am I currently working on? Three. Am I perfect? The answer to this last question should always be no because nobody is perfect, and every once in a while we forget that.
For some, it’s hard to admit that they either do not know everything that they should or are unable to put everything that they have learned into practice. For most of us starting out in the industry, we have spent countless hours in a classroom environment learning about perfect scenarios, small-scale environments, and edge cases that we have been told are very rare and that we may not need to know ever again. Now that we are in the industry, or at our first internship, or whatever our first real-world learning experience may be, this outside world is a slap in the face. Those scenarios most likely will not always apply, as everything changes from company to company; hell, everything changes from department to department in most companies. Legacy code, software, and hardware do exist. It is not always possible to magically patch or upgrade or make something a bit faster just because that’s the way it should be.
As a quick example, the Microsoft Registry is filled with vulnerabilities. By logic in both the cybersecurity and software engineering fields, the Microsoft Registry in both accessibility and format should no longer exist. That is a guaranteed vulnerability in any Microsoft system; there will never be a perfect environment where nothing is hackable or breakable as long as the registry exists. Would we be able to function without the registry? Would we be able to write software for further secure systems if something goes wrong? Not a chance. It might be imperfect, but it is the best solution available. Just like imposter syndrome, you may not be perfect, but you were chosen for a reason.
Now, here’s the hard part: it’s time to change your thinking. And I will be completely honest, this is where I struggle the most and this is where I see my friends struggling, because it’s hard to flip the switch from the negative “why am I here? How did I get here? This must be some error… I don’t belong here” to a more positive “I have chosen the field where I will always be learning, and this is going to be an uphill battle because I am not perfect, this industry is not perfect, but we’re going to build each other up.” Whenever I am working on changing my thinking, I like to speak with those who are above the totem pole from me, as well as my peers. I always like to hear from management a no-holds-barred truth, because I do want to improve, but I also feel the need to know where I currently stand. For my coworkers and peers, I like to get their insights as well as their feelings about how they have struggled with this or are currently struggling, why they believe they’re struggling, and what we can do to help each other.
I think I may have said this about 70 times now, but imposter syndrome is hard. Nobody will fault you for having imposter syndrome, but with a change of beliefs each and every single time the feelings come up, I notice myself struggling less and less on a daily basis. I hope that you will find some semblance of success, however small, just from knowing you are not alone.
Best of luck, my friends.