Note: This is first quick draft – further editing needed.
Most of newcomers to the security industry they tend have that security imposter syndrome, well I know it from first hand experience, as I was one of them. It is hard to shake it off, the sooner the better, otherwise it will stay on forever, is it good or bad?
First let’s get the definition right, according to the Dictionary.com — https://www.dictionary.com/browse/impostor-syndrome, impostor syndrome is anxiety or self-doubt that results from persistently undervaluing one’s competence and active role in achieving success, while falsely attributing one’s accomplishments to luck or other external forces.
Another good definition snatched from Stu Hirst’s presentations below
What is Imposter Syndrome? @stuhirstinfosec Impostor syndrome (also known as impostor phenomenon, impostorism, fraud syndrome or the impostor experience) is a psychological pattern in which an individual doubts their accomplishments and has a persistent internalised fear of being exposed as a “fraud”
I have been in the game since 2007, that’s about 14 years and counting (I don’t intend to leave this space for now and the foreseeable future 🙂 ). In the beginning, everything was new and the security concepts seem alien to me, and on top of that I was to ensure that the bank systems are secure. so was a bit of a tall task, and I needed to learn quick and provide assurance to the management that I knew what I was doing. So you can see how that came about.
Most of security practitioners, are not native security professionals, otherwise if you served in the military or police force, where most of the security controls/concepts where borrowed from, either from logical or physical security point of view. Hence, it is not a coincidence that most military men and women after retirement (active service), it is easy for them to transition into cybersecurity (civilian life).
Whilst the knowledge gap is massive, you will need to comeup with a strategy, plan however your call it to combat this. So how did I come out with a plan?
- Have a plan – My plan was to do a security certification every year, it doesn’t mean i have to pass the exam, whether fail or pass, it means that i have acquired the knowledge. I think when you fail, you learn more, so at least i can confess that i have failed most of the exams i have attempted on the first try, but that set me good from knowledge.
- Don’t afraid to try and fail – You need to understand that if you don’t experiment or try, you wont make progress. Of course, in any experiments there will be failures and success. SO there you go, you will fail anyway, so why don’t you try.
- Read more books – Reading a book is one thing, but taking action from the books is the next most practical thing you can do. Once you have identified the list of books you need to read, make sure you make an actionable plan to implement the ideas from the book. It doesn’t matter if the book is technical or not, you should be able to try to try in a virtual environment or fictions made up company e.g. when doing a risk assessment.
- What you do in your space time counts the most – I always believe in trial and errors, experiments, making mistakes and get something out of that as lesson learn or invention (whatever that maybe). If you take this as your key principle and setup e.g. a LAB if you are a pentester, trying new exploits, or if you are a Security GRC SME develop and test new models, will be a good way to enhance your skills. In addition, I would say read more and put things in practice, that’s the best way to learn and build confidence.
- Get involve in a community – There are number of security communities outthere for difference audience, and you can find them in LinkedIn or Professional Association such as ISACA, etc. Get involved and be active, and see how other security professional get on with their lives both professional and personal if they can to share.
I hope what I have discussed above make sense, and will help you to shake off that impostor syndrome, if not, please read some wise words below from Stu Hirst, one of the vets in this field.
Here is a link to one of the people i greatly admire in the security space, Stu Hirst, as I have been closely following up his rise in the corporate ranks as he grew into a house hold name, we tend to call them thought leaders. I first met Stu when he was working at SkyScanner as InfoSec Manger in Edinburgh, and now works at JustEat as Director of InfoSec.