Hiring managers speak about looking for culture fit and diversity, but never at the same time. Can they coexist? Are they mutually exclusive?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Sherron Burgess, CISO, BCD Travel.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Votiro
[David Spark] Hiring managers speak about looking for culture fit and diversity but never really at the same time. Can they coexist? Are they mutually exclusive?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode is Steve Zalewski. Many of you will recognize him because he sounds a lot like…
[Steve Zalewski] Hello, audience.
[David Spark] That’s exactly how he sounds. Since the first day we did a recording. It has not changed. Our sponsor for today’s episode is Votiro. We are thrilled to have Votiro back again. Especially they are the winner of the first season of the Capture the CISO contest. If you’ve got a business that’s got files, which right now I’m trying to think what business does not have files… Well, none that I can think of. Then you have people who are trying to stay productive, and sometimes these files get tainted. We know that. Well, you want them to stay productive with their files. If that’s the case then you’re going to want to hear what Votiro has to say later in the show. Stay tuned. Steve, I brought up a controversial subject in LinkedIn. I argued that culture fit and diversity are mutually exclusive. Mostly because we don’t often see diverse groups based on cultural values form by themselves. It happens but not often. I got plenty of pushback and lots of people wanting me to explain “culture fit,” which is what I would say to everyone else as well. I hear culture fit all the time, but I’ve never really heard anyone describe in words what their culture is. Steve, are these two being strived for in unison? Because I don’t often hear it in unison. I definitely hear one and the other but never together. Do you think companies have a good way of explaining what their culture is?
[Steve Zalewski] I will start with that is a loaded question. But what I’m going to do is say more and more, people are attempting to make them one and the same – to have them in the same sentence. But I think you’re right, David. They are foundationally two completely different concepts, and what I look at this is people think that culture fit, like diversity, is something you want to consolidate on. But culture fit can be egregiously difficult. It could be, “Hey, look, all I want are Princeton MBAs. That’s my culture is that…” I’ll give an example. I’m a PE firm, and therefore it’s all about finance. It’s all about old boys club. It’s all about coming from Princeton or getting a Harvard MBA. Otherwise you’re not in. Well, that’s a culture. It has nothing to do with diversity. So, I think you’re right when you call it out as the two being different. I think many people would like us to be able to bring culture and diversity into a common conversation.
[David Spark] I would argue though your opening statement has nothing to do with culture. The problem is the source has its own culture as well, and its own culture may have a lack of diversity. So, this also becomes an enormous problem. It kind of becomes a fulfilling prophecy if you will.
[Steve Zalewski] Yes.
[David Spark] All right, to join us in this conversation, someone you introduced me to, Steve, it’s Sherron Burgess. She is the CISO over at BCD Travel. Sherron, thank you so much for joining us.
[Sherron Burgess] Thank you, David, for having me.
Can there ever be agreement on this?
[David Spark] Helen Patton over in Cisco disagreed with me. She said, “If your culture values diversity, it is easy to achieve culture fit.” A good point. And Scott Morgan of Practical CSM said, “I suppose if your culture is not welcoming to diversity then diversity is not a fit.” So, the opposite of that. Really it seems from both of these responses that the only way to get these two to work together is that diversity has to lead.
[Steve Zalewski] Yes. And I think that’s what a lot of people want to have. It makes them feel good. But the reality is how many times have you heard about a toxic culture. That in this day and age is still a very common conversation. Look at the number of CISOs. I’m going to use myself as an example where we talk about the culture that we’re in is toxic because the work ethic is wrong. Because the expectations are one that we can’t align to because we’re expected to be heroic and do it with no money. The culture is toxic. Not the principles, not the diversity, but the culture itself. So, I think we still have to, to your point, realize toxicity can be in diversity, and it can be in culture, but you want to remove the toxicity from the conversation, not necessarily the two words.
[David Spark] All right. Sherron, I’m going to start with the same question I asked Steve. Please address also his toxicity comment. But in both of these quotes from Helen and Scott, they say that if you want the two to work together, diversity needs to lead.
