Last Updated on January 23, 2022 by Dave Farquhar
I’ve had lots of discussions about imposter syndrome in both tech in general and cyber security specifically. I have thoughts.
An imposter syndrome analogy from religion
I hate to drag religion into this but imposter syndrome reminds me of the unforgivable sin. I remember in my high school New Testament class, the pastor teaching it spent about five minutes on the topic. He said that if you think you might have blasphemed the Holy Spirit, then you know you didn’t. He told us to write that in the margins of our Bibles and never worry about that verse again. If you’re afraid of having done it, you’re incapable of doing it.
Imposter syndrome seems like that. I’ve never seen someone incompetent have imposter syndrome. I’ve seen competent people have it.
None of us know everything, and that’s OK. I remember a time when you could buy two or three books that contained virtually everything you could ever want or need to know about a specific make of computer. But that was only ever true of simple 8-bit computers and that era ended in the early 1990s. Even then, the experts specialized. In enterprise IT, we always specialized.
And when you’re a specialist, you know about enough outside your specialty to recognize competence or incompetence. And that’s enough. You don’t have to know all the intricacies of Windows and Linux and databases and web applications. No one does, and it’s not fair for anyone to expect you to either.
Imposter syndrome in tech
My first mentors in Information Technology were a journalism professor, and two guys who had degrees in psychology and music. No one was teaching IT in Missouri at the time. The journalism professor needed to computerize a newsroom, and once that grew into computerizing the whole department, he eventually ended up hiring the psychology major. The music major was the guy the psychology major turned to when he ran into tough problems he couldn’t figure out.
In the 90s, virtually everyone working in tech, at least outside of the huge technology companies themselves, was an imposter. I don’t think I ever worked with someone who had an actual degree in information technology until 2013, and at that point I’d been working in this field for 18 years.
You know what? She wasn’t as competent as the psychology major who was my first boss. Not even close. You know what else? She never had imposter syndrome. Psychology Dude did.
But I can give you examples people less competent than her who thought they were superstars. I once worked with a guy whose superpower was building Windows NT 4 servers that couldn’t survive a reboot. He was involved in my story of a server named Barfy. But I’ll tell you what, Barfy was a lot better than any server he ever built.
But my favorite was a guy I worked with in the 2014-2015 timeframe who brags on Linkedin that his systems can run 90 days between crashes. My personal record is four years, but I know there are people who can beat that.
Imposter syndrome in cyber security
Of course imposter syndrome happens in cyber security too. It’s part of tech. I had it for a while, especially when I was studying for my CISSP because I learned that everything I’d ever been taught about IT management was wrong. I had to get over that. I wasn’t taking the test to become a manager, I was taking the test so I could keep my job as a cross domain solution engineer. That Bell-LaPadula and Biba thing they make you learn for CISSP? Yes, that was my life for a couple of years.
Then one day I realized I was advising large defense contractors on how to modify their documentation so the NSA would like it better, they were taking my advice, and it was working.
If I could do that, I reasoned, I could learn enough about management to pass that test.
I’ve worked with security guys with imposter syndrome. They had their limitations. Everyone does. The difference is they knew their limitations and knew when it was time to ask for help. That’s a sign of competence, not incompetence.
I’ve worked with security guys who were completely in over their heads too. And they would never admit it. They played political games to get themselves promoted, often over people who were more competent but less politically savvy. But their political savvy was a cover for their failings as security professionals, not a sign of competence.
What to do if you feel incompetent
If you have a case of imposter syndrome, that’s good. It means you’re teachable and honest. Both to others and to yourself. The key to beating imposter syndrome is to never stop learning. And that doesn’t have to mean degrees or certifications. There’s plenty you can learn outside of those frameworks, and those are valuable too.
If it seems like everyone else around you is competent, it’s probably because they are. The majority of people in IT are pretty competent. You don’t know what’s going on inside their heads though. They probably have the same doubts you do from time to time. If they’re better at hiding it, that’s just their personality. Learn from them.
You may or may not surpass the people who are incompetent and make up for it with political games. But in the end they don’t matter. You won’t work together forever, and what matters is what you learned, how you’re applying it today, and being adaptable for the jobs of tomorrow.
Most importantly, stop beating yourself up when you don’t know everything. No one does. Know where to find the answers. More importantly, know who to talk to once you find the answers so they can take action on them. It doesn’t make you an idiot if you don’t know. It makes you honest. If you can find the answers, you’re still plenty useful.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.