
The Imposter Syndrome Security Gap - Illyana Mullins

BSides Exeter · 2026 · 30:28 · 5 views · Published 2026-05
Difficulty: Intro
Style: Talk
About this talk
Illyana Mullins examines how imposter syndrome creates measurable security gaps in cyber teams. She walks through five types of imposter syndrome, traces the self-doubt cycle that leads to delayed incident response and missed vulnerabilities, and offers concrete organizational and individual practices—from no-blame culture to better playbooks and mentorship—to build confidence and psychological safety in security work.

There we go. See, imposter syndrome. I swear this was a thing. Um um and really why we should be paying more attention to culture, confidence, and communication in cyber, which after listening to Paul's talk, he hit almost all of my speaking points. And I would like to blame him for that. So, you're about to hear quite a bit of overlap, but I do think it's that important. So, who am I? Uh I do a lot. I am Angel of all trades, mostly on the human side. I do everything from running a not-for-profit for women in tech to coaching and working with companies to do the culture and communication bit to running a resilience uh service and product for

small businesses. Um I don't sleep. Um so what is imposter syndrome? Now in a second I'll be able to explain why I think I'm teaching you all to suck eggs. And the answer is what imposter syndrome is is this feeling that no matter how much we do, no matter how much we accomplish that I don't deserve it. I don't deserve being up on the stage, I don't know enough, I'm not enough. And it's this perpetual feeling that goes through with that. Um, there's five types of imposter syndrome. I love when people start getting nitty-gritty and making things up as they go. Um, but they say you have the perfectionist. The perfectionist says if something is not

perfect, I have failed and therefore I'm an impostor because I might have gotten 99% of it. I might have gotten really good grades, but they weren't perfect. You have the expert. Well, I'm not the expert. Am I sitting in a room of experts? Absolutely. But am I the expert? No, I'm not technical. I don't have a technical background. So, who am I? Because I am not an expert to be sitting here talking to you, the natural genius. I had to study. I had to study and I had to practice. And therefore, well, that person over there absolutely knew what they were doing off the bat. They know what they're doing. I don't. I had to practice. I struggled. I had to,

you know, go out and I didn't get it the first time. So, therefore, ah, yeah. Nope. I'm not the expert. I don't deserve to be here. The soloist. I didn't do it myself, therefore it doesn't count. Uh that amazing project you delivered. Well, actually, no. My boss ran the project. Um that vulnerability you found, well, I got help with it. I had to talk to the community. I did that vulnerability research and that that was cool, but actually my team helped with that. So, who am I to talk about it? And finally, the super person and my favorite. I can't do it all. Therefore, nope. Not good enough to talk to you. I'm not good enough technically. So,

obviously I I have lots of skills. Talking is one of them. But nope, I am not the super person. I cannot do it all. Therefore, I don't deserve to talk to you. And those are the types of impostor. Can you have more than one of them? Absolutely. Do we face these a lot in cyber? Of course, we do. All of that to wrap up of this is what we feel. And there's a really nice cycle of this. So if I have an impos like imposter syndrome, I want to prove myself. So you speak up at a at the meeting and say, "Yes, I want to do that because I need to prove that I'm on this

team for a reason." I then panic because okay, I can do it, but but should this project have really gone to someone else? Well, well, maybe. So, oh no. and and then I stop because I now need to, you know, my self-doubts crept in and that leads to analysis paralysis. Well, suddenly, because I now have to prove that I was good enough to take on this project in the first place, I need to come up with all 400,000 iterations of what could go wrong, what could go right, and I still haven't started the project. Then you come in with panic and and then then you do it and you feel awesome for about five seconds and

you're like, "Woo, look, I I did do that thing." And then you come up with all the reasons why it wasn't good enough or why you weren't competent enough or I had to get help. So, well, yeah, I can't really celebrate that. So, yes, I need to take on that next project to prove that I'm really good and I actually deserve to be here. Um, and it's this really nasty cycle. Um, similar to the burnout cycle. Um, and a lot of this will lead to burnout. If you're constantly thinking of a 100,000 ways to try and do something, your brain will get tired. Thinking actually takes up a whole lot of energy scientifically. It It's great, but it will lead to this

burnout. And the numbers don't lie. Well, these don't do. And I'm actually going to tell you why that is in a second. So depending on the study because we like creating it. This is a newer term by the way. 1970s 1980s is when this first came about. Um between 33 and 75% of people have imposter syndrome. So in theory if I now asked the room I would expect some random of percentage of numbers because that's a really big percentage um difference to say they have imposter syndrome. Thank you, Paul, for, you know, being the one up here before me, uh, to prove that it exists. Um, 511%. I I like when things go over 100%. Uh,

