Those in cybersecurity are keenly aware of the concept of “imposter syndrome.” Some think they don’t know enough to succeed in the industry. Others believe they don’t have the right experience to contribute anything meaningful.
In actuality, many people suffer from imposter syndrome at some point in their cybersecurity careers. This reality suggests that many of us are too hard on ourselves when starting off in the industry. Cisco found this to be the case after asking numerous cybersecurity experts the following question: “If given the chance, what advice would you give yourself when you first joined the industry?”
These experts’ responses are presented below.
That’s a good question. For me, I didn’t feel like I had much guidance. There was no woman that I’d seen doing what I was doing. There was a steep learning curve because cybersecurity was still very new to me. I didn’t see myself reflected in those spaces. So I felt lost a lot of the time, and I didn’t have much direction or any mentors to turn to because there were so many men, and not that many women.
If I could go back and tell myself anything, it would have been to pace myself. I would have reassured myself that I was on the right track, that things would turn out the way they’re supposed to. And I would encourage myself to learn as much as I could but to be patient with my learning. A lot of times, newbies want to be experts, and they don’t give themselves the chance to take the steps to get to that point. Having been in the industry for about 11 years now, I totally see that even if you have all the books behind it, you still don’t have the experience when starting out. That experience is what helps me execute my tasks and examine a problem the way that I do. If you’re new, you don’t even know how to think that way. You wouldn’t think that way. I wouldn’t want to shortchange education, but I know how necessary experience is.
So I would have just told myself to be patient. You’re on the right track. You’re doing all the right things. You’re learning. You’re getting the foundations and fundamentals. And every aspect of that industry is going to involve learning. The learning never stops. Basically, I would have taken the pressure off of myself to know everything in the beginning so that I could add value to a space and just know that it was going to come with time.
The advice that I would give myself when I first joined the industry would be to trust the process. I don’t necessarily know if I would give my past self any new advice because I’m thankful for the journey that led me to where I am. But trusting the process has been something that I tell everyone and myself often. You can only do what you can do. The rest is up to the process of contributions and reaping the benefit of the work that you put in. So if you trust the process and stay disciplined, great things can happen for you.
I would remind my younger self not to internalize criticism. I am a threat intelligence analyst, and also a writer. You can’t be a writer without having a thick skin. If you’re a writer, your work is going to be critiqued. Nine out of ten times it’ll be stronger for it.
This goes double for the cybersecurity industry. Conflict between attackers and defenders features heavily here, especially in the response-related corners of the field. In cybersecurity, personal feelings sometimes take a backseat to quickly responding to an issue. It has definitely changed for the better over time, but there is an above-average number of plain-spoken and direct people in this industry.
When coming from a non-computer related field, not everyone will immediately see the value of what you bring, and you’ll have to spend extra time proving your worth. Stand your ground when necessary, but pin your ears back for other ideas and perspectives. You’ll pick up some very valuable information.
So ultimately, my advice to myself would be to learn to take things in stride. That, and don’t get too attached to that hairline.
Looking back, I would advise myself as follows:
When I first joined the industry, I wasn’t aware of all the options and diversity of paths, so I got sucked into the “you MUST be technical to be worthy of anything” world.
If I were to go back, I would tell myself to not worry about how technical I was or wasn’t. I would put more focus on knowing my strengths, interests, and hobbies. I would then spend time figuring out how I could combine them all to make a difference in someone’s life.
Not everyone gets to do that, but if you can find that combination, it can be life-changing. I eventually found it, but I would definitely tell myself to stop stressing over grades, certifications, job titles, compensation, and technical abilities because it doesn’t matter. It didn’t for my journey, at least.
I would tell myself that the impact I was called on to make in this world was bigger than any of that, and that I didn’t have to squeeze myself into a box of degrees, certs, job titles, and career paths.
I would basically say to pace yourself and to understand that you’re not going to be able to learn everything overnight. Cybersecurity is very broad. You have things from ethical hacking, pen testing, digital forensics and incident response, exploit development, etc.
So yes, become familiar with all the different domains and the ones that you want to specialize in and that attract you the most. Then dive deeply into it while always recognizing that you will never be an expert in every single area in cybersecurity. Pick your niche and concentrate on it.
