8 The threat of impostor syndrome

This chapter covers

• Understanding what impostor syndrome is, why it’s important, and who experiences it
• Examining yourself to identify the causes of your impostor syndrome
• Avoiding or overcoming impostor syndrome
• Objectively recognizing and celebrating your achievements

Until now, we’ve focused the bulk of our attention on preparing for and landing that first job in cybersecurity. Now it’s time to start looking at the forces that could work against you after you’ve landed that first role. Reading various studies from the medical, psychological, and career development industries, you’ll find that an estimated 70%-85% of people experience a phenomenon known as impostor syndrome.

As we discussed in chapter 2, the cybersecurity industry suffers from a lingering rockstar culture. With so many large events, well-recognized personalities, and wide ranges of expertise, impostor syndrome is particularly common in this field as well. All right, you ask, what is impostor syndrome, and why should I care? Well, it is time to answer some of those questions and more.

8.1 Defining impostor syndrome

A lot of discussion occurs within the security community, at conferences and on social media, about people experiencing impostor syndrome and its negative impact. It’s a real issue that threatens to derail the career aspirations of many in this industry. To combat this phenomenon, we must first understand what it is and why it is important, and recognize whom it can impact.

8.1.1 What is impostor syndrome?

In the simplest of terms, impostor syndrome is the belief that your accomplishments aren’t as valuable or impressive as others perceive them to be. It’s a sense that you are not as qualified to do the things you are doing as others believe you to be. This is an internalized state of mind. Many people who experience impostor syndrome describe a fear of being discovered as a fraud. In the professional sense, people look back on their accomplishments and qualifications and tend to minimize their importance or relevance.

Impostor syndrome within cybersecurity can also come down to questioning your breadth of knowledge in the field. Figure 8.1 illustrates how we often perceive our own knowledge in comparison to those around us working in the industry.

Figure 8.1 A graphical representation of how impostor syndrome colors our view of our own knowledge in comparison to others

As you can see, it is not uncommon for individuals in our industry to believe that everyone around them has a far greater knowledge of cybersecurity than their own. This sometimes results from the human tendency to collectively combine the knowledge we see others share and then attribute that collective capability to everyone else. We then recognize that our knowledge overlaps—but is only a subset of—that larger collective.

However, this is not true, nor is it at all realistic. In reality, the comparisons of our own knowledge to those around us are much more like figure 8.2.

Figure 8.2 A graphical representation of how cybersecurity knowledge is distributed among members of the industry

The reality is that everyone we see around us has their own subset of knowledge, but no one knows everything there is to know about cybersecurity. They could not; it would not be possible.

Additionally, as you can see in figure 8.2, each person’s knowledge overlaps with others’, including our own. At the same time, not everyone’s knowledge overlaps with everyone else’s. Additionally, clear differences exist between each person’s base of knowledge, and each person has a unique knowledge set they bring to the table.

While the overlaps in knowledge create depth in our capabilities, it’s the unique areas that drive the myriad of perspectives that make cybersecurity stronger as a whole. This is an important concept to understand as you work to combat your own experience of impostor syndrome.

8.1.2 Why do we care about impostor syndrome?

Well, this is all great information, but what does this have to do with career success in cybersecurity? Impostor syndrome is a powerful force that can have a detrimental effect on your career progression. The impacts of impostor syndrome are far-reaching and diverse. But in the end, the toll they take on us from both a motivation and mental health perspective cannot be understated.

Perhaps one of the more obvious damaging effects is that the fear of being discovered a fraud holds us back from risk taking. When a person undervalues their accomplishments or minimizes their legitimacy, a gap is created in self-confidence. If an opportunity to advance their career should arise, they may choose to forego that opportunity, feeling that they are not qualified and that if they pursue it, they will be found out. This is a particularly common impact that is well-documented in various studies of the phenomenon. It is important to recognize that impostor syndrome affects us in this way so that we can take steps to combat it rather than let it hold us back.

