Impostor Syndrome

It’s, again, been a while since I wrote anything, and that is in large part because I have been what I would call spectacularly lazy the last month. It is not how everyone else sees it though, and ruminating on this made me think that I should write something about it.

I played video games for up to 12 hours this last week, and although that is somewhat on the low side historically, my recent studies have had me playing a lot less, and reading/working/coding a lot more. In fact I almost see video games as wasted time now, and not the completely OK leisure time I once did, as afterwards, I have no real sense of achievement.

Today I am talking about Impostor Syndrome. Usually this characteristic presents itself in people as a crushing disbelief in one’s abilities, and a belief that they have effectively fooled everyone around themselves into believing they are good at something, anything, and will be found out at any moment, and acted against accordingly.

People think that they are going to lose their jobs, because they think it will be finally discovered that the company has made a huge mistake and that they are not to continue working with someone who so obviously does not have the skills for the job.

Ironically, people who suffer from Impostor Syndrome will work ever harder to cover what they see as their tracks in the sands of the desert of fraudulence. They will take on ever increasing workloads, and more and more responsibility to cope with being found out, trying to build a case for why they must not be the impostor their fears are telling them they are.

I suffered from it to quite some degree when I worked at a web agency a few years ago. I was the first tester they had ever hired, and had actually never heard of them before I started working there. I was also just out of the video games industry, and had never before done web application testing, so as far as I could tell, it was a whole new world. After a week or two, I started to realise exactly what I had gotten myself into.

The web agency was not just “any old web agency”, it was something called Fantasy Interactive. Fantasy Interactive, or as everyone called it, F-i, was the web agency. The projects they did would win awards all the time. What on earth was I doing there? There must have been some mistake.

The client list read like a who’s-who of the technology world. Google, Microsoft, Sony, Adobe, and even now it’s Facebook, Twitter and HP. I was not ready. I pretty quickly started to see the greatness in all those around me. Projects that we worked on were winning Emmys. The project I had just most recently worked on was a pretty mediocre corridor shooter, with a pretty good multiplayer component.

There was nothing “pretty good” about any of the people I was working with. They were all seriously talented, and I felt completely out of place. I had at this point been testing things and in the quality assurance field for perhaps a decade. More than long enough to be able to rationally justify my place at that particular table, but there is nothing rational about Impostor Syndrome.

I went through many of the stages of what others suffering from this problem do. I doubled down on work, really gave everything I could. I started to research testing frameworks in my spare time at home, and started experimenting with Python. I started reading about security problems and vulnerabilities and thanks to the excellent aloria, managed to see humour in security problems.

I thought I was protecting myself by making sure that no-one could see what a fraud I was, and making sure that people could not tell that I truly knew nothing about testing at all. What I was actually doing was just working really hard. It’s completely invisible when you are in that moment, but now with the benefit of hindsight, it seems entirely plausible.

I also started buying a lot of people a lot of cake. How could they possibly fire me if I was the cake guy, right? It turned out I just really liked cake, and as my hips could testify to, indulged myself and others around me way too often.

F-i was known for the very high quality of the projects it put out, and late nights shipping at 9pm on a Friday were not unusual. I only really saw that so much from the technology side of things, but the designers and UX teams looked equally paralyzed by work most days too. The last part of any project was known as “F-i-Q” which meant “F-i-Quality” and was the extra polish that you put on the end of the project. It meant an actual pixel perfect technological representation of the designs, and I mean down to the pixel.

I found out exactly how down to the pixel it was one day when I arrived at work and there was an email waiting for me from one of the company owners. It contained a link to a Vimeo page with a password for unlocking. There was not much else to clue me in to what it contained.

I grabbed a coffee and put my headphones on and started up the video, which turned out to be this person chewing me out for a good five minutes because I had missed a 1 pixel line that looked bad on a web page we made when viewed on an iPad. I had missed the F-i-Q. I had been discovered for the fraud I truly was.

If there was any kind of abating in the flow of Impostor Syndrome in the days that preceded that, I could not see it over the deluge I now drowned in. I was sure that my days were now numbered in the single digits.

I worked ever harder, essentially trying to hide myself in plain sight. I should not have worried.

That is what I really learnt through the whole experience. “It will probably be fine”. It is something I say a lot to some of my colleagues when I see them stressing out over details. “It will probably be fine”. And it probably will too.

So much of the emotional baggage we carry around with ourselves is invisible to others. Other people are probably way too busy covering up their own emotional baggage and focusing on carrying it to notice anyone else’s. It is highly unlikely that the day will ever come that you are confronted by someone yelling out that you are a phony and a fraud. “It will probably be fine”. This is kind of my mantra now.

Dr Jessica Barker recently asked people in the information security sphere, through the completely scientific medium of a Twitter poll, if they felt impostor syndrome at all, and if so, how often. The results really do speak for themselves. Fully one third of people felt it every single day.

What a crushing thing to have to walk around with. I know, I still walk around with it. Nearly another third said they feel it at least once a week, and the remaining third were near evenly split between sometimes/monthly and never. Only 1 in 6 people said they never felt it. That seems like something towards an epidemic to me.

I would say that if you are suffering from Impostor Syndrome, which if you work in information security, is (according to Twitter science) ~85% likely, then at least do yourself the favour of reminding yourself that “It will probably be fine”.

I can totally see exactly why you might if you are in infosec too. The field is just so vast, and people in IT are generally used to mastering their field. In infosec there is just too much to be a master of all areas. People who are excellent at web application security can be less than good when trying to overflow buffers in binaries. Malware researchers can be terrible at understanding threat modelling. The world’s best cryptographers can be the world’s worst SQL injectors.

It goes on and on, for every specialisation there is, there is another field that you can completely lack knowledge in. I am still falling into the trap of “Try to know all the things”. I look at my scrum board at home (of course I have a scrum board at home) and I see dozens of virtual machines to crack, several overly dense books, that I will probably read and never need the knowledge within. It is a hole with no end.

So how to get rid of Impostor Syndrome?

Well I don’t think you can. Or perhaps a more accurate statement would be I don’t think I can. Maybe you can. I hope you can. For me it comes down to knowing that I am never going to be the best at whatever part of information security I choose to enter. And that is perfectly fine. Even if I wanted to, the field is so broad, were I to choose something like webapp security, which I feel myself being pulled more and more towards every day, there are just so many people to measure oneself against, it’s a losing battle.

So stop battling. “It will probably be fine”. Like I tell my kids every time they are ashamed of something they did. “It’s not the fact that we failed, it is how we react to it that truly defines us.” Just try a little each day. Even if we fail at something, are discovered for the Impostors that we aren’t even anyway. What is the worst that could possibly happen? It’s probably that we just have to react to the situation like an adult. It will probably be fine.

I hope you have an amazing week.

It will probably be fine.