[Sherron Burgess] I think one of the challenges that I see is that there isn’t a clear definition of what culture fit is and what it means. I think that as individual departments, they bring in new people, diverse people. There’s been a lack of foundationally understanding what is the culture of a respective business, of a respective organization. Once that organization has defined its culture, how it moves, what it’s about, the values that it has as an organization, then they can start to look at, “Well, what does fit look like?” Fit could mean understanding how teams work together, or what do you value in order for an organization to be successful, or even departments to be successful.
That may mean that we value people who are creative thinkers, or we are supporting or encouraging thinking outside of the box. And how then as you’re hiring then in this diversity space…how do you measure whether or not an individual has those kinds of components. I think going back to the point that Steve made around toxicity, I think a lot of the toxicity comes because individuals operate around what they think should be the fit for an organization. That contributes to hiring bias or even unconscious bias comes into play there. So, I think there’s a leading approach around objectively measuring what fit looks like in the same way that you would measure the knowledge, or the skills, or the capabilities of an individual from their resume or their professional acumen. Fit could also be measured in that same way, objectively.
How do we make this everyone’s concern?
[David Spark] Ann Kramer of Wisetack said, “When you focus on culture fit, you’re picking people that already fit a certain mold. How can you learn and grow as a company if everyone fits into one box?” That’s how we normally see culture fit, but Helen had pointed out in the last segment… I quoted her, “What if diversity is the culture?” So, that’s why I said that needs to lead. But I also want to quote here Owanate Bestman of Bestman Solutions said, “Diversity is the goal. The culture fit is the current state of play. They really should be referred to separately. The closer an organization gets to the goal of achieving an inclusive, diverse workforce, only then will the culture of the organization change. It’s not an overnight achievement but rather a journey.” So, I’m going to start with you, Sherron, on this one. Wow, I will say the very last part of Owanate’s comment of, “It’s not overnight. It’s a journey.” And very few leaders really want to play that long a game. They’re in this sort of immediate need of, “I need to solve this problem now.” And how can you sort of build this into a longer game play? How conscious is this for you, I will ask?
[Sherron Burgess] Yeah, I think one thing that we forget is companies, organizations in a lot of cases…companies are designed to make money. The reality is that diversity can help them with being more competitive, help them to be more creative, and help them to do more. And so that’s really why companies are approaching diversity. On one hand, there’s some goodwill that goes along with it. But at the end game, it’s the idea of how do you continue to remain competitive, and how do you continue to evolve as a company. I think as leaders, we need to be thinking about, “Well, does the homogenous view of our organization help us get to that end goal?” So, to the point, David, around the long-term effect or how do you think about planning for that long-term effect, you have to think about the core mission of the organization, which may be to make money or to support whatever the missions there are for the organization. I think everyone is concerned that… I wouldn’t say diversity is the goal. I think it’s how do you pull diverse populations, diverse views, diverse perspectives to help achieve the mission of the organization. If the population that you have today doesn’t enable you to do that or to see beyond the limits of what exists in your organization today in terms of personnel then that’s why people should diversify.
[David Spark] Steve, the common way to hire within an organization is to ask people, “Who do you know who would be good for this job?” Get referrals within your own company. But that is super hard to do if diversity is your goal because usually the sort of friends are often not a diverse group of people as well. Commonly. So, that technique which we all lean on and it becomes a very useful, valuable technique might fight against the diversity goal. Yes or no?
[Steve Zalewski] I think we can all agree that regional demographics can play a role in your ability to find diversity. The Midwest, Northeast, Pacific. There’s just natural diversity in certain regions just by demographics. There is another conversation here which gets back to privilege also. So, when we’re looking for cultural fit, there’s this conversation that enters around privilege. That’s another one I think where when you look at your friends or you look at what your workforce demographics look like, the conversation around privilege sometimes enters the conversation. Whether it’s appropriate or not. So, I think along with diversity and along with culture, along with whether it is a positive or negative culture… You have to look at privilege. I think what we’re really saying is companies have a reason to be. Your responsibility is to achieve those goals and objectives. Things like principles, things like culture, things like fit are opportunities that we have to maintain the objectives of the company and potentially improve it by incorporating diversity and incorporating inclusion where we can see that there’s opportunities for the company to do better against its core principles or goals.