is the increase, uh, in Google searches for imposter syndrome. So, this is something that people are becoming more aware about. We're talking about it more. Um, but I'm not sure how much good Google does with it. And 25% at the moment is the number according to some survey of the number of people in the UK who think that they lucked into their jobs. Is anybody in the audience going to admit that they lucked into their career? Because I talk to a lot. Oh, I love this crowd. And I talk to people every day and this is it. Oh, I fell into cyber or you know, actually I wasn't planning on it, but I do it now, I guess. or I don't

quite know how I got into leadership. I guess I lucked into it. I looked up at that meeting at the wrong time and I became a leader. Just randomly they suddenly decided to trust me with all of this responsibility and I did absolutely nothing before that to prove that I deserve the role. I think we all from the outside in can go that's probably not true. Why do I think some of these numbers are a lie? probably because that's the poll that I put up at the beginning of the week and that's not 75%. My network on LinkedIn is probably majority cyber and tech. You will notice it doesn't add up to 100% and the rounding is really

bothering me. So 99% of people, but out of that 99% of the people, 96% say that at some point that they've dealt with imposter syndrome. And more concerningly, 70% of those say that it's something that they are literally dealing with regularly. And I'm not saying doubt doubt's kind of this natural thing. It is. So the occasionally worrisome but you know if you can bounce back and have personal resilience for you know our favorite term in the moment but 70% of the people who are working in industry doubt that they should be in industry and that really bothers me or doubt that they're doing a good job and it leads to that burnout. Why would you do something

every day if you consistently go in and question yourself? It gets tiring. You don't feel like you belong. And we have an amazing community. So, it is pretty decent to stay around in. But this will get old. And why do I think it hits us harder in cyber security? Well, we kind of talked about this earlier. Cyber moves really, really fast. We're expected to know everything all of the time as one person. I was really lucky to do a podcast with someone this week and I can't wait till it goes out and she was like, "Yeah, I'm supposed to as a threat analyst supposed to know every single threat out there." Well, there's how many threat actors and

there's one person trying to keep up with them. It's never going to happen. Our industry is set up to fail just because of how big our industry is. And it's not just the people who are working in industry. You'll see this in a second. Why do I actually think it's harder? Um, without the memes, although I do like a good meme. Constant evolution. We need to know so much. And yeah, we find niches, but you you get comfortable and then AI pops up and now suddenly you're dealing with mythos and all that rubbish, which by the time this goes out as a recording on the BSides will be completely wrong. So, I'm not going to say anything

because that's how fast it's moving. We talked about egos and pride and I love that and the humility but we are a prideful group in cyber. Um we want to be the best. We probably drive on that thrill of the you know problem solving. We like the challenge. We then need to be that expert because we're trying to save that organization a lot of time a lot of money a lot of headache. And then we love gamification because I actually don't think I've seen a gamification talk but almost every conference that I go to there will be something about gamification. So you take people who already are at capacity who want to be the best who have this

drive and then make it a competition. What training platform doesn't have a leaderboard? Well, of course I want to be on the top of that. I do. Um it leads to a really bad mix because then what if I'm not? What if I don't have time to sit on insert has hack something the box try hack me whatever. What if I don't have the time to sit there and stay on the top of those leaderboards? Well, am I suddenly not good enough? Job roles and titles are ambiguous. I love the fact that Paul Paul, I'm going to pick on you. I'm sorry, but in there talked about how many different roles a CISO could have and the different types

of CISOs. That's not just the top. I have to tell people to get really creative when they're looking for their first job in cyber because I can tell you that cyber threat analysis probably has about six different titles if you go look on LinkedIn and then it's trying to find which one's there and they're really broad. So one cyber threat analysis if we're just going to pick one specific title if I look at company A and then go read a job description for company B I guarantee there might be two things that match. Not even like two things that don't match. No, every company and industry thinks about something and creates these like definitions and titles very differently.

