Infosec imposter syndrome is real. Here's something that can help Imposter syndrome plagues people across all professions — including the cybersecurity industry — and it's not going to get any better until individuals are willing to share their struggles and find tools to help overcome these feelings of inadequacy. Vicky Ray, director of Palo Alto Networks' Unit 42 cyber consulting and …
I should perhaps point out that sheer humility and feelings of inadequacy can sound very similar.
I don't doubt that some people clever people suffer from genuine Imposter Syndrome, but just because someone admits that they don't feel up to the job doesn't mean that they aren't being humble or even that they aren't genuinely correct in their being incompetent.
In my case I can't see any spot where all four even can overlap.
As David Graeber pointed out, the most useful jobs are frequently the worst paid. What, you want money as well?
In my current $WORK, I'm coding tools for 'people herders' to carry out marketing. (Is that two or three corners on the Bullshit Bingo Card?) What can I say, I'm a code whore.
I totally recognize myself in these descriptions. I had been actively involved in the Swiss (Switzerland) infosec scene for a bit more than 10 years, I used to present at international conferences (talks, trainings and workshops) quite regularly. I also held local chapters for security associations. Although I always had very good feedbacks from my work, every instance of public work felt incredibly difficult and demanding to me, and pubic speaking was utterly stressful. I always felt my message was mediocre, and my content too basic in comparison to other professionals.
At the time EDRs were becoming a thing, the scene shifted to focus almost exclusively on exploit/detect/respond/recover. Protect and identify were (and are still) my passion, I was still eating threat modeling, architecture risk assessments, secure systems engineering/design, privacy engineering, etc. for breakfast, but I always got this feeling that both organizations and the community would rather invest their time and money in detect/respond and consider my message useless or insufficient. I started rejecting invitations to speak at events, I regularly reject freelance work because I convinced myself that I'd not deliver good enough quality.
Ten years forward, I'm not on the podium talking anymore, I'm in the dark corner of the conference arena or the meeting room, listening to my professional peers and colleagues. I very often feel I'm being shown mediocre work, lacking causality from all parts, but I just tell myself "don't jump into conclusions, you probably missed something they know better than you, it's not your fight and not your data."
Today? I moved from my 60-hourweek poorly paid consulting position to the security products wagon. I joined an editor, my top sellers keep making baseless and clueless promises to our customers but these don't care and keep throwing enormous amounts of cash at our face. I find this utterly indecent, sad, and frustrating, but hey: I get paid a fantastic salary, I support my family well, I don't have to think twice before purchasing anything, my manager is fond of me, and most of my time is spent assessing whether an alert is relevant or not.
I know deep inside I could have done brilliant things, but something happened that just shut me off and since that day, I feel like a professional failure. Not later than today, a conference host asked me if I wanted to say things at a keynote. I refused. I would never ask myself to speak at a keynote, I can't fathom what could ai say that risks would be interesting to an audience of 2000 security professionals who paid their seat
I can't tell if this is impostor syndrome or I'm a just being an arrogant jerk. But hey, as long as you install X and I get paid to manage your alerts, I get to travel business class in many beautiful places and put money aside for my two sons.
Can I complain?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
