I’ve unfortunately had the experience of dealing with a number of psychological issues (either personally or through personal connections) during my tenure in the security fold. I hope to shed some light on them and encourage others to take them seriously.

If you are hoping this post will be some grand reveal of security engineers going psychotic and stabbing users who enter passwords into phishing pages with poor grammar and spelling, web site administrators who can’t be bothered to set up HTTPS, and ransomware authors, then I hate to disappoint you. If, on the other hand, you’re interested in observations of people who have experienced various psychological problems while in the security industry, then I’ll probably still disappoint, just but not as much.

Impostor Syndrome

According to Wikipedia:

Impostor syndrome is a concept describing individuals who are marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a “fraud”. Despite external evidence of their competence, those exhibiting the syndrome remain convinced that they are frauds and do not deserve the success they have achieved.

I know many, many people in this industry who suffer from this and do not have the ability to recognize their own successes. They may only credit themselves with having “helped out” or done the “non-technical” parts. Some do not take career opportunities or refuse to believe their work is interesting to others.

I, myself, sit on the border of impostor syndrome, and it took me years to be convinced that it was only impostor syndrome and that I am not actually incompetent. Even after promotions, performance reviews “exceeding expectations”, and other signs that a rationale individual would take as signs of success, I still believed that I was not doing the right things. I still believe that I’m not as technically strong or effective as any of my coworkers, despite repeated statements by my manager, my skip-level manager, and my director.

I’m not sure if it is possible to “get over” impostor syndrome, but I think most are able to recognize that their self-doubt is a figment of their imagination. It doesn’t necessarily make it easier to swallow, but at a certain point, if you really believe you’re a failure, you will sabotage yourself into being a failure. If you’re concerned about your performance, you don’t have to admit to impostor syndrome, but ask your teammates and manager: am I performing up to your expectations for someone at my level? Am I on track to keep progressing?

Impostor syndrome, though not a diagnosable mental illness, is probably the most common psychological issue faced by those in the security industry. It’s a fast-paced, competitive, field and it’s hard not to compare yourself to others who are more visible and have achieved so much.

Depression

I don’t think I need to define depression. I think it’s important to acknowledge that depression is not the same as “feeling down” or occasionally having a bad day. Most people who have suffered from depression describe it as a feeling that things will never get better or a complete lack of desire to do anything.

Depression doesn’t seem to be quite as widespread as impostor syndrome, but it’s clearly still a big issue. I have known multiple people in the industry who have suffered from depression, and it’s not something that gets “cured” – you just learn how to live with it (and sometimes use medication to help with the worst of it).

Depression is obviously not unique to our field, but I’ve known several people who suffered in silence because of the social aversion/shyness so prevalent. I strongly encourage those who think they might have depression to seek professional help. It’s not an easy thing to deal with, and the consequences can be terrible.

Working as part of a team can help with depression by increasing exposure to other individuals. If you currently work remotely/from home, consider a change that gets you out more and spending time with coworkers or others. It’s clearly not a fix or a panacea, but social interactions can help.

Anxiety

Anxiety is an entire spectrum of issues that members of our field deal with. There are many “introverts” in this industry, so social anxiety is a common issue, especially in situations like conferences or other events with large crowds. I use the term introverts loosely, because it turns out many people who call themselves introverted actually like to be around others and enjoy social interactions, but find them hard to do for reasons of anxiety. Social anxiety and introversion, it turns out, are not the same thing. (I’ve heard that shyness is the bottom end of a spectrum that leads to social anxiety at the upper end.)

Beyond social anxiety, we have generalized anxiety disorder. Given that we work in a field where we spend all day long looking at the way things can fail and the problems that can occur, it’s not surprising that we can tend to have a somewhat negative and anxious view of things. This tends to present with anxiety about a variety of topics, and often also has panic attacks associated.

There are, of course, many other forms of anxiety. I have long had anxiety in the form of so-called “Pure-O” OCD – that is, Obsessive-Compulsive Disorder with only the Obsessive Thoughts and not the Compulsions. This leads to worst-case scenario thinking and an inability to avoid “intrusive” thoughts. It also makes it incredibly hard to manage my work-life balance because I cannot separate my thoughts from my work. I have spent entire weekends unable to do anything because I’ve been thinking about projects I’m dreading or meetings I have the next week. I also tend to obsess about stupid mistakes I make or whether or not I have missed something. At the end of the day, I value certainty and hate the unknowns. (Security is a perfect field for discovering that you don’t handle uncertainty!) At times it can lead to depression as well.

Feeling Overwhelmed (Burn Out)

Obviously this isn’t a diagnosable issue either, but a lot of people in this industry get quite overwhelmed. Burn out is a big problem, and one I’m trying to cope with even as I write this. There’s a number of reasons I see for this:

  1. It’s hard to keep up with this industry. If you just work a 9-5 job in security and spend no time outside that keeping current, I don’t think you’ll have an easy time keeping up.
  2. In many companies, once someone has interacted with you on one project, you’re their permanent “security contact” – and they’ll ask you every question they possibly can.
  3. At least on my team, you’re never able to work on a single thing – I currently have at least a half-dozen projects in parallel. Context switching is very hard for me, and the fastest way to lead to burn out for me.
  4. A lot of being a security professional is not technical, even if that’s the part you love the most. You’ll spend a big part of your time explaining things to product managers, non-security engineers, and others to get your point across.

I wish I had an instant solution for burnout, but if I did, I probably wouldn’t be feeling burnt out. If you have a supportive manager, get them involved early if you’re feeling burnout coming on. I have a great management chain, but I was too “proud” to admit to approaching burnout (because I viewed it as a personal failure) until I was nearly at the point of rage quitting. I still haven’t really fixed it, but I’ve discussed some steps I’ll be taking over the next couple of months to see if I can get myself back to a sane and productive state.

Other Reading

Conclusion

I’m hoping this is a helpful tour of some of the mental issues I’ve dealt with in my life, my career, and 5 years in the security industry. It’s not easy, and by no means do I think I hold the answers (if I did, I would probably feel a lot better myself), but I think it’s important to recognize these issues exist. Most of them are not unique to our industry, but I feel that our industry tends to exacerbate them when they exist. I hope that we, as an industry and a community, can work to help those who are suffering or have issues to work past them and become a more successful member of the community.