Impostor syndrome can be detrimental to mental health as well. Imagine the scenario in figure 8.1: believing that all your peers have a tremendous wealth of knowledge that you somehow lack can generate crushing levels of anxiety. Consider how overwhelming it would feel if you believed you had to gain all that knowledge to make your cloud as big as everyone else’s. The perceived task would be monumental and almost unachievable. The resulting impact can damage not only your desire to pursue future opportunities but also lead to a disdain for your current role. In the worst-case scenario, it could lead to you abandoning your career path in security altogether.

Another mental health impact from impostor syndrome can be self-loathing. If we see ourselves as inescapably underqualified, we may begin to view that as a flaw in ourselves. Indeed, this feeling is often expressed in studies and even more informal discussions on social media. It can become a vicious cycle, in which our feelings of inadequacy lead us to demean ourselves, which leads to further feelings of inadequacy, and so the cycle continues.

Again, this unfortunate perspective can lead to abandoning a career path altogether if left unchecked. As a result, it is important that if you are to be successful in your pursuits, you recognize and actively work to combat these influences.

8.1.3 Who experiences impostor syndrome?

If you look at articles and published papers on the topic of impostor syndrome, you’ll quickly discover that this phenomenon is experienced almost universally. Regardless of people’s career stature, knowledge levels, or public image, almost everyone reports having some level of experience with impostor syndrome. As stated earlier, many studies suggest anywhere from 70%-85% of professionals report experiencing these feelings.

Consequently recognizing that impostor syndrome can and does affect us all is crucial. Whether you are just starting your career or are well established, the feelings of doubt and inadequacy can be a challenge. Anecdotally, by observing discussions in the cybersecurity community, even those who are recognized as leaders will report they experience the feelings and effects of impostor syndrome. I can report at a personal level that I have had to battle this perception throughout the almost two decades I have spent working in cybersecurity.

Let me share a little more of my personal experience. I began working in cybersecurity as a penetration tester in 2006. I had never considered hacking as a career path but now found myself as part of a security testing team within a large financial services company. Within a year, I was the lead for that team. By 2010, thanks in part to an acquisition, I was now managing not only that team, but also the complete vulnerability management program for this financial services organization of 35,000 employees, which appeared in the top 200 of Fortune magazine’s list of the top 500 companies at the time. I was barely over 30, yet I had a prominent role in the operational security of this global entity.

That sure sounds like an impressive career feat, doesn’t it? Yet for many years after I left that company, I refused to look at it or talk about it in that way. Instead, I chose to minimize it.

I wrote it off as dumb luck and not really that monumental of an achievement that I had any right to celebrate or brag about. Even on my resume, I downplayed the extent of my responsibilities in that position. I rarely talked about my regularly reporting on our security posture to executives. I didn’t describe working with the executives to secure funding for additional security initiatives and overcome the challenges of limited budgets. I was even bashful about disclosing the extent to which I had to work across the organization to ensure that vulnerabilities were remediated.

I looked at the help that I got from my previous managers, including the one who brought me into security in the first place, as a sign that my accomplishments were somehow less. I regarded the lucky break of an acquisition that thrust me into that level of responsibility as somehow diminishing the value of what I had undertaken in that role.

To put things in perspective, everyone achieves success through a combination of their own skills, their own risk taking, assistance they receive from others along the way, and in most cases, some measure of fortunate circumstances. The value of our accomplishments isn’t measured by those factors. Instead, it is how we choose to react to those opportunities that leads to our success.

It took me a long time to come to terms with that, and it did hold me back from chasing higher-level opportunities earlier in my career. Recognizing that many go through this and that you can expect to as well will help you better manage and overcome those forces of doubt. We will discuss this concept further later in this chapter.

8.2 Understanding the causes of impostor syndrome

Many academic studies and media articles have been published on impostor syndrome, what causes it, and who experiences it. Rather than regurgitate the results of those studies, I will focus on sharing what I have learned about causes of impostor syndrome from my own experiences and my discussions of the topic with others. A quick web search will yield plenty of results if you wish to dig deeper into formal academic studies, but in this chapter, I would like to bring more of the cybersecurity context to bear.

8.2.1 Perfectionism

One of the most common causes of impostor syndrome that I and others experience is the level of exceptionally difficult or even impossible expectations we place upon ourselves. Several of my colleagues have shared that they are not the type to go into any new venture only half-committed. I too share this personality trait. When I take on a new challenge, I strive to ensure that I’ll be competent and well educated in that subject.