I love it when you get into senior and like head of roles or like directors. Those have no meaning in cyber. Sorry if you're one of them, but a senior whatever for one company could be literally the top of the top and senior in another could be literally mid-tier management. That creates a mismatch of expectations. You also have paranoia and overthinking. They're literally a job requirement. I mean, we don't get into this because we're like, I think everything's fine. No, half of us got into it when I'm talking to you about how you got into cyber. It's like, no, I really wanted to know how that worked and how to break it. And then when I couldn't break it, I

really wanted to know why I couldn't break it. And then I really wanted to figure out how to break that. So, I did. It's in the job description. us being stubborn and curious and overthinking and trying to think of all those scenarios is something that's built into the DNA of most cyber security. It's that curiosity. Funny enough, we talk about it, relabel it. It's just curiosity. And I do agree that curiosity is the one thing that you need to work in cyber. Mistakes feel catastrophic. If I mess something up and I miss an alert, I'm not saying the world's gonna end because I don't think the world's probably going to end, but there are a

couple situations, you know, that you bring down the whole check clearing for the UK. People aren't going to be really happy about that. Mistakes can genuinely be catastrophic here. And then certifications create false benchmarks because they're a snapshot in time. And I'm I won't go into much more there because I'm conscious of time. So why do I think this creates a cyber security gap? Because I told you I was going to make you care about the risk. So let's talk about my SOC analyst. So if I'm sitting there and I'm in a SOC and I see an alert and I look at it and I'm like, hm, I think that might be an issue, but I really don't want to

look stupid. So I'm going to sit here and actually I'm going to do more research. I'm not going to trust my gut. And this happens. Well, all I'm all I'm giving is an increased mean time to response. I'm adding days to that because I'm not speaking out, which gives people more of a risk window. I love false negatives because trying to describe false positives, true positives, true negatives. But I'll use false negatives because they're much more difficult to argue when you're sitting there going, "No, no, no. It says it's not an issue, but I think it is." Trying to explain that I think it is can be much harder. But what if I don't have the guts to go and challenge

that because I'm using a tool. The tool should be right. The tool probably knows better than me. Well, oops. I haven't escalated it because well, it says it's negative. It must know what it's talking about. Yeah, it wasn't. And it leads to a breach. Incident response, because I'm picking on everybody. Um, I love this. What if I'm sitting in an incident response planning or a war game and we're practicing and my boss has come up with something in this plan and I decide, "Oh, I think that's wrong." Sorry, sometimes leaders aren't right. I don't always know better than everybody. I just act like I do. But if I don't speak up because I'm unsure or my

imposter syndrome's sitting on my shoulder, you know, like one of those little devils from like the 90s cartoons, um, sitting up there going, "Yeah, you probably don't know and you don't challenge." Well, you haven't created a better process to follow. Or, hey, this is my first incident. I've done the war games. I understand this, but actually, I'm really uncomfortable speaking up because that doesn't seem right or I think we should be doing this. Well, all of a sudden I I don't think I have that value to add because this is my first one. What could I know that someone Sorry, Harriet, to pick on you. You've been through Equifax. How could I like possibly know

something that Harriet doesn't? Well, I probably don't, but in this hypothetical situation, um I keep my mouth shut. So, we've missed information. We've created much more difficult communication. We've probably delayed something because I'm not speaking up. That's still a risk. Told you I was picking on everyone. The leader, I'm not as qualified as people think. I got lucky. I talked to a lot of senior leaders in cyber and most of them think that they got lucky. So, if I'm now having to fight with the seabboard and I don't have the confidence that I deserve to be in front of them arguing my case to give me more budget, well, I'm not going to be very effective at arguing

that case. I don't think I'm technical enough, so I shouldn't be a leader. There is a gender gap on this one. And I'm not saying it's just a gender gap, but I talked to so many people. I think technical people should be leaders. I think we have a lot of work to do for leadership in general. People are made leaders without any idea of what being a leader is or how to be a leader. Um, it's one of the things that I'm literally working on fixing in industry. But I also think if I'm good enough to know who I need to go talk to, not every technical person wants to be that leader, and if I know who I can rely on

my team who is technical enough, then why can't I be a leader? Because I might be really good at talking to the board or really good at translating and really good at doing the political bit that I mean, I hate the political bit, so we're not talking about me, but why why can't I? We're missing really valuable leadership skills. the developer because I told you I'm picking on everyone. Well, I see a vulnerability in the code, but I don't raise a security concern because I'm not a cyber security expert. I have genuinely seen this happen. Well, it looked dodgy, but we needed to get the code out and people were putting pressure on us from up above and you

know, we just needed to ship it and I'm not a cyber security expert, so not my problem. They can deal with it once we pushed it to prod. Um, we've now put the vulnerability out there. Who exploits it? Hopefully it's just the pentester who we've hired to actually do it, but maybe not. Um, or the once again because we do have kind of the same thing. I won't challenge seniority. So, if all of a sudden I have a senior developer who's like, "Yeah, I need that, you know, pushed now. We're under deadlines." I'm going, "Well, they know better than me. I'll do it. I'm not going to check. I'll just get that done." Well, who would

