Would the real imposter please stand up?

Having had a number of separate conversations recently with people in this industry, some very experienced and incredibly well-respected, I was struck by how prevalent it is to feel like a fraud. This prompted me to do a quick Twitter poll on so-called ‘Imposter Syndrome’.

Update: after doing the poll and writing this blog post, I gave a talk on this subject at Steelcon.

Imposter syndrome is defined as individuals who are successful by external standards but have the illusion of personal incompetence; they attribute their success to luck and interpersonal skills, rather than hard work, talent and experience. The ways it manifests have been very well described by Scott Roberts in this blog post.


I set a Twitter poll for 24 hours asking ‘infosec people’ how often they feel imposter syndrome and gave the options of:

  • All the time / daily
  • Often / weekly
  • Sometimes / monthly
  • Never

The poll got a large response and generated a lot of discussion: 37,976 impressions, 2,212 engagements, 813 votes and 79 replies. I feel pretty safe in assuming that’s the biggest response I’ve had to a tweet, which implies that my question struck a nerve.

As you can see above, 84% of respondents feel imposter syndrome at some point. The majority of respondents, 64%, feel it either on a weekly or daily basis. The largest response was ‘all the time’, at 34%.

Twitter polls don’t facilitate demographic analysis and so there is no way of knowing whether age, experience, seniority, gender, sector etc. influence feelings of imposter syndrome. Some argue that it exists more in women than men (and so it would be surprising that it was prevalent in a male dominated industry), but research suggests that it is experienced by men just as much as women (Chrisman et al., 1995).


The replies and discussion which followed were, for me, the most valuable and insightful part of the poll. Many very successful and well-known leaders in the field replied to share their feelings and it seemed from the replies that the feeling was not dependent, as many would assume, on experience and standing in the industry. In fact, for some, the more senior they became, the more they experienced the feeling – as Ben Hughes describes in an excellent, eloquent and thought-provoking blog post which he wrote after responding to the poll. I’m not even joking when I say this: I felt nervous about writing this blog post after reading what Ben had shared as his article is so good.

And, isn’t that part of the problem? Having conducted this poll, had lots of great responses to the tweet and thought about imposter syndrome a lot over the last two weeks, some of the causes, or exacerbating factors, seem to be:

  • Insecurity (Alanis Morissette could write a fitting lyric about the insecurity felt by a bunch of people working in security). The feeling we have to be as good as one another surely contributes to imposter syndrome, especially given the fact we work in a hugely diverse industry which is based on distinct specialisms that vary hugely. As many commented, we meet someone or watch them talk at a conference and feel intimidated and concerned when we don’t know what they know. We worry that we can’t possibly truly understand the field, and belong in it, in the way that this person does. We often forget that we actually don’t need to know what this amazing person does, that our job is not the same as theirs and that we probably have a bunch of knowledge and experiences that they don’t. We don’t acknowledge that the most vocal people in this field are the minority, they are the 2% of this industry as research by both Adrian Sanabria and Lawrence Hecht shows. If we all knew the same stuff, this industry would be a lot worse off. In fact, aren’t we always saying we need more diversity?
  • Bravado. There’s the notion that all hackers are egotistical. Of course, there are the loud mouths who like nothing better than to point and laugh when someone messes up or doesn’t display a perfect level of knowledge. As far as I’m concerned, these people are probably the most insecure – tearing someone else down is usually a sure sign that you’re not very happy with yourself and you’re desperately trying to convince yourself, and everyone else, otherwise.  This kind of person is everywhere, in every industry. However, we do seem to tolerate them more in information security than I’ve seen in other industries.  Let’s not let them define our culture. As Ben Hughes argues, we need the space to be vulnerable. The outpouring of responses to my poll implies that many people feel vulnerable and want the opportunity to share that. The comfort many took from reading that other people feel like they do, and in fact people that they look up to, demonstrates the value of having such a space.
  • Introversion. We spend a lot of time on our own working on laptops and computers. Most people spend a lot of time online, undoubtedly more than in a lot of other industries. The danger with this is that your world can narrow and you can lose perspective. You forget that you are more than your job and that your worth is a lot more than your professional output.
  • Technology over people. The industry has tended to neglect the human dimensions of our interactions. From my point of view, this limits our success, as we fail to adequately address the human elements of cyber security, but it also negatively impacts the culture within the industry.  It is hardly surprising that issues like imposter syndrome, depression and anxiety are a problem, in an industry more comfortable and concerned with the black and white of 1s and 0s than the ambiguities of people and their emotions.
  • The pace of change. It is pretty impossible to keep up with the pace of change in this industry and yet, we feel that we should. In many ways, that’s a good thing, as it drives us to learn more and keep our knowledge up-to-date. Our employers and clients certainly benefit, but the cost can be a feeling of being always on and never knowing enough, which drives anxiety and the feeling that we aren’t good enough.
  • Burnout. Considering the work done by Jack Daniel and Chris Sumner on burnout, there seems to be a cyclical relationship between burnout and imposter syndrome. Jack Daniel suggests that feeling a lack of self-efficacy (your belief in your ability to succeed) is an indicator of burnout. I found this blog article helpful in describing the way burnout and imposter syndrome can take hold.
  • Criticism. Criticism dominates this industry. By nature, we tend to be a cynical bunch who look for the flaws in everything. This is inevitable and of course valuable, but it can have a damaging effect on individuals. As a few people commented in the Twitter thread, this industry can build people up and then tear them down very quickly, which ultimately undermines us all. It damages not only the person being targeted, but those who see it happening and hold themselves back for fear they will be next.
  • Bullying. For some people, feelings of imposter syndrome stem from bullying in previous jobs or at school. If someone has been in your ear, undermining your confidence and constantly telling you that you’re not good enough, it can really damage your self-esteem and cloud your vision: you can lose sight of the fact that it is the bully with the problem, not you. We all have a tendency to hold on to the negative things said about us and not attach the same significance to positive comments. When the negative comments have been repeated over a period of time, this can be very hard to shake off.