Sponsor – Votiro
[Steve Prentice] One of the challenges security specialists are coping with today as we get even more digital disrupted and distributed is how files and downloads enter an organization. As Aviv Grafi, founder and CTO of Votiro explains, in the last few years it has got even worse.
[Aviv Grafi] It was usually email and maybe downloads. But in the last few years, companies are actually getting more digital and having files entering the organization through various content collaboration platforms. Platforms like Box, Dropbox, Office 365, SharePoint, Slack, even WhatsApp we see more and more as a method to import content into the organization. Now, the problem is how do you know whether all those files that are entering the organization are safe, and how can you even prevent hidden and unknown threats coming in with them. So, that’s where Votiro comes in. Votiro offers content disarm and reconstruction as a service. Proactively removing hidden threats without the need to detect them. Votiro recreates a document without the need to remove any active content. It keeps the benign macros, and it does not change the file. In fact Votiro is seamless to the user, so the user receives the exact same experience. The IT administrator does not need to worry about an employee double clicking a malicious document.
[Steve Prentice] To learn more, visit votiro.com. That’s votiro.com.
What are they looking for?
[David Spark] Mark Eggleston, CISO over at CSC, said, “While I agree that candidate shopping to find the one that fits your culture is synonymous with a lack of diversity, I must disagree with, ‘We simply don’t see highly diverse groups really getting along in any setting.’ Highly diverse groups do get along, so long as you celebrate that diversity.” I think I’ll hearken back to Helen Patton of Cisco’s comment there. And Robert Strohmeyer of Leadspace said, “A culture of diverse people sharing common values and motivations is easy to build.” I think that is… I agree that finding people with common values and motivations is good. Easy to build, I don’t know if it’s that easy. Sherron, what do you think?
[Sherron Burgess] No, I don’t think it’s easy to build at all. I think it’s something that you have to be conscious about. Culture isn’t just, “Let me write what our mission is and our value is on a piece of paper and then hope everybody just miraculously takes it on.” It requires training. It requires reinforcement. It requires being intentional, which I think is really important. That teams are willing to work with one another. That you see mentoring that happens between groups that wouldn’t normally get together.
[David Spark] I’m sorry, do you see that in your own organization?
[Sherron Burgess] I do. We’ve been very intentional about being diverse, especially within our security organization. Not just having people with different types of certifications, which is one thing that as a security professional, the hallmark is, “Let me just have the alphabet soup of certifications.” But having that difference of skillset and background, even education. I’m a perfect example of that. I don’t have a computer science degree, and so I think that allows me to look at the world very differently in how we approach the security for our organization and how I lead my organization as well. So, I think those are important, but that comes from having that culture internally of saying, “It’s okay to be different. It’s okay to bring the skills and the gifts that you have to our organization. And yes, celebrate them.” And allow room for people to leverage their gifts and their talents for the purpose and the goals for the organization. I think that’s absolutely critical. But no, it’s not easy.
[David Spark] Can you give me an example of that? Like how any way that you sort of promote this sort of diversity of background, diversity of thought. Any way that that’s demonstrated?
[Sherron Burgess] Yeah, so one of the things that we do is I ask my leaders to look across your team. What do you need? What does it look like? First of all. You can always look at kind of the skin tones or the nationalities, or even the geographies. Are we looking to incorporate the different types of perspectives into our organization? Do we just have all men? Which was part of the practice in our cyber security organization before I took some of that over and said, “Hey, we need more women. We need more black or brown. Or we need some more international players on our team.” Then the second thing is I always ask my leaders…
When I meet with each one of my new hires, I always ask them what their gift is. The gift is really important to me, and I always evangelize that because your gift is the thing that you might be naturally good at. Being aware of an individual’s gifts allows you to tap into their gifts. It’s a place of comfort for them. It also may be an opportunity for you to leverage their gifts for whatever they’re doing within their job. So, for example, I’ve had people who have said, “Well, my gift is making friends.” And when you look at it from just the security professional’s perspective, you’re like, “Eh, who cares if you make friends.” But if you have a new project and it might be tough to get through, you might deploy that individual to go make some friends in a department that may have some challenge. And now you have a bridge. So, that’s important. It’s something that they’re naturally good at, and it celebrates what they bring to the team. We encourage that.
