by Christa M. Miller
It’s pretty much impossible to work in a small, niche community like DFIR and not eventually rub elbows with a rock star. You go to a conference and get to talking with someone, and you don’t even realize until 20 minutes later — when, inspired by the conversation, you finally ask for a business card — that you’ve been talking to Sarah Edwards, David Cowen, Alissa Torres, Rob Lee, Cindy Murphy, Eric Zimmerman, Heather Mahalik, or any other Big Name that you’ve always wanted to meet but been too intimidated to work up the nerve to approach.*
You immediately die of embarrassment, melting into a puddle of self-loathing. How could you have missed whom you were talking to? Like the awkward kid in the lunchroom longing to ask the most popular kid in school on a date, you’ve admired your heroes from afar, convinced you have no business talking to them:
- You’re not experienced enough.
- You’ve never testified on a major case or responded to a news-making data breach.
- Your code resembles command-line chicken-scratch, copied directly from Stack Overflow.
And for all their encouragement to contribute to the community, you’re convinced that you’ll be the one laughed off the forums for a contribution so obvious, a sixth grader typing a few terms into Google could have made it.
The last 20 minutes of intelligent, well-constructed conversation melt into the floor alongside you. You suck, and you “know” the rock star you’ve just spoken with knows it now, too.
Coming to grips with the suckage
This kind of impostor syndrome is so rampant and pervasive throughout the DFIR community that it needs a way for people to disempower it by laughing at it, at themselves, at the notion that we’re not all in a continuous learning process. Perhaps memes:
Because it’s hard not to feel like an impostor when a defendant’s fate or a company’s business rides on how you interpret evidence. It’s one thing to prove or disprove a hypothesis when you’re legitimately bound by what isn’t yet possible; try making a case on a locked iPhone 5s for which you don’t have the passcode.
When you know you are lacking skills, however, things get a lot less comfortable. Who are you to contribute to a decision on whether someone goes to jail, or whether a business owner declares bankruptcy? Much less to contribute to the entire DFIR community.
Many of the rock stars are fond of saying that DFIR is only part science and technology, also involving art. Art involves intuition, the gut sense of rightness. Not perfection — no one can achieve perfection — but rightness, that what you have set out to say has been said, or if it hasn’t, that you can explain why.
And if neither, intuition, used effectively, guides you on the decision to go further down the rabbit hole, versus when collecting only the low-hanging fruit is enough. And for that matter, when it’s appropriate to mix your metaphors.
Needless to say, the better your skills are, the better your intuition, that collection of knowledge and experiences that allows you to recognize patterns and make decisions based on what those patterns tell you. Of course intuition can be faulty, so how do you build the skills necessary to improve it?
Freelance writer Megan Reynolds wrote earlier this year in a financial-advice blog, “How do you know if you’re bad at your job? Benchmarks of success are often hard to come by…. Really, the only insight you have on your job performance and whether or not you should be there in the first place is the day-to-day. Do you do a good enough job? Are you well-liked? Do you speak with the intention of being heard? Are you doing a good job based on the standards you’ve set for yourself because there are no standards in place for you to achieve?”
Good supervisors and colleagues have their own definitions of what “a good job” means, but here’s the rub: they have to communicate specific, constructive feedback. Otherwise, vague critique is just criticism, and not especially constructive, especially if you never hear what you’re getting right.
Build on what you know you’re good at
If your supervisor and colleagues are pointing out gaps, carefully examine what they’re saying and how they’re saying it. Ask for specifics. You should have both a set of job expectations, and a plan in place for professional development, to measure these specifics against.
Once you’re doing that, don’t fall into the trap of constantly trying to measure up to what others want from you — especially if you’re a people pleaser. You should get out of your comfort zone, but not to such an extent that you’re not playing to your strengths.
If something in your data, your code, or your career isn’t matching, don’t settle; find out why, and be prepared to move on if you need to. Sometimes you won’t find what you’re looking for because it doesn’t exist. Develop a good practice of documenting all you found, all you did not find, and why you think that is.
Don’t let impostor syndrome trick you into thinking you’re not good enough to get any job of any kind. Instead, let your desire for self-improvement drive you to a position that will honor your career goals.
Understand what Sheryl Sandberg (Facebook’s chief operating officer, for those of you who maintain a cozy existence under rocks) calls “the three P’s” — personalization, pervasiveness, and permanence — and how they can conspire against you when something goes wrong, as well as how to counteract them.
Do your own thing. Have a hobby or some other pursuit that you’re good at, that makes you feel good. It will help you keep perspective.
And about that contributing-to-the-community thing
Nearly every “rock star” I know has had Harvard Business School professor Amy Cuddy’s first-time experience giving a talk: “I don’t think I moved any part of my body other than my mouth. I felt as if I could go blank at any moment. And there was nothing I wanted more than for it to be over. At the end, when someone raised his hand to ask a question, I thought I might pass out. But I survived it, and my audience didn’t seem to think it was quite as bad as I thought it was. And I kept giving talks—virtually every talk I was invited to give. I even invited myself to give talks. Anything to get more practice.”