The advice I always give to those new to the industry is to network. Networking is so important; had I not done it, I would not be where I am today. By attending a huge amount of conferences and events over the years, I have been able to build a network of professional connections and friends who have helped to support me along my security journey.
If I could turn back time, I definitely would have told myself to not be afraid and to start networking earlier! At first, I was scared to attend events and I didn’t start doing so until nearly the end of my first year at university.
In my opinion, it’s never too early to start networking. The earlier you start, the sooner you can grow your network and utilize it as a stepping stone to help you kick-start your career.
If I could go back to the point when I was just joining information security, which was more than 20 years ago, I would tell myself to not shy away from being visible. I would urge myself to use my voice and network. Visibility is the most important thing that a woman needs to focus on in order to advance her career.
When I talk about visibility, I mean it in a sense of using your voice so that people know about you. You need to get yourself out there. They need to be able to see and understand the work that you are doing. So it’s really important that women build their visibility.
When I came into the industry, I was building my own company. I was leading that company, so visibility to me was important from a leadership perspective. But if there was an opportunity for me to be a spokesperson for my company or to go and speak, I would always avoid it. I would push everyone else forward. Except me. I was absolutely petrified. I was very fearful of the press. I thought they would manipulate my words, which isn’t the case. (Not always, anyway.)
So that would be my advice. Get out there. Be visible. Use your voice, demonstrate your value visibly, really focus on building your network and use all of the tools around you. Nowadays, it’s a different kettle of fish. We’ve got social media and things like that. When I started my career, we didn’t have those. And there weren’t any networking groups for women in those days. That’s the advice I would give myself.
Finally, don’t worry about your age. Don’t worry about how young you look, and don’t worry about not being considered technical. For me, I had a great big hang-up about being really young. I wasn’t actually bothered about being a woman. I didn’t see that as being a disadvantage at all, but I was really concerned that I looked so young and that I wasn’t technical. So I would go back and tell myself to not worry about looking young and to not worry about not being technical. I was able to do my job and to do it really well even though I wasn’t technical in those days.
There are two pieces of advice I’d give myself from lessons I’ve learned over the years.
The first piece of advice is from a lesson that came from me being too naïve and idealistic early in my career during a time when I was building and managing an information assurance program for a large multinational corporation. The information security and privacy policies I had drafted for the corporation were approved the previous year and lauded and supported by the top executives. They applied to all employees, and they clearly indicated a range of non-compliance penalties to those who chose not to follow the requirements.
During an audit, it was discovered that one of the business unit Senior VPs regularly shared his ID/password with his staff so they could log in to the corporate network on his behalf to do their own time cards, etc. We also learned that he had been sharing his ID/password with his daughter, who used his work computer at home to go online during the early days of the internet so that she could visit chat rooms and do shopping in the few online stores that were then available.
When the audit director, who was much lower in the organization’s chart than the Senior VP, confronted him about this, he stated that he saw no reason to stop since it saved him time and made his daughter happy. I met with my manager, the Sr. VP and CIO, who reported directly to the CEO. I thought he would be outraged at the flouting of security requirements as much as I. However, he told me that while he admired my egalitarian beliefs, he thought that it just wasn’t practical in a large corporation such as ours to have a high-performing senior executive held to the same standards as everyone else, even if they were security standards.
I did not like that one bit. That made me realize that I needed to do more to understand executive and other management views of information security and privacy. I could then take those perspectives, and use them in effective ways to raise awareness of all levels in the organization chart about the need for strong security. That was the only way to obtain executive buy-in.
It was around that time that I realized that a one-size-fits-all training session was not going to compel those who already had great latitude in their decision-making for the actions they take to follow sound security practices. I covered this issue of customizing awareness in the two editions of my book, “Managing an Information Security and Privacy Awareness and Training Program.” Even so, I could write an entire book on just this type of situation alone.
Another piece of advice to myself would be to not wait until I feel I am confident I know and can do everything related to information security and privacy before offering ideas or being proactive with actions. Early in my career, I did not speak up with my ideas that likely would have propelled me much further and more quickly in my career if I had. No one will ever know, though.
We need to have confidence and faith in our own capabilities as well as to always approach issues logically. We also need to be aware that others who may be less knowledgeable and/or experienced than you will advance more quickly because they didn’t wait to be 100% knowledgeable or fit 100% of an advertised position within which they ultimately excelled.