[David Spark] I like it. Steve?
[Steve Zalewski] So, I’m going to use two examples, just like Sherron did, in a very practical nature. I’m going to actually use Levi’s as one of the examples.
[David Spark] Where you used to work, for those of you just tuning in and did not know this.
[Steve Zalewski] So, obviously I am all for using real practical examples of what I’ve actually seen because I find real use cases to be better. Levi’s, women selling jeans to women. You’ve heard me say that many a time. Okay? Culture and diversity? We had 20 different styles of jeans for women. We were at 40 at one point, brought it down to 20, because of physiology. In which case we needed different sizes, different everythings because everybody buys jeans. So, how can I make sure that the jeans fit and that they are stylistically appropriate for all of the types of people that we want to buy them unless I have that culture represented? Which means there’s natural diversity. That’s a very real experience about to be able to sell jeans to everybody I have to have everybody represented in the conversation as to what style, fit, and finish look like. Okay?
Now, that’s a manufacturer. That’s obvious for everybody then to be able to say, “Well, yeah. But that’s because you sell to everybody, and so therefore obviously we need all the types of people to be able to be represented. So, that way we maximize the sales of jeans.” But then I look at cyber security, and you can go, “Well, in cyber security that’s not true, Steve, for Levi’s. You don’t necessarily need that because not everybody is going to wear a pair of jeans.” I say, “Well, time out. Here’s where it worked for me.” I have all kinds of people that were attacking me. They weren’t just one demographic. So, I needed a culture of diversity because I needed people that could think about all the ways that I was being attacked so that I could appropriately defend. There’s a case where the culture of diversity was equally important that I had a different type of diversity expectation and requirement but diversity, nonetheless.
How do we determine what’s most important?
[David Spark] Danielle Bennett of Crowe said, “I like the idea of trust between highly diverse people. What’s the point of having different opinions if you don’t believe another point of view has merit?” Aw, I like that comment there. “And trust is not a cheap commodity. It’s hard to grow and easy to use.” I’m going to pause there. What I like so much about Danielle’s comment is the fact that some people say, “Oh, we want diversity,” and they, “let the person speak,” but don’t value their response as part of the organization. That’s key. I want to go on to the other quotes here. David Mortman of Wells Fargo said, “Culture fit is a BS metric. Look at the people who will improve or enhance the culture. Looking for just a fit is a recipe to justify being insular.” And Kevin F. of FNZ Groups said, “It depends how you define culture. I think for me it’s as simple as ‘passionate about security and wants to be part of an awesome team.’ Emphasis on team. Working together, supporting each other, etc.” Like what you said, Sherron. Going on, Kevin says, “If you define culture too tightly, you’ll potentially impact your diversity work. If you define it loosely, as above, you can have ‘fit’ and diversity.” So, I’ll start with you, Steve, on this. These are a lot of different thoughts, but it’s about sort of keeping the reins open for how you do your definitions and also the fact that if you are going to be diverse, make it truly something that you adhere to.
[Steve Zalewski] I would say diversity as a value is important, but I really picked up on but at the end of the day, what we’re trying to accomplish is great teamwork so that we work for the best possible company we can work for. That doesn’t mean the most profitable, but it means where things like privilege and things like caustic aren’t common in the language to describe the environment. Then you get culture that’s positive. You get diversity that’s naturally inclusive against the principles, and the goals, and the personal expectations of the individual members that ultimately make up the team that make up the company.
[David Spark] Sherron?
[Sherron Burgess] It’s kind of difficult to say if diversity or culture or culture fit is more important. I think they’re both necessary. I think if you understand or you define what the culture looks like for your organization and even more specifically for a security department, those values will help welcome diverse groups. And so I think about just the point that Steve made – teamwork, the idea of trust, the idea that when I speak up that my opinions matter or my recommendation matters. That comes from defining the culture. I can hire anyone – black, brown, any type of sexual orientation. If the core of it is that we work hard, we value each other’s opinions, and that we get things done then I think that’s what’s important. So, I think both of them… I can’t say one is more important than the other, but I think they’re both necessary.