Decide what works for you, and realize that if you feel that way, others probably do too. Well worth the read is infosec pro Daniel Miessner’s “Fixing the Culture of Infosec Presentations,” including some different perspectives on presentation length and format, needed topics, and a certain overemphasis on entertainment.
Because ultimately, it’s not about you — it’s about them. The people who, like you, are still learning. The ones who need to hear your unique blend of experience and knowledge, the way you have of arriving at a conclusion, because no one ever thought of it that way before much less communicated it. Get out of yourself, and invite others to join you, because ultimately it’s about this:
*Special thanks to Brian Moran for his help fleshing this article out from an actual DFIR practitioner’s perspective. Brian also expresses his willingness to “introduce anyone to anyone” and is the last person you should ever feel too intimidated to approach.
Christa M. Miller has worked as a marketing and public relations professional for digital forensics and incident response vendors for the past seven years. While seeking new employment, she continues to write and edit in both personal and professional pursuits. She is based with her family in South Carolina, USA and, besides writing, enjoys traveling, reading, hiking, storms, and breezy summer afternoons in her hammock.
10 thoughts on “How to Stop Worrying and Learn to Love Your Inner Impostor”
Fascinating article…it lays out a self-fulfilling prophecy. If an analyst decides in their mind that they’re not good enough to approach another, ask a question, or offer up a different perspective, then they become insular. At that point, how does that analyst then decide that they’re “good enough”, when their benchmarks are all internally developed?
What makes someone a “rock star”? It’s highly unlikely that we’re talking about the work that folks do…reports are not publicly available. There are very few within the community who share information publicly, and fewer still who produce original work. As such, I often wonder what it is that causes others to decide that someone specific is a “rock star” and unapproachable.
Again, interesting post.
From what I’ve observed, “rock stars” typically are the people who are writing their own tools — scripts or full programs — writing books or regular columns, developing SANS courses, etc. The kinds of things people tend to think are out of their reach because they don’t see what goes into learning how to do those things; moreover, a group of “rock stars” all hanging out together at a conference can look like a clique, no matter how much it isn’t really.
I agree that this kind of self-limitation can result in missed opportunities, but I don’t think the risk is 100% insularity as long as analysts cultivate the right relationships at whatever level they feel they’re ready for. Benchmarking according to a manager’s requirements is only one facet of this, though the risk is that the manager doesn’t really know either.
At that point, if an analyst doesn’t feel ready to approach a “rock star” or still feels out of place speaking up on a forum they know a “rock star” is active on, they should look for ways to build relationships at their own level, both inside and outside of their own organization. It’s the personal connections they should emphasize; connecting on a personal level with people on Twitter or at a conference (or both, or other venues) can help a person feel like they have someone in their corner when they finally do post on that forum, or write the abstract for a CFP.
Thanks for the comment!
“…“rock stars” typically are the people who…”
As you mention later in your response, sadly this sort of “standard” or bar is largely self-imposed. For example, I’ve been asking for input into or feedback on a lot of things over the years, and there’s been very little. This illustrates to me that even when feedback (beyond clicking “Like”) is purposefully requested, there’s little input.
I completely and wholeheartedly disagree with this whole “rock star” mess. I’ve had people who own one or more of my books call me an “expert”, and then get offended when I asked them if they _read_ any of the books. My reason for asking was that my preface starts and ends with “I’m not an expert”.
Writing your own tools doesn’t make one an expert, nor a rock star. The same is true with any of the other activities you’ve listed. This is a label created in an individual’s mind that absolves them by providing them with an excuse.
As I’m going to state in an upcoming blog post, approaching people professionally is grounded in whether you feel you have anything of value to provide. To you this may look like excuse-making, but in my experience, it doesn’t feel that way. In other words, unless you are on or near the same level, it’s hard to determine what “value” might look like to someone who obviously has enough expertise to have already written multiple tools and/or books, teach or speak regularly at conferences, hold a director-level position or higher, 15+ years in the field, etc. As subjective as value is, even a person who has legitimately done the work may worry that they won’t put themselves across effectively, will be perceived not to have legitimately done the work, has missed something obvious, etc.
This is what impostor syndrome is all about, and why I wrote the above post; to help others recognize it for what it is, realize that others feel exactly the same way, and observe how they started to overcome it. I think that not only is it human nature to compare oneself to others and to elevate others who appear to have more experience and expertise; but also that there’s a wide spectrum of comparison-making and elevation, and degrees of that pervasive sense of just not being good enough.
For those who might be kick-ass contributors, but have simply internalized the message that they are “just making excuses” or their work is “not up to par” (again, subjective), the risk of continuing to hear that toxic crap is just too great to take. At that point, how much contribution is the community missing out on because a few influential people didn’t recognize that what motivates them, doesn’t motivate everyone? If more of us had the patience to draw the quiet ones out of their shells, perhaps fewer people would give up too soon.
Personally, I think it’s on the “rock stars,” whether you agree or disagree with that label, to be great mentors, help those quiet lurkers to recognize their strengths and start to act on those to find a true niche in the community. Many of them already do, and while I agree it’s on the less experienced to recognize those opportunities for what they are, there’s got to be more middle ground.