By way of example, many years ago when I chose photography as a hobby, I didn’t just buy a camera and go out and start taking photos. Instead, I spent weeks studying the technical aspects of how cameras work. I learned about the relationship between shutter speed, aperture, ISO rating, and such. I participated on multiple photography forums and learned the language, which also drove me to understand additional concepts like f-stops and exposure compensation. I also didn’t stop with technical details; I studied the more artistic aspects of photography as well, including how changes in lighting, composition, color balance, and framing can impact the mood captured in a photo. Finally, I researched many cameras to ensure that the one I eventually purchased would fit me well and be capable of supporting the various creative aspects I wanted to achieve.

I held myself to high standards in launching my photography hobby, and these self-imposed expectations are like those many have described to me in terms of their impostor syndrome. When we set such high expectations for ourselves, they can become imposing or even impossible to achieve. We set impossibly perfect goals, and when we fail to achieve them, we let those failures convince us that we simply aren’t good at that activity. Instead of leaving room to grow and learn, our perfectionism drives us to be unfair and overly demanding. This is a core cause of impostor syndrome.

8.2.2 Industry expectations

It is not just our own expectations that can put undue pressure on us and spur feelings of being an impostor. The cybersecurity industry itself can often place similar pressures on us. As we discussed in chapter 3, this industry overall expects practitioners to have a high degree of capability from the start. A great deal of pressure is placed on cybersecurity professionals to make things perfectly secure. Given the criticality of defending our digital way of life, the industry rarely makes room for practitioners or organizations to fall short of perfection.

Unfortunately, this sets us up for failure. In reality, mistakes will occur in technology. An odd dichotomy exists in that security practitioners recognize that these goals are unrealistic, yet we continue to try to achieve them. It is often stated that attackers will inevitably find a weakness that we’ve missed in our systems and exploit them. In the best-case scenario, we may identify and respond quickly and successfully to attacks and breaches, but to think we can be unhackable is unrealistic. The industry simply does not measure success according to reasonable and achievable metrics.

As a result, when these situations do occur, it is all too easy for security professionals to take those events personally. It is not uncommon for a security professional to look at a breach as a sign of their own failures or incompetence rather than acknowledge that technology is infinitely dynamic and difficult to secure as a result. This can be damaging to self-confidence and lead to feelings of hopelessness and anxiety that further impact our ability to perform our daily duties.

It is important for our career as well as our personal mental health that we view these types of challenges differently. Cybersecurity professionals need to regard them not as signs of our lack of qualification or competence but rather experiences that we can use to learn and to grow. It is a sign of true professional maturity to understand that learning and growth come from failures. If we were always successful in everything we try to do, there would be no challenge and hence no success to celebrate.

8.2.3 Comparison to others

As you saw in figures 8.1 and 8.2, a great deal of impostor syndrome comes from comparing ourselves to others. As you enter the field, you may establish relationships with other new cybersecurity professionals who are launching their careers around the same time. These relationships are important, and they can serve you well as you grow and advance in your career. However, they can also present challenges regarding feelings of inadequacy. Specifically, as you watch your peers progress in their careers, it is not uncommon to become focused on their successes and believe that they are progressing faster than you.

This type of comparison is inherently flawed. The reality is, typically, that they indeed are experiencing successes you have not, but you have also likely experienced successes that they have not. In this situation, you fail to recognize your own value and focus instead on what you have not yet accomplished. Even worse, those accomplishments may not have even been things you were targeting. Yet, seeing someone else achieve them still makes you feel like a lesser success.

The problem of comparison can also come into play when we look at the rockstar culture of the security community. You have probably already discovered the names of a few highly recognized and accomplished individuals in the cybersecurity community. You may admire their accomplishments and their skills. Perhaps they quickly ascended through various career milestones that you hope to reach as well. This is good and healthy if it motivates you to grow and achieve great things in your own journey. However, it becomes a problem when it leads to deep feelings of anxiety or pressure that become overwhelming.

