by Christa M. Miller
It’s pretty much impossible to work in a small, niche community like DFIR and not eventually rub elbows with a rock star. You go to a conference and get to talking with someone, and you don’t even realize until 20 minutes later — when, inspired by the conversation, you finally ask for a business card — that you’ve been talking to Sarah Edwards, David Cowen, Alissa Torres, Rob Lee, Cindy Murphy, Eric Zimmerman, Heather Mahalik, or any other Big Name that you’ve always wanted to meet but been too intimidated to work up the nerve to approach.*
You immediately die of embarrassment, melting into a puddle of self-loathing. How could you have missed whom you were talking to? Like the awkward kid in the lunchroom longing to ask the most popular kid in school on a date, you’ve admired your heroes from afar, convinced you have no business talking to them:
- You’re not experienced enough.
- You’ve never testified on a major case or responded to a news-making data breach.
- Your code resembles command-line chicken-scratch, copied directly from Stack Overflow.
And for all their encouragement to contribute to the community, you’re convinced that you’ll be the one laughed off the forums for a contribution so obvious, a sixth grader typing a few terms into Google could have made it.
The last 20 minutes of intelligent, well-constructed conversation melt into the floor alongside you. You suck, and you “know” the rock star you’ve just spoken with knows it now, too.
Coming to grips with the suckage
This kind of impostor syndrome is so rampant and pervasive throughout the DFIR community that it needs a way for people to disempower it by laughing at it, at themselves, at the notion that we’re not all in a continuous learning process. Perhaps memes:
Because it’s hard not to feel like an impostor when a defendant’s fate or a company’s business rides on how you interpret evidence. It’s one thing to prove or disprove a hypothesis when you’re legitimately bound by what isn’t yet possible; try making a case on a locked iPhone 5s for which you don’t have the passcode.
When you know you are lacking skills, however, things get a lot less comfortable. Who are you to contribute to a decision on whether someone goes to jail, or whether a business owner declares bankruptcy? Much less to contribute to the entire DFIR community.
Many of the rock stars are fond of saying that DFIR is only part science and technology, also involving art. Art involves intuition, the gut sense of rightness. Not perfection — no one can achieve perfection — but rightness, that what you have set out to say has been said, or if it hasn’t, that you can explain why.
And if neither, intuition, used effectively, guides you in deciding when to go further down the rabbit hole and when collecting only the low-hanging fruit is enough. And for that matter, when it’s appropriate to mix your metaphors.
Needless to say, the better your skills are, the better your intuition, that collection of knowledge and experiences that allows you to recognize patterns and make decisions based on what those patterns tell you. Of course intuition can be faulty, so how do you build the skills necessary to improve it?
Freelance writer Megan Reynolds wrote earlier this year in a financial-advice blog, “How do you know if you’re bad at your job? Benchmarks of success are often hard to come by…. Really, the only insight you have on your job performance and whether or not you should be there in the first place is the day-to-day. Do you do a good enough job? Are you well-liked? Do you speak with the intention of being heard? Are you doing a good job based on the standards you’ve set for yourself because there are no standards in place for you to achieve?”
Good supervisors and colleagues have their own definitions of what “a good job” means, but here’s the rub: they have to communicate specific, constructive feedback. Otherwise, vague critique is just criticism, and not especially constructive, especially if you never hear what you’re getting right.
Build on what you know you’re good at
If your supervisor and colleagues are pointing out gaps, carefully examine what they’re saying and how they’re saying it. Ask for specifics. You should have both a set of job expectations, and a plan in place for professional development, to measure these specifics against.
Once you’re doing that, don’t fall into the trap of constantly trying to measure up to what others want from you — especially if you’re a people pleaser. You should get out of your comfort zone, but not to such an extent that you’re not playing to your strengths.
If something in your data, your code, or your career isn’t matching, don’t settle; find out why, and be prepared to move on if you need to. Sometimes you won’t find what you’re looking for because it doesn’t exist. Develop a good practice of documenting all you found, all you did not find, and why you think that is.
Don’t let impostor syndrome trick you into thinking you’re not good enough to get any job of any kind. Instead, let your desire for self-improvement drive you to a position that will honor your career goals.
Understand what Sheryl Sandberg (Facebook’s chief operating officer, for those of you who maintain a cozy existence under rocks) calls “the three P’s” — personalization, pervasiveness, and permanence — and how they can conspire against you when something goes wrong, as well as how to counteract them.
Do your own thing. Have a hobby or some other pursuit that you’re good at, that makes you feel good. It will help you keep perspective.
And about that contributing-to-the-community thing
Nearly every “rock star” I know has had Harvard Business School professor Amy Cuddy’s first-time experience giving a talk: “I don’t think I moved any part of my body other than my mouth. I felt as if I could go blank at any moment. And there was nothing I wanted more than for it to be over. At the end, when someone raised his hand to ask a question, I thought I might pass out. But I survived it, and my audience didn’t seem to think it was quite as bad as I thought it was. And I kept giving talks—virtually every talk I was invited to give. I even invited myself to give talks. Anything to get more practice.”
Decide what works for you, and realize that if you feel that way, others probably do too. Well worth the read is infosec pro Daniel Miessler’s “Fixing the Culture of Infosec Presentations,” including some different perspectives on presentation length and format, needed topics, and a certain overemphasis on entertainment.
Because ultimately, it’s not about you — it’s about them. The people who, like you, are still learning. The ones who need to hear your unique blend of experience and knowledge, the way you have of arriving at a conclusion, because no one ever thought of it that way before, much less communicated it. Get out of yourself, and invite others to join you, because ultimately it’s about this:
*Special thanks to Brian Moran for his help fleshing this article out from an actual DFIR practitioner’s perspective. Brian also expresses his willingness to “introduce anyone to anyone” and is the last person you should ever feel too intimidated to approach.
Christa M. Miller has worked as a marketing and public relations professional for digital forensics and incident response vendors for the past seven years. While seeking new employment, she continues to write and edit in both personal and professional pursuits. She is based with her family in South Carolina, USA and, besides writing, enjoys traveling, reading, hiking, storms, and breezy summer afternoons in her hammock.