How to shake off the security imposter syndrome

Note: This is a first quick draft; further editing is needed.

Most newcomers to the security industry tend to have that security imposter syndrome; I know it from first-hand experience, as I was one of them. It is hard to shake off, and the sooner you do the better, otherwise it will stay with you forever. Is it good or bad?

First let’s get the definition right. According to Dictionary.com (https://www.dictionary.com/browse/impostor-syndrome), impostor syndrome is anxiety or self-doubt that results from persistently undervaluing one’s competence and active role in achieving success, while falsely attributing one’s accomplishments to luck or other external forces.

Another good definition, taken from one of Stu Hirst’s presentations, is below:

What is Imposter Syndrome? (@stuhirstinfosec) Impostor syndrome (also known as impostor phenomenon, impostorism, fraud syndrome or the impostor experience) is a psychological pattern in which an individual doubts their accomplishments and has a persistent internalised fear of being exposed as a “fraud”.

Source: Why Imposter Syndrome Isn't Bad: How to Conquer Self-Doubt | TechTello, https://www.techtello.com/imposter-syndrome/

I have been in the game since 2007, that’s about 14 years and counting (I don’t intend to leave this space for now or the foreseeable future 🙂). In the beginning, everything was new and the security concepts seemed alien to me, and on top of that I was to ensure that the bank’s systems were secure. So it was a bit of a tall task, and I needed to learn quickly and provide assurance to management that I knew what I was doing. So you can see how that came about.

Most security practitioners are not native security professionals, unless you served in the military or police force, where most of the security controls and concepts were borrowed from, whether from a logical or a physical security point of view. Hence, it is not a coincidence that for most military men and women, after retirement from active service, it is easy to transition into cybersecurity in civilian life.

Whilst the knowledge gap is massive, you will need to come up with a strategy or plan, whatever you call it, to combat this. So how did I come up with a plan?

  1. Have a plan – My plan was to do a security certification every year. It doesn’t mean I have to pass the exam; whether I fail or pass, it means that I have acquired the knowledge. I think when you fail, you learn more, so at least I can confess that I have failed most of the exams I have attempted on the first try, but that set me up well in terms of knowledge.
  2. Don’t be afraid to try and fail – You need to understand that if you don’t experiment or try, you won’t make progress. Of course, in any experiment there will be failures and successes. So there you go: you will fail anyway, so why don’t you try?
  3. Read more books – Reading a book is one thing, but taking action from the books is the next most practical thing you can do. Once you have identified the list of books you need to read, make sure you make an actionable plan to implement the ideas from the book. It doesn’t matter if the book is technical or not; you should be able to try the ideas out in a virtual environment or a fictional made-up company, e.g. when doing a risk assessment.
  4. What you do in your spare time counts the most
  5. Get involved in a community

I hope what I have discussed above makes sense and will help you to shake off that impostor syndrome; if not, please read some wise words below from Stu Hirst, one of the veterans in this field.

Here is a link to one of the people I greatly admire in the security space, Stu Hirst. I have been closely following his rise in the corporate ranks as he grew into a household name; we tend to call them thought leaders. I first met Stu when he was working at SkyScanner as InfoSec Manager in Edinburgh, and he now works at JustEat as Director of InfoSec.

Author: kinyoka

A certified Information Security professional, with demonstrated experience spanning more than 10 years in the financial, banking, consulting, and payment card industries in managing Information Security Management Systems (ISMS). A postgraduate degree holder in Information Security Management (M.Sc); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA. Demonstrated to be a reliable, trustworthy, and meticulous person; has worked in controls-focused, multinational, and multicultural organisations over the years and gained a good understanding of what is required of the Information Security professional.

Specialties: ISMS based on ISO/IEC 27001/2; Payment Card Industry (PCI) DSS, QSA-led services (PCI scoping, gap analysis and formal assessment (RoC)); IT Governance, Risk and Compliance (GRC) Management; Cyber Security; Penetration Testing; Enterprise Security Architecture; Technical Security Architecture.