It is common to look at all they have done and feel hopeless, as if you will never achieve their level of skill or success or that you are falling behind somehow. But believing that is true would be unfortunate. Remember that what you usually see of others in the public space is their best self. For most, that is the only part of what they allow you to see. You may not get to see the struggles and failures that they have dealt with and continue to deal with along their path. It can be incredibly surprising sometimes when you discover just how much they feel like they have not accomplished.

It is, therefore, critical to acknowledge that each of us is on our own journey and that accurately comparing one person’s success with that of another is ultimately impossible. Career successes can come at the expense of successes in other aspects of a person’s life. Hidden privileges or advantages may have helped one person reach a pinnacle, while others do not benefit from those same privileges and have to work through additional challenges as a result. This is why measures of success should instead be a personal thing. The way we identify our own milestones should take into context the many personal facets of our journey that impact our career and professional successes.

8.2.4 Lack of representation

In chapter 1, I discussed the need for diversity in the cybersecurity community. A large diversity gap exists in this space. Women, people of color, and other demographic groups are underrepresented. As a result, finding role models who have achieved the level of success that we aspire to and that we can also identify with on a personal level may be difficult.

For instance, for a Black person who aspires to achieve a high-level executive role, finding a Black role model in a leadership position to serve as a mentor or inspiration can be difficult. In the 2017 “Global Information Security Workforce Study” released by (ISC)² and Frost & Sullivan and others (http://mng.bz/06wm), only 9% of cybersecurity professionals were African American or Black. Among those, only 23% were in leadership positions. Logic would then also dictate that subsequently an even smaller subset would be found in executive-level positions.

We may want to believe that people’s ethnicity, race, gender, and sexuality don’t matter when it comes to identifying role models. However, looking at the situation more pragmatically, when members of those groups fail to see their demographics represented in their career field, it can lead to a feeling of not belonging. This feeling further exacerbates the already difficult feelings that result from impostor syndrome or can trigger feelings of being out of place in people who would otherwise not have such doubts. Given that much work remains to be done in terms of diversity in this community, it is important that you, especially if a member of an underrepresented group, look within and acknowledge that we are not only allowed but encouraged to blaze a new trail if necessary.

8.2.5 Diminishing accomplishments

I discussed earlier my personal experience of belittling my own accomplishments. Because I had received help from others and had also been the beneficiary of many serendipitous opportunities, I minimized the value of my career achievements. As it turns out, this is a common mindset among highly driven individuals, especially in cybersecurity. A flawed impression exists that those who’ve demonstrated the highest levels of achievements got there of their own accord, without outside influence. The reality is quite the opposite, however.

Success is rarely, if ever, achieved by working and conquering challenges alone. Athletes work with coaches, trainers, nutritionists, and others. They leverage this assistance to ensure they are the most fit they can be for their sport. They learn from others and find opportunities through those they work with. As another example, musicians spend countless hours playing with and learning from other musicians. They might learn music theory or gain inspiration from others. Very few of the songs you listen to are written, composed, and produced by a single person.

In addition, neither athletes nor musicians, nor any other highly successful and recognizable person gets to their position without some measure of fortunate circumstances. Perhaps it is the lucky break that a professional scout happened to show up at a college baseball player’s biggest game of the season. Maybe that recording executive just happened to be in the club the night that a particular band played there.

The same is true for your career in cybersecurity. You will have mentors, coworkers, and others who help you develop your knowledge, your skills, and even help you find professional opportunities. You will undoubtedly experience those lucky breaks that present you with an opportunity to take on a new challenge or leap into a new role. Ultimately, you’ll find that success comes when you use those influences and those opportunities to your advantage. Taking risks and chasing the next big thing is often what makes the difference between a quick career progression and one that lumbers along.

Therefore, you would be remiss to think that because you or anyone else experienced such influences, those accomplishments are somehow less valuable or impressive. To drive your career progression forward, you need to see these events more objectively and be willing to give yourself credit for the way you leveraged those influences to grow and advance. That is what makes those achievements something you can be proud of.

8.3 Overcoming impostor syndrome

Now that you understand what impostor syndrome is and the detrimental effects it can have on your career journey, we can start to discuss what can be done to limit those impacts and possibly even avoid the phenomenon altogether. Since you now understand that everyone is susceptible to these feelings, you know that you don’t need to feel ashamed or broken if you struggle with them too.