[David Spark] Yeah, I think that’s what we’re realizing and why I said this culture fit versus diversity, not which one is bigger than the other or more important than the other. There seems to be sort of a clear understanding by everything that you need both. But I will throw this out…and I’m putting this in quotes, recently. Culture fit has been around for a long time. Diversity or the demand for diversity has not. And I think it’s because it was ignored for so long. Sherron, I want you to have the final comment on this. We realize how homogenized so much of cyber security has become that there’s a desperate effort to sort of right this wrong that’s been going on for too long. What do you think?
[Sherron Burgess] Absolutely. I think it has been a homogenous nature of security. It makes it so difficult for people, new people, to come in. We know we have tons of open jobs, and there’s this, “It’s too hard for me.” Or if you don’t have CISSP as an entry level position then you’re not good enough. I think we need to open the reins or open up our arms to welcome new people. Just to the point that Steve made, hackers don’t care if you have a diverse group or not in your organization. They’re going after those targets. You need different perspectives to be able to be effective and to help secure your organization. But we have to open our arms. We have to have different types of perspectives in order for us to do our jobs well and to keep our company safe.
[David Spark] Let me ask you… I’m going to relay a story of something. I was at the BSides in Las Vegas. This goes back a number of years. I’m going to say maybe five years ago. And I was just shooting the man-on-the-street style videos that I do. And these guys who were obviously kind of their own little insular group, boys club, were just like, “Oh, have him say this.” It was obviously some inside joke that only they got. I had no idea what they were talking about, and all I could think was, “Nobody gets this. Nobody knows what this is. All you’re doing is excluding people.” I find that kind of behavior goes on again, and again, and again. They create their own sort of inside joke world whose sole purpose is it’s for us and not for you. What do you do when you see that kind of behavior?
[Sherron Burgess] Yeah, that’s a really interesting question.
[David Spark] You know what I’m referring to, right?
[Sherron Burgess] Absolutely. Well, first of all, the perspective from which I come, I’m an African American female CISO. First of all, it’s like finding a unicorn in a rainbow forest. We do exist. [Laughs]
[David Spark] Right, and I appreciate you coming to the recording with the horn on your head.
[Sherron Burgess] Yeah, we do exist. And so in some cases as people like me, we’re pioneering what it looks like to be excellent in our roles. Often times we have to bypass those comments, or we have to just let that be for that group and for individuals to think that whatever insight they had was just so profound and only for them. That doesn’t mean that I have to always respond to it. In a place where more diversity is accepted then there are absolutely more opportunities to call it out and say, “Hey, that’s really dumb.” Or, “Hey, that doesn’t help anyone else but you.”
[David Spark] That’s literally exactly what I said, by the way. They kept pushing me to do that, and I said, “Look, I’m the producer. Just so you know, I’m not going to use that. I’m cutting it out because nobody knows what the hell you’re talking about. I’m producing this, and I don’t know what you’re talking about. So, it’s not going to be used.” I made it really clear to them that their inside joke was pointless. [Laughs] And hopefully that landed with them. I hope. I don’t know.
[Sherron Burgess] But I will say one thing that I find…and even for a while…that’s very discouraging going to these conferences and these forums… I would literally sit in a room. This is a discussion, and you’re raising up points. “Hey, what are you thinking about this or that?” And I get CISOs who are of a homogenous group giving me this kind of feedback. They have a remit in the scope that is really tiny, and they just have these expert opinions when I’m operating in a global company of a size beyond the scope they can understand. But somehow, back to the point around the merit of what you have to say, my opinions would be discounted as if I wasn’t as competent. I think that kind of culture within security specifically needs to change, but it won’t come from individuals likely that look like me calling it out. It’ll come from this concept of allyship or from those who are in that homogenous group calling each other out, just to the point that you made, and saying, “Hey, that was pointless, or that wasn’t valuable,” to help humble a little bit our security professionals so that more diversity can be enabled, catalyzed to do its best work.