“…approaching people professionally is grounded in whether you feel you have anything of value to provide.”
I tend to disagree. I’ve been approached a number of times following talks at conferences by people who didn’t necessarily have “anything of value to provide”. Many have had questions, in some cases questions about stuff that was not covered (and stated explicitly so) in the presentation.
While not necessarily “approaching professionally”, look at any online forum and see how quickly most/many threads to off topic.
Interesting points raised. Every day is a school day in this industry anyway – despite what the job adverts might demand, nobody has decades of experience in a 6 month old tool or a deep understanding of a brand new threat or technique.
On ‘rock star’ status, it sounds like a rock star is just someone who is in the public eye. I know plenty of DFIR practitioners who should be writing books, teaching PhD level courses, and writing the best software ever. But many of them are just working hard, keeping out of the public eye. As it relates to competence, there are plenty of these kinds of rock stars; they just aren’t in the public eye nor want to be (or can be if their employer doesn’t allow for publicity).
On talking to rock stars or anyone in the field, just do it. I’ve approached many, became friends with some, and keep in regular contact with others. If for no other reason to approach a speaker but to say thanks for the presentation, just do it. You never know what will become of saying thanks, asking a question, or giving a bit of information you learned that relates to the presentation (or book, or blog, etc…). Most are quite nice, humble, and approachable.
It is important to know when wanting to approach one of these rock stars, is that they don’t know everything, and sometimes they only know a few things. By that I mean, a Windows “expert” may know next to nothing about a Sun system, or iOS devices, but really knows everything about Windows. In all likelihood, anyone can offer something to the Windows expert, or to the mobile device expert, or to the Linux expert. The field has split in so many sub-groups that anyone professing to know it all certainly does not. I believe that anyone can research a topic and become an expert in it within two years. Anyone. Any topic.
As to having something to offer, after I presented at Enfuse in Vegas this year, a few folks came up to me during the week at different times. I can say that I felt each time like I came out with more benefit than they did in the conversations, in that I learned some neat things I didn’t know before. I only hope they got something out of what I had to say in return. You never know what you don’t know that is helpful for someone else unless you talk, regardless of perceived status.
Contributing to the field is tough. Time restrictions due to work and family and life events that knock you off track don’t make it easy. Sharing data from cases might be possible at times, but most times, the fear of ever being asked (questioned) if you shared any data from any case is enough to make you not want to ever do it. Contributing research is a big key to make up for not sharing actual case work to become an integral part of the DFIR community. I’ve been sent research that was done as a hobby to look at and my initial reaction has been telling the DFIR researcher/student/newbie to publish it, share it, and put it out for everyone to see. Too much research happens in the dark and stays there. If sharing research makes for rock star status, we need everyone to be a rock star. Basing rock star status on entertainment value doesn’t do the community as good as basing it on sharing information.
Great comment, very well said.
I just wanted to add the a “contribution” to the field can be any of a wide range of things. Like you said, if you liked a presentation, go up the speaker, and tell them. Tell them *what* you liked about it.
I’ve heard people say, “I can’t contribute like you do…” for a long time, which is odd because no one’s asking them to contribute like anyone else. Contribute in your own way. Publish research in a blog. If you read a book, don’t write a review by regurgitating the table of contents, like many tend to do…instead, comment on what effect the content had on you, and how it affected you.
One of the aspects of sharing that most people don’t realize is that it’s hard to tell if what’s being shared is having an impact. Is it of value? If not, what would make it easier to digest?
As an example, I was recently doing some work to assist a co-worker, and I had a thought that it might be valuable to provide a detailed training session on shell items to the entire team, in order to raise not only awareness, but to also provide them with the capability to recognize and understand the data. I thought, after all, that shell items comprise so many artifacts on Windows systems (shellbags, RecentDocs, ComDlg32, LNK files, Jump Lists, etc.) that understanding these artifacts would be beneficial.
The response I got was, “yeah…no.”
That was extremely beneficial feedback, as it saved me hours of developing something that would have ultimately wasted the time of the team members.
Contributions come in many forms.
> …unless you are on or near the same level, it’s hard to determine what “value” might look like to someone
> who obviously has enough expertise to have already written multiple tools and/or books, teach or speak
> regularly at conferences, hold a director-level position or higher, 15+ years in the field, etc.
I have to say, I completely disagree with this…it’s not “hard to determine” at all. I say that because I’ve been asking people within the community to contribute for years, and even said what that should or could look like.
When I was at IBM, junior analysts would not contribute to the greater team, because they felt that the senior folks had already seen everything. I was the first person to say, no, I _haven’t_ seen everything. There’s no possible way that anyone, no matter how long they’ve been doing this work, can see everything. And particularly in the age of “threat intelligence”, knowing that something is continuing to occur is critically important, no matter how often someone feels that it’s been seen.
> …a few influential people didn’t recognize that what motivates them, doesn’t motivate everyone?
I completely agree, which is why I’ve tried a number of different approaches.
> …it’s on the “rock stars,” whether you agree or disagree with that label, to be great mentors, help those
> quiet lurkers to recognize their strengths and start to act on those to find a true niche in the community.
Agreed. Let’s do it.