Not everyone’s experience of impostor syndrome is the same, so the ways to avoid or overcome the challenges will be unique to our own journeys as well. There is no one right way to go about it, and in reality, the methods we find successful can change over time as well.

What will not change is that impostor syndrome will not go away on its own. It requires acknowledging that it exists and that it could be impacting you. Developing ways to see yourself, your journey, your struggles, and your achievements in a different light will give you the tools you need to defeat this nemesis. So, let’s look at a few tactics you can leverage in your career journey to ensure that impostor syndrome does not hold you back from achieving all the success you hope to realize.

8.3.1 Avoid competition

As you have seen throughout this discussion of impostor syndrome, many of the causes and challenges come from the expectations we place on ourselves and comparing our journey to that of others. In particular, these can lead to a sense of competition with those around us. We want to achieve that milestone faster than someone else got to it. We want to have more credentials applied to us than that peer we see in the industry. We want to know more about a given topic than someone else. The list of expectations and competitive motivators goes on and on and on.

Unfortunately, the cybersecurity community sometimes contributes to this natural tendency for competition. We regularly organize events like CTF challenges, in which individuals or teams compete to hack various systems. It is assumed that the most skilled will accomplish those tasks the quickest and win the prize. These competitions aren’t inherently bad or unhealthy, but if we use them as a measure of our own skills rather than simply an opportunity to learn and grow in a fun competitive environment, they can be toxic. If you choose to partake in these activities, try to see them for what they are worth. Just as sports participants can become overly competitive, the same can happen in these spaces. Keep it fun and understand that just because you or your team doesn’t win doesn’t mean that you’re somehow less valuable to the community.

Competition in cybersecurity can also occur in the discovery of security vulnerabilities. Those new flaws we find, which we refer to as zero-days, are often leveraged to establish someone as a skilled researcher. These zero-day vulnerabilities are reported typically via the CVE database. So, you may encounter people who measure a hacker or researcher’s skills by the number of CVEs they have reported.

This is dangerous for a lot of reasons. First, discovering a zero-day vulnerability can be valuable but shouldn’t be seen as having greater value than finding long-recognized vulnerabilities in a system or application. Some may argue that the latter is more valuable in terms of securing systems. Additionally, many hackers and researchers (myself included) work for organizations testing and securing their systems. Vulnerabilities discovered in their systems or applications may be zero-day vulnerabilities, but because they were found in software developed by the organization (rather than sold commercially), the vulnerabilities aren’t reported to the CVE database.

The point of all of this is that you will be tempted to compare and compete with your peers in many ways throughout the cybersecurity community. Competition should be approached carefully, however. It should be leveraged for fun or as a motivator to continue to grow your expertise and your career. It crosses the line and becomes a damaging influence when it is no longer enjoyable, and instead you start using it to measure your own value. Be cautious about competition and know that just because you don’t win that prize, get that accolade, or see your name credited on something does not mean you aren’t contributing.

8.3.2 Set goals and define what success means to you

Related to the topic of competitiveness and comparison is the idea of how we measure our success. The reason that things like CTFs and CVEs become measures of success for some is that they are easily demonstrated to others as success indicators. In fact, you can fall into many traps in terms of your career journey and impostor syndrome if you are defining success by the way others will recognize it or become aware of it. This is a toxic way of defining success. Just as our journeys are unique to each of us, so too should be our measures of success. Defining achievements based on the perceptions of others versus what is meaningful to us subjects us to a constantly changing and ever dynamic set of metrics that will be impossible to achieve.

If your motivations for attaining a certain position are focused on the way you will be perceived by others, that is a tenuous and ultimately dangerous goal. The old adage that you can’t please everyone comes into play here. No matter how big your success, there will always be those who will criticize and doubt you. Sadly, that’s just a part of human nature, especially in the cybersecurity community.

Additionally, because of the dynamic space in which we operate, setting your goals based on others’ perceptions of an impressive achievement today leaves you with no guarantee that when you realize that goal, it will still be seen as impressive. Pursuing success for the sake of fame, acclaim, glory, or whatnot leaves you with little room to shift and change. Anything short of being among a very small percentage of people suddenly means failure. That is not a healthy perspective.

