The Insecurities of Cybersecurity Success

In the past few years, the issue of mental health in the cybersecurity industry has grown in prominence. A 2019 survey revealed that 1 in 6 CISOs admitted to self-medicating to deal with the stress of their job. The strain passes through the CISO's office and permeates the whole sector. A profile that's rising faster than the budget and an ever-growing sophistication and financial impact of attacks combine to turn what was once a corner of the IT department into a pressure cooker.

John Hammond, a cybersecurity researcher at Huntress, spoke on "Hard Truths and Unexpected Realities: Lamentations in Producing Cybersecurity Content" at Intigriti 1337UP Live, a bug bounty online conference, in March 2022. His videos on YouTube tend to cover technical topics like malware analysis, reverse engineering, and general programming, as well as less-technical content such as careers and interviews with cybersecurity notables.

While he uses content creation as a lens for talking about mental health and the pressures he faces, he also draws parallels between making videos for the community and making tools for the community. They are both similarly creative and high-profile pursuits, and they come with some of the same insecurities and pressures.

"Something goes wrong, and I'll often feel like, 'Look, I don't know what I'm doing.' All these cool crazy elite ninja warriors, cyber shenanigans, the wizards that are cutting through Ghidra and Ida and this low-level stuff — like, man, that is so out of my league," Hammond said. "I come to the conclusion I'm a fraud."

Part of that feeling stems from the sheer scale of the field, where no single person can know everything there is to know. "One learning lesson that I hope comes from that," he said, "is that no one knows what they're doing. No one is an expert in cybersecurity. Because there can't be."

To counter the inner voice saying you're a fraud, Hammond recommends concentrating on your own process rather than focusing on other people's successes.

"You can't compare yourself to what people ... show on Twitter, because for one thing, those are celebrating their highs, their successes, the incredible moments in life. And that's awesome, but you don't see the hard work, you don't see the grit, you don't see the determination, the long nights, the lack of sleep — everything they're doing to put that work out," Hammond notes.

The value of bringing your voice and your opinions to the community lies in increasing the range of perspectives and experiences in the town square. "They have their strengths, they have their weaknesses; I have my strengths, I have my weaknesses," he said. "We have this discussion, we have this conversation, we have this sharing of knowledge and insight and input and opinions — whether they are wrong or they're right, we're doing it. And that's a good thing."

He closes with an excellent block of advice on how to proceed with growing your profile in the cybersecurity world without burning yourself out. "Do the stuff that you love," he said. "Stop comparing yourself to other people. Compare yourself against yourself. And offer your input and insight, because that has to be how we grow and continue and better the industry and everything that we do."