© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
M. J. Haber et al., Cloud Attack Vectors, https://doi.org/10.1007/978-1-4842-8236-6_12

12. Imposter Syndrome

Morey J. Haber (1), Brian Chappell (2) and Christopher Hills (3)
(1) Lake Mary, FL, USA
(2) Basingstoke, Hampshire, UK
(3) Gilbert, AZ, USA

If you listen to security podcasts, webinars, and panels, you probably have come across the term “imposter syndrome.” If you are not familiar with the term, it is defined as a psychological pattern in which an individual distrusts their abilities or accomplishments and has a persistent mental fear of being exposed as a “fraud.” Despite evidence of their capabilities and knowledge, individuals experiencing this condition remain convinced that they are frauds and should not receive accolades for their accomplishments. Individuals with imposter syndrome incorrectly attribute their success to being lucky, attribute it to being a con artist with faux intelligence, or believe that they have perpetrated a ruse over other individuals.

Imposter syndrome is very real in technology communities, and it has come into focus in cybersecurity communities because it is impossible for a single person to be a true expert in everything cybersecurity related. A medical doctor can have a broad range of medical knowledge, but, in practice, they focus on one medical discipline or another, like radiology or internal medicine; the same is true of a cybersecurity professional.

You would not allow a general practitioner to perform open heart surgery, just as you would not want a forensics expert performing the network and operating system hardening of a new infrastructure. For doctors, their skills and knowledge are monitored and tested at every step along their medical journey. This creates reference points and a plan that one must follow before becoming a physician of any type.

For cybersecurity professionals, outside of a few industry standard certifications, there are no formal paths required to becoming a professional in the cybersecurity industry. In fact, many individuals excel at being experts without an ounce of formal training. They speak publicly, participate in panels, and have even written books without a single security certification or suffix attached to their name, like CISSP. This opens the question: when does someone become an expert in cybersecurity, and how do we overcome the self-doubt that leads to imposter syndrome?

We know a doctor is a doctor because they finished medical school and passed all the required exams to become accredited. How do we know someone is a cybersecurity professional and that they have proof to overcome the mental duress that causes imposter syndrome? From our perspective, a touch of self-doubt is healthy. It helps drive you harder to ensure you are an expert in your area of concentration and truly an expert to the best of your abilities. Depression, however, is a killer. If you are feeling low, uncertain, and have low self-esteem, the results can be devastating. When you exhibit signs of self-doubt and depression together, in our opinion, you have the traits necessary to exhibit imposter syndrome. In all the years I have worked in cybersecurity (20+ now), I have never met anyone suffering from imposter syndrome who was not also depressed.

Unfortunately, outside of a person’s personal opinion about themselves, imposter syndrome has another, more modern effect on individuals. It is when others have branded you an “imposter.” This syndrome is the personification of another person’s prejudice or jealousy to label someone else as an imposter. It is the accuser’s disbelief that the victim could actually achieve the results they obtained, and the accuser is labeling them a fraud, creating self-doubt, to undermine their work or mental well-being in lieu of celebrating their success. This is the most serious set of circumstances for someone who is susceptible to imposter syndrome. And, based on the recent discussions I have seen on panels, webinars, and chats, this practice occurs quite frequently to discredit the speaker (expert). When it does occur, the accuser is truly the one with esteem issues – not the speaker!

Imposter syndrome is an actual condition affecting cybersecurity professionals. One version is self-induced and the other instigated based on malicious intent.

Some cases of imposter syndrome can be effectively managed or cured with personal mental health improvement. However, in cases where an individual’s credibility is being unduly and maliciously attacked or undermined, that’s when it’s important for the cybersecurity community to step up and provide support to others. While this may sound controversial, negative attacks should not be allowed to go unchecked, and actions could easily include deleting negative, demeaning posts, blocking the user, or even respectful, constructive responses to the attack. Negative responses to an attack just play into the accuser’s game and should always be avoided. Always take the high road when responding to an attacker, and remember, your results are your own. If you are honest with yourself, self-reflective, humble, and periodically seek out the counsel of your peers, you can avoid imposter syndrome, or at least recover from it.

So, what does this have to do with cloud security? If you consider how new the cloud is and how fast and broad innovation is happening, it is impossible to know everything about it. There truly is no one that is an expert regarding “everything” cloud. Choose your discipline in the cloud, become an expert for that component, and accept that if someone accuses you of being an imposter, or if you have guilt of your own, it more than certainly is unfounded.

And just for the record, the authors of this book are not experts in the cloud. However, we do have high confidence in our knowledge of cloud attack vectors and how to mitigate them. If you don’t believe us, please start reading this book again. This is not “Yesterday’s Enterprise” in Star Trek: TNG.
