Martin 2022: This is another post I wanted to keep, based on the feedback I’ve received from multiple individuals. “You are not alone.” has long been a message I felt was important to share. I hope this short essay continues to resonate with readers for a long time to come.

What am I doing here?  When are they going to realize I don’t know what I’m doing?  How long until they fire me for faking it?  I don’t belong with these people, they’ve actually done something, while nothing I’ve done is remarkable or interesting.  I’m not worthy of this role, of being with these people, of even working in this environment.  I’m making it up as I go along and nothing I could do would ever put me on the same level as the people around me.  How did I end up here?

I know I’m not the only one who has these thoughts.  It seems to be common in the security community and not uncommon in any group of successful people.  It’s called ‘impostor syndrome’ and it’s often considered a subset of the Dunning-Kruger effect.  Basically it’s a form of cognitive dissonance where a successful person has a hard time acknowledging his or her success and overemphasizes the many mistakes everyone makes on a daily basis.  To put it simply, it’s the thought we all have from time to time that “I’m not good enough” writ large.

It’s not hard to feel this way sometimes.  In security, we create heroes and rock stars from within our community.  We look at the researchers who discover new vulnerabilities and put them on a stage to tell everyone how great their work is.  We venerate intelligence, we stand in awe of the technical brilliance of others and wish we could do what they do.  We all tend to wonder “Why can’t I be the one doing those things?”

It’s easy to feel like this, to feel you’re not worthy.  We know the mistakes we made getting to where we are.  We know how hard it was, how rocky the road has been, where the false starts and dead ends are and all the things we didn’t accomplish in getting to where we are.  When we look at other people we only see the end results and don’t see all the trials and tribulations they went through to get there.  So it’s all too common to believe they didn’t go through exactly the same road of mistakes and failure that we did.  As if they don’t feel just as out of their depth as we do.

I don’t think there’s a cure for impostor syndrome, nor do I think there should be.  We have a lot of big egos in the security community and sometimes these feelings are the only thing keeping them from running amok.  The flip side of impostor syndrome, illusory superiority, the feeling that you have abilities that far outstrip what you actually have, is almost worse than thinking you’re an impostor.  And I’d rather feel a little inadequate while working to be better than to feel I’m more skilled than I am and stop working to get better.

If you feel like an impostor in your role as a security professional, I can almost guarantee you’re not.  The feeling of inferiority is an indicator that you think you’re capable of more and want to be worthy of the faith and trust those around you have put into you.  You might be faking it on a daily basis, making things up as you go, but the secret is that almost all of us are doing the exact same thing.  It’s when you know exactly what you’re doing day in and day out that you have to be careful to fight complacency and beware of illusory superiority.  It’s better to think you’re not good enough and strive for more than to think you’ve made it and are the best you can be.