I don’t really agree with the “if you could go back in time and give yourself advice” post hoc-type question. It evokes the construct of regret, which arguably negatively impacts decision-making processes. At any point in time, you make a decision based on the available facts and advice, whether these are educational choices, career choices, work choices, or life choices. From my perspective, the ground rules are pretty straightforward. Were you ‘compos mentis’ (of sound mind) when you made a choice? If yes, then you should respect your decision. Regret simply serves to undermine decision making not just in the past but importantly going forward, as well.
Bottom line: don’t second guess your own judgement, that is, the ability to make considered decisions and come to a sensible conclusion. My only advice to those who seek a career in cybersecurity is to do what I did and don’t view opportunity through the myopic lens of a singular discipline. Try to adopt a transdisciplinary approach, and don’t underestimate the incredible value of the arts. In terms of decision making, Robert Frost’s “The Road Not Taken” sums it up:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.
When I was a kid, I was diagnosed with Dysgraphia, a learning disorder related to Dyslexia. This didn’t happen until rather late in my childhood. Up until that point, I believed I was “stupid and lazy,” as that is what many teachers told me. My handwritten work was illegible no matter how hard I tried. Even though I was a creative kid who loved reading and who read at a college level, I could not communicate my ideas on paper.
When I received my diagnosis, it made a huge difference. My parents bought a computer. I took typing classes. I started playing guitar (to help with motor skills). I ended up being the first in my family to graduate from college, and since then, I have built things that many people didn’t think were possible.
The impact on my self-esteem is something I carry even today. If I could go back and tell myself about my disorder, tell myself I wasn’t stupid and to get into computers sooner, I think it would help my confidence throughout all of my life.
The one thing that stands out for me is asking questions and being brave about asking questions. I still remember early in my career how I often found myself being the only woman in the room, the only person of color in the room and/or the youngest person in the room. And on top of that, I already had a very shy and timid personality. Bundled together with asking questions, it was a nightmare for me sometimes.
What I would do is I would take out a notepad every time I heard something I didn’t know or every time there was a concept that I couldn’t quite grasp. I’d go home and do a ton of researching and studying to figure it out. That worked for me.
Sure. I learned things. But I can’t help but reflect that had I been more intentional about asking those questions in the moment, and more open, I could have gotten that feedback and gotten those answers then and there and been able to apply that information and learn more quickly. But then the other piece to that is I was surrounded by people who had so much rich experience, so much talent and so much knowledge.
With that said, I think being able to ask those questions and really get that information and soak that in, as well as to build those relationships with the people around you is an added plus. Don’t be afraid to ask questions. No matter how “beginner level” those questions might sound in your head or how stupid you think some people might think they are, all of that doesn’t matter at the end of the day. When you get answers to those questions, that is helping you to evolve and grow into the best version of you and the best professional that you can be. That is what matters. That’s exactly what I would tell myself. And that’s exactly what I still tell myself today.
As a beginner, I didn’t know where to start, and I didn’t know what was important. The healthcare system has all kinds of security aspects to consider, and I wanted to know all of them. Over time, I realized that I can’t know everything in this field; nor do I need to. This helped me learn to take a breath, to take a look around, and have more patience with learning step-by-step instead of all at once.
There are many sources of information and free courses/training packages that we can find on the Internet for learning more about security. There are also many companies that will give you a chance to start working even if you don’t have your diploma. Reach out to them to show your initiative! The information security community is awesome. It’s full of people who will help and support you when they see that you’re moving forward with your heart and that you want to learn. If you don’t understand something, they will be there to help. Just be respectful of their time.
Earlier in life, I took a chance to find my place in the security world without losing faith and trust in myself. Thanks to some people and their trust in me, I was able to find my place. I now find what I want and do what I can to produce change for the better. So here I am, a nurse in the information security world.
Want to learn more about the beginning of these experts’ careers in cybersecurity? Download Cisco’s eBook, “Diversity in Cybersecurity: Mosaic of Career Possibilities.”
The post Trust in Yourself and the Process: Key Guidance for Forging a Successful Cybersecurity Career appeared first on Cisco Blogs.