Instead, it is important to set goals that are important to you. Consider the meaning that those goals have for you. Why is that something you want to achieve? Do you want to be an executive-level leader? Why? If it is because you want to be respected by others as a top expert, you may be disappointed someday when you become a CISO. Look around on social media or in the news. Pay attention to how often CISOs of organizations or in general are treated with disdain. Setting that goal based on how others will perceive you is not going to work out well. Now, instead, if you want that role because you relish the challenge of bearing the responsibility for the cybersecurity posture of an organization, or because you feel like you are well suited to defining strategy and interacting with other executives, well then, that goal might be the right one for you.

But as you will see in chapter 9, goal setting needs to be more than just identifying a big objective at the end of the road. We need to also set shorter-term goals that help us get there along the way. If your only goal might take 7, 10, or more years to reach, falling into the trap of devaluing what you have done along the way to get there becomes too easy. Accordingly, keep reading, as we will discuss later how to set attainable goals that keep you motived and progressing toward your eventual objective.

8.3.3 Turn to colleagues and peers

No, you don’t want your goals to be based in what others think of you or how impressive they find your accomplishments. However, that does not mean that your peers and your colleagues can’t provide effective support in combating the feelings of impostor syndrome.

One of the unfortunate symptoms of impostor syndrome is that professionals tend to have a hard time accepting compliments. Think about it. How do you react when someone tells you what a great job you did or how impressed they are by something you were able to pull off? Do you thank them and enjoy the feeling of having someone share in your success? Or do you let the feelings of flattery cause you to deny the value of what you were able to get done?

In our society, we are conditioned against bragging. However, that conditioning can go too far and cause individuals to be excessively humble when it comes to admitting their own worth. Fear of being seen as conceited or regarded as a braggard will cause individuals to downplay compliments. Additionally, to assist in that denial, it is human nature to assume that the compliment is biased or that “they’re just being nice” rather than accept the genuineness of the sentiment. When it comes to impostor syndrome, you can flip this narrative on its head and use it as a form of validation.

When you detect those feelings of being an impostor, that is a good time to reach out to someone you respect and share those feelings. You likely will find that they feel similarly. It might even be jarring to you, as the things they feel worst about might be what you respect most about them. Do not shy away from having those conversations. Chances are they will share with you that many of your concerns are related to aspects of your journey that they most admire. Keep your mind open and be willing to accept that their comments are genuine. Just because you initiated a conversation on the topic does not mean that what they tell you is biased.

Your mentors can also serve a valuable role here. They might have additional context of similar feelings they have experienced. They could potentially share with you tools that they used to overcome the feelings. Find the solutions that connect with you and leverage them in your own journey. This is why gaining that personal perspective of your mentor as we discussed in chapter 7 is so critical. Make that relationship work for you and help you to see that you are not a fraud, you are not underqualified, and you do ultimately deserve the accolades you receive.

8.3.4 Be a resource to others

You are early in your cybersecurity career; I totally understand that. As a result, you may feel like you are not in a position to help others in their career. You would be wrong. As you take the first steps in launching a career in this field, you already have the ability to serve as inspiration for others who are considering a similar career path. As you continue in your journey, openly sharing your experiences can help others grow and advance as well.

A wonderful side effect of this effort is that it can help you conquer your feelings of impostor syndrome. The experience of helping raise others can be affirming in multiple ways that directly speak against the forces of impostor syndrome. Consider first the discussions you will have with those who seek you as a source of inspiration. Something about what you have accomplished speaks to them or is something they can identify with. As you share your experience and they react, you will see how various elements of your journey that seemed insignificant to you are actually quite valuable. This affirmation of your success will help to address that feeling that you have not yet achieved anything that comes from not being at your goal yet. When talking to someone who is inspired by you, it is also easier to accept the authenticity of their feelings. Listen to what they say, share what you know, and you will understand just how far you have come along this path.