have thought? Those both lead to vulnerabilities being out there in the wild. I will move out of the way of the pile of gift cards. Um, the workforce. So, I like this one because this is where we start arguing about where humans are either the weakest point in our security or the strongest point. Well, no, we're human. We're valuable. But if I'm new into finance or accounting and all of a sudden I have who I think to be the CEO on a video call to me going, I need you to do or push this payment through and I really need to prove that I got this job and I know what I'm doing because I like

paying the bills. Well, I'm I'm doing it. There's a pressure there that my imposter syndrome even without the the training. And by the way, this doesn't just happen out there. This is where I have to raise my hand. So when I started at P3M works first week, I get a text message like WhatsApp and it's stupidly early and I don't do stupidly early and it's like, "Hey, it's Jack, your director. I'm in a meeting. I need you to contact me. You know, can you send me like an email?" It wasn't it was like my number or an email or something. It was it was not you know the gift card and without thinking because it's the

first week. I haven't really thought like oh it was an email and they asked me for my number so he could WhatsApp me. Totally didn't check it. I had checked my email on my phone. I think it was like something like 6:00 a.m. in the morning. Um I work in cyber long enough that I shouldn't fall for that. I gave him my number. I got the message and went, "My god, I'm a moron." But it was my first week. I had more to prove. Uh, and attackers will specifically target new employee announcements for that reason. Uh, and I don't want to be wrong, so I'm not going to report this email that I think is phishing because

well, what if I report it and then I have to talk with cyber security and they're really high and mighty that this wasn't and it was just something. Um, I've also seen that happen. So, more importantly for me, now that I've said that there is a risk, because I do genuinely believe that, by the way, part of it was a joke that I do want you to care about imposter syndrome, but I do genuinely think imposter syndrome and burnout have an unintended risk to a company. It's why we should be focusing more on mental health. What can we do about it? So, first we're going to address four truths that no one wants to hear.

Everyone Googles. Despite what some of the university professors that I've talked to have stated, I think I was really shocked that not here in Cheltenham. I was talking to a professor and they're like, "No, they can't Google. That's still considered cheating." And I'm like, "How do you expect me to know everything in cyber security? There's a reason we have forums. I bet I could ask anyone here where their favorite, you know, type of material where they would go for a resource." I used to say Twitter, but no. Um, you know, but but genuinely, we all Google, too. There is no such thing as a dumb question. One of the things that you talked about is saying I don't know. And

we'll talk about this again in a screen. I don't know should be absolutely okay in everybody's vocabulary. You can't know everything. As much as I want to know everything and I act like I do and ask me, I will give you an opinion on almost everything. When it counts, I'd still say, "Yeah, I don't know." And if you don't know, when you're sitting in a meeting going, "Hm, I don't know this, but I don't want to speak up." Ask the dumb question. You're not going to be the only one. Seniors forget, too. People who have been in industry for 20 years, they might have some of that core knowledge, but I hate to say it, technical gets

moved out of the way for leadership and finance figures. It's outdated. Seniors are leadership isn't invaluable either. And finally, which is probably the most relevant one to me is that the loudest person in the room is probably not the smartest person in the room. And we all know that I am currently the loudest person in the room. I don't need this microphone. But my overconfidence can outshine a lot of people. If I'm sitting in a meeting, I am very conscious because we'll get to this in the practical tips of what we can do. I'm really conscious of how I make space for someone because I can absolutely intimidate people into not speaking. So, what do I think the corporation as a

whole can do? And yes, we always talk about leadership starts at the top. Most of these can be done yourself. If you're a leader, do it. If you're not, I'm going to come track you down and give you a very strong talking to and you'll have to listen to my opinions even longer. If you are just starting out your career, this is all still stuff you can do. You all have input into this. The first one is really personal for me. For the longest time, I went, I don't know who I am without Witch. I do not know who I am outside of what I do in cyber security. If I had to shut which

down tomorrow, I mean, I'm dressed in my brand colors, my entire like there is I'm extra, but I mean, I literally have an identity that is formed within what I do in cyber. If that suddenly closed tomorrow, who am I? And that creates a crisis. That also leads to imposter syndrome because well then I have more pressure to know it all because I have to have this. Well, if I don't exist as a person or a personality anymore. Well, of course that's going to be. So, as Harriet did, you learned tennis and you expand that. And I know I'm not the only one because I've seen LinkedIn posts where people are like, I don't know who I am if I'm not a cyber