What to do about it?

Some suggested that they find the feelings helpful, as a way of motivating them to keep learning and working hard. Robin Wood’s discussion of worrying about not making a mistake on a penetration test ties into this, as he discusses the way it helps to make sure that he does his best on every job. This is how I approach it, too: when I worry that I’m not up to the task or don’t know as much as others in the industry, it drives me to work harder and learn more. However, for some it seems the feelings are more self-destructive and can lead to procrastination. It can limit the extent to which they make their voices heard or put themselves forward, which is a loss for them and for the industry as a whole.

If that’s the case for you, many people shared approaches that they find useful to overcome the feeling of being a fraud:

  • Surrounding yourself with positive, supportive people that you can talk to. Many people commented that it helped to see, via the Twitter thread, that they are not alone in feeling like this.
  • Don’t stop working – procrastination feeds the feelings, and you can end up beating yourself up for a lack of productivity, too.
  • At the same time as I say don’t stop working, I’m also going to say take a break. Schedule something where you take time – and most importantly, your brain, off work. Hang out with friends, visit family, have fun, go offline and spend some time in nature. See the bigger picture.
  • ‘Fake it (confidence) til you make it’ (but don’t fake skills or knowledge – that will not help with feeling like a fraud). This really helps me when I’m giving a talk, for example to a technical audience who I know are experts in a lot of things I am not. As commented by one person in the thread – there is no difference to the viewer between confidence, and fake confidence. Sometimes behaviour drives feelings, so if you can change your behaviour and appear more confident, that confidence eventually becomes embedded.
  • Remind yourself what you do know and where you have proven successes. For me, this takes the form of keeping track of what I’ve done, as well as what I’ve got to do. I use a simple form of agile working to keep track of my to do and done lists, and I also keep a list of conference presentations and media appearances.
  • Feel the fear and do it anyway. For me, it’s helpful to do something outside of work that I find scary or have not done before – I find that pushing myself out of my comfort zone in one sphere helps build confidence all-round.
  • Don’t be defined by any failures. Everyone makes mistakes and no-one is perfect. Of course, no-one likes to fail but, when it happens, resist beating yourself up and instead focus on what you have learnt and how you can use it to do better next time.
  • If you’re in a junior position, acknowledge that you do still have a lot to learn and that’s fine. No-one expects you to know everything. If you feel like you’re learning things which everyone else already knows and you’ll never find your own path or have your own expertise, just stay on the bus.
  • Recognise that you don’t have to hold on to imposter syndrome to stay humble and be a nice person. Some respondents seemed to feel that if they overcame feeling like a fraud, they would automatically go to the other end of the spectrum and become egotistical. Others, who didn’t have imposter syndrome, replied or sent me DMs to say they wondered what it said about them that they’re not plagued by self-doubt. There’s a big difference between being comfortable and confident with what you know, and thinking you know everything and are better than everyone else. There is nothing wrong with healthy self-confidence and self-belief. In fact, isn’t that the aim?
  • Look after yourself. Eating well, sleeping well and exercise are all proven to be positive contributors to good mental health, and I’m sure play a role in keeping imposter syndrome at bay. But, more than anything, I think the key to looking after yourself is not beating yourself up for negative thoughts. If you start to doubt yourself and your abilities, don’t compound it by kicking yourself for having those thoughts.

Thank you to everyone who voted in or commented on the Twitter poll – the discussion here is a reflection of your contribution. Feel free to contact me if you have any comments on imposter syndrome or this article. If you’ve found other ways to overcome the feeling of being a fraud, I’d love to hear from you.

By Dr Jessica Barker