Cybersecurity is often viewed as a highly technical industry. This perception is largely accurate; however, a lack of technical knowledge shouldn't prevent someone from exploring a cybersecurity career.
"If someone has a lot of intangible qualities about them, they'll likely be a good fit for a role in security," said Alyssa Miller, author of Cyber Security Career Guide. "Once they're in the role, managers can bring them in and help them develop on the technical side because they have the other pieces -- like natural curiosity or problem-solving or empathy."
Even those entering roles in the industry with technical skills in hand will feel inadequate in their job at some point in their career. These feelings are completely normal, Miller said -- especially in an industry that is constantly changing.
The phenomenon, known as imposter syndrome, affects the majority of people. The term describes feelings of doubt in one's own abilities, especially in a professional environment.
In her book, Miller dedicated an entire chapter to imposter syndrome and how to manage those feelings. Here, Miller discussed her book and offered advice on starting a career in cybersecurity, mishaps to avoid during the job-hunting process, tips for once you're hired and more.
Editor's note: This transcript has been edited for length and clarity.
Who will benefit most from reading your book?
Alyssa Miller: The primary audience is people looking to start a career in cybersecurity. That might be college or high school graduates who have decided they're ready to launch a career or those looking to pivot their careers toward security.
There's a secondary audience, too: professionals who are looking to accelerate their careers and learn how to be successful in the long term. The last three chapters of the book are focused on positioning yourself for long-term success, while the first six chapters are about finding a job and dealing with the job hunt.
How did you start your career in cybersecurity?
Miller: My career journey is a little complex. At 12, I bought my first computer and hacked into an online community service -- I wanted to play their games without paying for a subscription. But that never looked like a career to me.
I entered college as a pre-med major. Three semesters of college-level chemistry will tell you if you're cut out to be a doctor -- and I was not. So, I switched careers and found computer science. While still in school, I got a full-time job as a programmer. I worked in that role for nine years before I was asked if I wanted to join the pen testing team.
It was a new challenge. My manager from that role is one of the three people I included in the dedication of the book. When I told her, 'I've never done pen testing before,' she said, 'You're smart; you'll figure it out.'
That's what we've lost in cybersecurity. It's shocking how many hiring managers talk about that conceptually, but few invest in talent that doesn't fit the typical image of a person in cybersecurity. You don't necessarily need a tech background or technical security skills to succeed in the industry.
Learn how to create a cybersecurity resume in this excerpt from Chapter 6 of Cyber Security Career Guide by Alyssa Miller, published by Manning.
What are the most common mistakes made by entry-level candidates during the application process?
Miller: The first mistake is a lack of understanding. I have people come to me and say, 'Hey, can you help me? I'm trying to get into cybersecurity.' I answer, 'Great, what do you want to do? What are your interests? What do you want to learn about?' I know that's a big ask, so in the book, I walk readers through an exercise to help them find their place in cybersecurity. You won't be able to tackle everything, so it's important to focus on the topics that really drive you. Step one is knowing yourself.
Second, people undersell their skills. A barista, for example, should ask themselves, 'What did I do as a barista that would fit well for this job? What transferable skills do I have?' Baristas take inputs from many sources, prioritize those inputs, translate them into tasks and deliver a quality product. A security analyst, for example, has a similar job. They get alerts -- or inputs -- all day and then must process and prioritize them in a timely manner. In the book, I use the barista example to explain how to take inventory of your skills, while removing coffee from the discussion. Now, you've got transferable skills you can talk about in other places.
The third mistake is not understanding how to negotiate your pay. Every job offer is negotiable. Every hiring manager and recruiter I've talked with has said they send out job offers knowing the candidate will come back wanting to negotiate. It's part of finding the right mix of compensation. Maybe that's a signing bonus or more vacation time. Your salary shouldn't be based on your previous pay; it should be based on your requirements for salary in this new job. This requires candidates know their worth -- and that's the hard part.
Speaking of knowing your worth, why was it important to include a chapter on imposter syndrome? How prevalent is it among security pros?
Miller: Eighty to ninety percent of people in cybersecurity and tech say they've experienced imposter syndrome. I think people are lying if they say they've never experienced it. I have to wonder how narcissistic they are, honestly. We all get those moments where we feel insecure.
Imposter syndrome might stop us from taking advantage of an opportunity -- for example, when I decided to take the pen testing job. We should all feel empowered to chase the next big thing. That's how you grow -- by putting yourself in uncomfortable situations. But there's the voice in our head that tells us, 'We're not good enough.'
Imposter syndrome never goes away. You just learn how to acknowledge it, put a name on it and then say, 'I'm not going to let that feeling hold me back.'
Throughout the book, you mention the impact of social media on the security community. How has social media affected your career?
Miller: For the majority of my cybersecurity career, I wasn't well known. I worked 8 to 5, went home and didn't think about cybersecurity until the next day. It wasn't until 2017 that I created my Twitter account. I mostly used the account to share when I would be speaking at conferences -- no one wants to be that person speaking to a room of five people.
After that, it just took off. It's really shocking that I'm sitting here a couple years later with over 60,000 Twitter followers. The increased visibility has really impacted me and allowed me to be more authentic. I have the ability to advocate for others in the industry.
I found my current job through social media, too. I connected with somebody on social media, and we ended up at the same roundtable event. I found out the organization she worked for had an open position. I reached out to her, leveraged my social network and landed the job.
It's important to recognize, however, that it's not the end-all be-all. Having a social media account isn't a must if you're looking to start a career in cybersecurity -- but it can be a useful tool.
Once entry-level candidates land a job, what advice do you have for them during their first six months?
Miller: Expect to be overwhelmed. You're going to be working with knowledgeable and experienced people. In the first six months to a year, you might feel discouraged because there's so much to learn. That's completely normal.
Don't be afraid to ask questions. People will assume you already know what to do because they don't realize that you don't know. That doesn't mean they're going to judge you. They saw your resume, and they know what they were getting when they hired you. They're not going to fault you for asking questions, but they're going to fault you for not being able to do the work because you didn't ask questions. That's how you learn and grow.
About the author
Alyssa Miller is a hacker, security researcher, advocate, author and public speaker with over 15 years of experience in cybersecurity. She currently directs security strategy for S&P Global Ratings as its business information security officer. She frequently participates in public speaking events about security and privacy at various conferences and events. In February 2021, she gave a TEDx Talk on the tech skills and talent shortage. Miller began her IT career as a programmer for a financial software and services provider before moving into IT and security consulting.