Being a resource to others is also a chance for you to demonstrate your knowledge in various technical aspects of cybersecurity. Skills and techniques that you have learned and taken for granted will suddenly be called upon. As you begin sharing that knowledge with others, you will begin to realize just how much you have grown. It can serve as a reminder of where you once were in your own journey and the degree to which you have developed your own skills and knowledge. Let it be an opportunity for self-discovery as much as teaching and lifting up other members of the community.

Finally, as you help to build others up, no matter what stage of your own career you are in, that experience will help you along the path to your own goals. If your long-term goals are to achieve a position of leadership, the experience of helping others grow will equip you with effective leadership skills. If your goals are based more on technical acumen, imagine the benefit of having to potentially do some research of your own in order to help someone else with a problem they are experiencing.

This is where the adage of a rising tide raises all ships comes from. The more you do to help others grow, the more you will grow yourself. In that growth, you will achieve goals faster, which in turn will help you to ward off those feelings of impostor syndrome.

8.3.5 Acknowledge and celebrate your achievements

One of the toughest aspects in dealing with impostor syndrome can be looking at our past accomplishments in an objective light. As I described earlier in my own story, I found it difficult to admit to myself and others the levels of achievement I had reached at fairly early points in my career. I was 19 years old, had not even graduated college yet, when I got my first full-time job as a programmer. That would be a big deal for many folks, but I just looked at it as I got lucky because it was during the “dot com” era and programmers were in high demand at that time.

I’ve discussed at length the challenges of admitting our successes and recognizing that receiving help and getting lucky breaks are not just OK, but necessary components in achieving success in any field or pursuit. As you progress on your journey, it is important to acknowledge those achievements and allow yourself to celebrate them and be proud of them.

You might be asking yourself right now, how do I make sure I recognize those achievements? Let me share with you a simple exercise that you can perform to help you recognize the value of what you have done. Now, presumably, you have not yet launched your cybersecurity career; that is OK. We will just use your overall journey to date. You can work with your academic experiences, your work experiences in other fields, or even a hobby. Any of these will work for this exercise. Choose one or even a couple, grab a piece of paper, and let’s begin:

1. Think back on the experiences you had. How did you learn how to do those things? Start listing any educational steps you took, any people you worked with who helped train you or shared knowledge with you, and describe any lucky breaks you experienced along the way.

2. Separate from that list, describe the most enjoyable facets of that experience for you. It could be an aspect of the job that you enjoyed (even if overall you hated the job), it could be that you achieved a certain success or milestone, perhaps even just a level of personal satisfaction that it brought to you.

3. Look at your first list and the subsequent description of enjoyable aspects and connect the two. How did those educational steps, the people who helped you, or the lucky breaks contribute to those enjoyable aspects of your experience? List them.

4. Considering those influences, describe how you used those outside influences. How did you apply those in a way that helped achieve those enjoyable moments? Focus on your actions. What did you do with that information or that opportunity that led to your personal enjoyment?

5. Take those descriptions of your actions and rewrite them as if you were putting them on a resume. It does not matter whether they are job related. Consider how you would tell others about them to paint yourself in an impressive light. Do not exaggerate or lie; just simply tell the story in a way that you believe would help others appreciate what you did.

6. Take a step back and consider what you have written objectively. Try to forget for a moment that you wrote these about you and think instead about how you would feel if you saw those items on someone else’s resume or biography. Now, remind yourself that you wrote these things about you. There were no lies or exaggerations; those accomplishments are yours to be proud of.

Keep what you have written. This will be a good reminder of this exercise so you can repeat it as you progress along your career journey. Use these steps to appreciate in a more objective way just how much you have been able to achieve as you grow and develop in your cybersecurity career. In this way, you will be able to tackle and overcome that monster of impostor syndrome that keeps trying to tell you that you don’t belong or that you are not enough.

Summary

• Impostor syndrome is the undervaluing of our own achievements and feeling like we don’t belong.

• Impostor syndrome can keep us from progressing in our careers and can be experienced by anyone at any stage of their journey.

• Impostor syndrome can be caused by perfectionism, outside expectations, comparing ourselves to others, a lack of role models we identify with, and devaluing our own accomplishments.

• You can defeat impostor syndrome by avoiding competition, setting personal goals, getting support from colleagues and peers, and objectively recognizing and celebrating your achievements.