Cybrary’s CEO wants to offer a mea culpa.
But first, a little background. Earlier this week, part of a job description for Cybrary was posted on social media and went viral because of a point included in the Culture Fit section: “Put the business first, the team second and themselves third; stands firm on important issues and is willing to take high personal risks to take care of the business.”
In the words of Alyssa Miller, head of business information security at S&P Global Ratings, who shared the language on LinkedIn: “Tell me your company has a seriously toxic culture without saying your company has a seriously toxic culture.” Comments poured in, most conveying similar sentiment to Miller.
Cybrary responded – thanking Miller and the community for raising their concerns, acknowledging it was a “misstep” that won’t happen again, and assuring everyone that the job description had been updated with new language. Indeed, the bullet point was removed, replaced with another that called for “a leader who puts the team and the communities they serve first and who is primarily focused on the growth and well-being of our employees and our company.”
Some applauded them for acknowledging the error, and others wondered if the change was simply a finesse in wording, versus an accurate depiction of the actual company culture.
So, really, what was the company thinking?
Cybrary CEO Kevin Hanes wanted to answer that question. He spoke to SC Media about that misstep in the job description — which was for the vice president of corporate information security, essentially the CISO — owning the error, but also offering a bit more context and maybe some lessons learned.
So first, Kevin, thank you so much for telling me about this. Before getting to the heart of the matter, tell me a bit about yourself.
I joined Cybrary about seven months ago. And before that, I spent eight years as the COO of a very large cybersecurity company [Secureworks]. And I’ve spent those eight years really in the thick of cybersecurity issues and the skills shortage and all the hard stuff that’s going on in cyberspace. So joining Cybrary, for me, was really about the community that we could help. There are two sides; there’s the side that I used to do, which helps organizations really deal with this, and then the second side that I can do at Cybrary – helping people get involved and building community.
Thanks for that. So, I saw the social media posts. As you saw, I even commented. Can you maybe offer a bit of context on what the company was trying to communicate?
So we had published a job description for a vice president of information security — a very important role. It is responsible for the security of the organization in all aspects. And of course, it’s very important that we find someone who truly embraces the mission, our vision, our business, and the community focus that we have for businesses and individuals.
When the job description initially went through the drafting process, there were many revisions, many conversations, and multiple people working on a shared document; sometimes you write something quite verbose and then try to couple it to what’s essential. And in this process, we messed up everything. An error has been made. There was a context that I think really needed to be there that was lost.
What was this context?
What we’re trying to communicate is that this is a leadership role; we want our leaders to be selfless and put the company’s mission and our people first, and not make decisions based on what’s best for their own organization or for themselves. And I understand that it didn’t communicate that at all; it communicated something, I think, very different.
Yes, the way it read almost felt like it extended into people’s personal lives – that business comes first. And what you’re telling me is that this was all designed in terms of professional decision-making.
Yes. You can kind of imagine there was a sentence or two or more before or around that, in terms of what we expect from leadership behaviors, in terms of decision-making in business.
I think context matters a lot, and unfortunately we messed it up and it was scrapped. The second element of context which, in my opinion, is important concerns the part on [taking on] risk. It should never have been combined with that first chip; it was a mistake. And what it’s really about is that for a company like Cybrary, where what we do is cybersecurity, there’s a certain level of responsibility to be someone that people aspire to be.
Perhaps sometimes unfairly, a projector [lands] on this role as to what is expected; and it can also put a target on a leader like that. And we wanted to make sure that while we were researching this [individual], we were looking for someone who understands that this role, that any role of security manager, comes with great responsibility. And this one is just a little more amplified because of our standing in the community. We wanted to make sure to communicate that we expect a person to not only be a great ambassador for us, but a great ambassador for the community. We wanted to communicate that [this person] would need to be comfortable knowing that potentially everything they do can be in the spotlight.
We reported the tendency to blame the victim when it comes to safety. This can be a difficult and often unfair reality for security managers.
It’s true. I’ll tell you, I take full ownership of this error, and the description was not well written. We should have reviewed it more carefully before it was published. It wasn’t what we wanted to communicate, and it was just poor execution on my part. I’m glad the community brought it to us so we could clear that up. I am happy that we have the opportunity to set the record straight on how we want to present ourselves to the world as an organization.
Are there any broader lessons here?
I think it’s important to be honest, to recognize a mistake and fix it. It’s always tempting to give all the reasons why something went wrong or an apology. We just said, “Look, we made a mistake, we’re going to own it, we’re going to fix it.” We did it right away. We have received nearly 500 applications in recent days. I have to think there’s some value in just owning your mistakes.
And I think the other thing is just to have a review process – someone who maybe understands the context of the community a little bit more. Because these terms, as we have seen, can take on a meaning. And so having someone who is really knowledgeable about making sure they understand the pulse of the community and how we’re trying to connect with that community is something that I definitely learned from that.
And I’m going to think a bit about how the company communicates its values. And I’ll think about it, because it could also be pretty generic – just a bunch of words – and that’s not how I see it. When I think of values, I think of how companies make decisions and how they act. I would like to try to capture the essence of what we would expect. We kind of tried to do it, but we were wrong, obviously.
So tell me, what’s the culture like in Cybrary?
Thanks for bringing me back to this point, Jill, because after seeing what was posted, I was like, “Oh my god, that’s totally wrong.” I would say that in that larger context, I sure hope people put their family, their faith, and their friends at the top of the list of what’s important. And we weren’t trying to talk about it. And I understand how it was taken. We made this mistake. I have immense respect for security professionals in this industry, having been one of them, having led teams quite deep in the trenches. I want to do everything I can to make sure we represent the community, our company, and our values are consistent in the things we post…like job descriptions.