professional. I'm also a geek. I have lots of animals. I practically live in a small zoo and I collect board games like they're um Pokemon. Give space and oh implement no blame culture. We talk about this a lot in cyber security but I don't think we actually ever embrace it especially when it comes to ourselves. We will talk about oh that person clicked on a phishing link. It's no blame. We're just going to teach them more. Well what happens when we're the ones blaming ourselves? That no blame culture needs to be passed on at a leadership level. Yes, root cause analysis is great, but I'm sorry everybody stops at that human layer. Well, this was caused because you

clicked on that link. Well, no. Why wasn't the process human-proof? Can you completely human-proof something? No. But but why didn't we do more? We stop at the human blame level way too much. And then of course, why wouldn't we then do it to ourselves if we're doing it to everybody else? Give space and time for everyone to give feedback. If this is saying, hey, you know, if you have a comment about this and you don't want to make it in front of everybody having the meeting, come talk to me after or email me because not everybody likes speaking out in meetings. And this can be done by an individual just going, "Hey, Harriet, I know you haven't spoken.

Did you have anything you wanted to add?" Anybody can do that. Have internal mentorships and sponsorship programs or look external if you don't, which has some. Uh, build better playbooks. I shouldn't have to guess. My imposter should be able to be beaten with a baseball bat and that incident response plan. It is a great way to be able to go, nope, I know exactly what I'm doing because I have a playbook that says I know what I'm doing. Have learning and development that's not just technical. We should be doing much more in leadership training, communication training, speaker training. Um, that should be something that is just as mandatory for everyone. Not because you should be out here speaking on stage,

although I really truly believe everybody should. You all have something that I want to hear you say, and I think everybody would echo that. But no, because if you can stand up here and give your opinion and talk about it, you can do it in any meeting room. It just takes practice. Make I don't know a valid answer. Please do this. My one challenge to everybody, and I'm about to get into the individual and then really speed through this week. If you don't know, say it. Please say it. And reward questions. Reward the curiosity. Don't just reward the people like me who think they know it all. So, what can you do? Document your wins.

Funny enough, I run two mentorship programs for W at Witch. I do one for leading ladies, so senior women. I also do one that we consider tech trailblazers for women in their first year of industry. The first kind of class of the cohort, we do the same thing. We create goals and then I challenge everybody for the next six months while we're meeting that you will document your wins. And I make sure they do because the first question that I ask pretty much going forward in all the other five consecutive meetings is so what was your biggest learn and what was your biggest win? And by the way, this isn't just good for your imposter. It's

also really good for keeping your CV up to date. So when you do want to go find that job, like it's one of those things that is absolutely essential and no one does it. And then by the time you get to the end of your year review and your boss is talking to you and you're like, "What did you do? Like what did you accomplish this year?" I don't know. I don't remember what I had for breakfast this morning. So, if you document it, not only do you have an up-to-date CV, you can blow your boss away with your end ofear review. Well, funny enough, you get to prove to yourself. So, when your imposttor pops

up, you can go, actually, look what I've done. Look what I've done. Well, I don't need to listen to you. Mentor someone. Whether that's reverse mentorship, but go out. If you can mentor someone, you are. And everybody here can. I don't care if you're in your first year. There is someone out there like a student that you can mentor. Everybody has something and knowledge already that they can pass on. And reverse mentorship is also a thing. So if you are just starting out, there are leaders who need to know what you're thinking, how you're doing it, and what they've missed for the last 20 years. Work on challenging limiting beliefs. So anytime you say, "I don't know that. I'm

not good enough." Stop it. Imagine me sitting up here lecturing you about why you shouldn't do that. And if you ever say that in front of me, I probably will give you a lecture of why you shouldn't say that. Paul, you deserve to be up here. You have a growth of exp like wealth of experience and I was inspired listening to you. So that's why you should do it. There you go. Tell that imposter to go sit down. Separate your role from your identity. And this can be hard because we put a lot into this. Cyber people are genuinely someone like some of the most passionate people I've ever met. And that passion often leads to our

sense of fulfillment. And yeah, sometimes that's great because we can literally go out there and save the world. Like we're protecting really cool stuff, but that also means that if something goes wrong, we take that just as personally and it can't be because you'll burn out and we'll lose you from industry and we can't afford that. And stop waiting to feel ready. I whether it's to apply for that role, to get that promotion, to give a talk, do it. Do it scared. I I mean, I've always done it scared. I'm trying to get rejected like a hundred times this year because eventually it kind of goes a little bit numb. I can tell you every

time I step on stage, I still get nervous. I do it anyways because I love talking and hearing the sound of my own voice, but also because no one else is. So, I need you to stop waiting to feel ready so we have we can stop listening to me. And that is it. But please remember that you're not a fraud. You're just paranoid. And you're paid to be paranoid.