The Cybrary CEO wants to offer a mea culpa.
But first, some background. Earlier this week a portion of a Cybrary job description was posted to social media and went viral because of one bullet point included in the Culture Fit section: “Puts company first, team second, and themselves third; stands strong on important matters and is willing to take on high personal risk to care for the company.”
In the words of Alyssa Miller, the business information security officer at S&P Global Ratings who shared the language on LinkedIn: “Tell me your company has a seriously toxic culture without telling your company has a seriously toxic culture.” Comments flowed in, most communicating a similar sentiment to that of Miller.
Cybrary did respond — thanking Miller and the community for making their concerns known, acknowledging it was a “misstep” that would not happen again and assuring everyone that the job description was updated with new language. Indeed, the bullet was removed, replaced with one that called for “a leader who prioritizes the team and communities they serve and is focused primarily on the growth and well-being of our people and company.”
Some cheered them for owning the mistake, and others questioned whether the change was simply a finesse in phrasing, versus an accurate depiction of actual company culture.
So really — what was the company thinking?
Cybrary CEO Kevin Hanes wanted to answer that question. He spoke to SC Media about that misstep on the job description — which was for the company’s vice president of information security, essentially the CISO — owning the mistake, but also offering some more context and perhaps some lessons learned.
So first, Kevin, thanks so much for talking to me on this. Before we get into it, tell me a bit about you.
I joined Cybrary about seven months ago. And prior to that, I spent eight years as a COO of a very large cybersecurity company [Secureworks]. And I spent those eight years really in the thick of the cybersecurity problems and the skills shortage and everything that's hard about what is happening in the cyber space. So, joining Cybrary, for me, was really much about the community that we were able to help. There's two sides of it; there's the side that I was used to doing, which is helping organizations really deal with this problem, and then the second side that I get to do at Cybrary — help people get into this and build the community stronger.
Thank you for that. So, I saw the social media posts. As you saw, I even commented. Can you maybe offer some context on what the company was trying to communicate?
So, we had posted a job description for a VP of information security — a very important role. This is the security leader for the organization across every aspect. And of course, it’s very important that we find an individual who really embraces the mission, and our vision, and our company, and the community focus that we have for both businesses and individuals.
When the job descritpion was originally going through the process of drafting, there were many revisions, many conversations, and several people working on a shared document; sometimes you write something pretty verbose, and then you’re trying to pair it down to what's essential. And in that process, we just messed that up. A mistake was made. There was context that I think really needed to be there that was lost.
What was that context?
What we’re trying to communicate is that this is a leadership role; we want our leaders to be unselfish and put the company mission and our people first, and to not make decisions based on what's the best thing for their own organization or for themselves. And I understand it didn't communicate that at all; it communicated something, I think, very differently.
Yes, the way it read almost made it seem like it extended to people's personal lives — that the company comes first. And what you're telling me, is this was all meant in terms of professional decision-making.
Yes. You can kind of imagine there was a sentence or two or more that was in front of that or surrounding that, as it relates to what we expect leadership behaviors to be, as it pertains to decision-making in the company.
I think the context matters a lot, and unfortunately we goofed it up and it got dropped. The second piece of context that I think mattered relates to the part about [taking on] risk. That never should have been combined with that first bullet; that was a mistake. And what that really pertains to is, for a company like Cybrary, where what we do is cybersecurity, there's a certain level of of responsibility to be someone that people aspire to be.
Maybe sometimes unfairly, a spotlight [lands] on that role as to what's expected; and it also can put a target on a leader like that. And we wanted to make sure that as we were looking for this [individual], we were looking for someone who understands that this role, that any head of security role, comes with some big responsibility. And this one is just is a little more amplified because of where we sit in the community. We wanted to make sure we communicated that we expect a person to be not only a great ambassador for us, but a great ambassador for the community. We wanted to communicate that [this person] would need to be comfortable knowing that potentially everything that they're doing can be under a spotlight.
We’ve reported about the tendency to blame the victim in security. That can be a tough and often unfair reality for the security leaders.
That's right. I will tell you, I take full ownership for this mistake, and the description was not well written. We should have more carefully reviewed this before it got published. It was not what we wanted to communicate, and it was just poor execution on my part. I am glad that the community brought it forward to us so that we could clarify this. I'm glad that we have the opportunity to set the record straight for how we want to show up in the world as an organization.
Are there any broader lessons here?
I think it's important to just be honest and own a mistake and fix it. It's always tempting to give all your reasons for why something went wrong, or excuses. We just said, "Look, we made a mistake, we're going to own it, we're going to fix it." We did that right away. We’ve had nearly 500 applications in the last few days. I have to think that there is some value in just owning your mistakes.
And I think the other thing is just having a review process — somebody that maybe understands the context of the community a little more. Because these terms, as we've seen, they can take on meaning. And so, having someone that's really skilled at making sure they understand the pulse of the community and how we're trying to connect with that community is something that I've clearly learned from this.
And I am going to think a little bit about how does the company communicates its values. And I'm going to be thoughtful about this, because that could also be pretty generic — just a bunch of words — and that's not how I see it. When I think about values, I think about how companies make decisions and how they act. I’d want try to capture the essence of what we would expect. We kind of tried to do that, but we goofed it, obviously.
So then tell me, what is the culture like at Cybrary?
Thanks for bringing me back to that point, Jill, because after I saw what was posted, I'm like, "Oh my God, this is totally wrong." I would say, in that broader context, I sure hope people put their family, faith, and friends at the top of their lists of what's important. And we weren't trying to speak to that. And I understand how that was taken. We made that mistake. I've got huge respect for the security professionals in this industry, having been one, led teams pretty deep in the trenches. I want to do everything I can to make sure that we're representing the community well, our company well, and that our values are consistent in the things that we're publishing… like job descriptions.