[David Spark] An excellent point. That brings us to our conclusion. But before we truly wrap it, I’d like to know what your favorite quote is and why. What was your favorite quote, and why?
[Sherron Burgess] I like the quote by Danielle Bennett.
[David Spark] I thought you would pick that one, yeah.
[Sherron Burgess] About the idea of trust. I think it’s important to note that as practitioners, we have the same type of certifications, similar types of skills and abilities. It’s just the different perspective of thought or different background that we may come along with. And so I think it’s important even within a security department, you have to work in a team environment, and you have to rely on one another and know that individuals have your back. It doesn’t matter if you’re black, or brown, or any of these other diverse groups. Neuro diverse. That you have confidence in your team to be able to work together towards a goal. So, that’s absolutely my favorite quote.
[David Spark] I agree. Because what she said is it’s one thing to have diversity. It’s another thing to value what comes from diversity. Steve, your favorite quote, and why?
[Steve Zalewski] I am going to go with Robert Strohmeyer of Leadspace. What he said was a culture of diverse people sharing common values and motivations is easy to build. I picked that one because that is my aspirational perspective. Which is it should be easy to build. That is all of us taking on that challenge so that eventually that is a true statement. So, to me it’s looking at this as aspirationally that statement should be true, and that we all want to work to get there.
[David Spark] Excellent. Well, let’s wrap this sucker up. Sherron, thank you so much. You were excellent for this conversation. I let you have the very last word, so hang tight right there. I want to thank our sponsor for today’s episode, who is Votiro. Thank you very much, Votiro, for sponsoring this episode of the podcast. They are available at votiro.com. Check them out for all your file malware needs, which you may not know you need. Go check them out. Again, they were the winner of the first season of the Capture the CISO contest. Steve, any last thoughts?
[Steve Zalewski] I do have one, and I want to take this from a very high level, which was we talk about diversity and inclusion. We talk about the challenges we have to do that. The United States is still a great melting pot of people from around the world trying to build that diversity, to build that inclusion. I want to highlight some of these conversations are us taking on international diversity and inclusion and biases that come out of eastern Europe or come out of Asia whereas we open up our arms and bring all of these people into the United States and encourage them to talk about diversity and inclusion, we are taking on a challenge that’s larger than just the United States. We really are doing a lot to try to drive diversity and inclusion and fairness around the world.
[David Spark] Very good. And, Sherron, I ask all my guests, are you hiring?
[Sherron Burgess] Absolutely we’re hiring. We’re hiring diverse candidates as well. [Laughs]
[David Spark] Hiring diverse candidates. I would hope so. Any last thoughts on this topic? And how people would reach you if they want to get a job and work with you.
[Sherron Burgess] Yeah, so diversity really requires you and even the idea of inclusion requires you to get personal. It’s okay to know people. It’s okay to be authentic with them and to share your story, and to listen to theirs. I think forums like this and the conversations that we’re actually having are helping with making diversity possible – for people to open their arms and to at least discuss what it means and if they’re being conscious of it. And so I thank you for that. And of course, yes, we are hiring. Go to BCDtravel.com. We are hiring all kinds of different… People of course return to travel. And so we have a lot of companies who want to travel, and we’re hiring a lot of agents. So, please go to BCDtravel.com. And of course security as well, we’re hiring there.
[Steve Zalewski] And I want to say having met Sherron, she’s an awesome leader, and she cares as you hear. So, if there’s an opportunity and it looks like a fit, I can’t recommend Sherron and her organization high enough. For those…?
[David Spark] Why can’t you? Why can’t you recommend them high enough?
[Steve Zalewski] [Laughs]
[David Spark] What is your limitation?
[Steve Zalewski] She sets the bar to the top. There’s nothing higher than her and her organization. I will share… If you know Sherron or if you have a chance, ask her sometime about the dinner where she and I met, and we can talk about diversity and inclusion. I’ll leave that as a teaser.
[David Spark] There you go. There’s your teaser. There’s your opening question when you get to interview with Sherron. Thank you very much. Thank you, Sherron Burgess, who is the CISO over at BCD Travel. Thank you to Steve Zalewski, my cohost. And thanks to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.