The bullets below summarize this post:

• Security awareness leadership depends on company size and revenue.
• Seed stage (0−0−2M): Focus on core product; existing team members can manage basic security practices.
• Early Series A (2−2−5M): Designate a team member to oversee security awareness; consider a fully managed security awareness platform.
• Late Series A (5−5−10M): Hire a full-time security awareness leader for a comprehensive program and interdepartmental collaboration.
• Beyond $10M: Expand the security awareness team and continuously adapt the program to address new threats and challenges.
• The right time to hire a security awareness leader varies based on the company's growth and security needs.

Companies shouldn’t rush to hire a dedicated security awareness leader. In this post, we outline the ways to operate a security awareness function at varying stages of size.

Seed - $0-$2M in Revenue

At the seed stage, a company's focus should be on building its core product and establishing a customer base. Security awareness is important, but it can be managed by existing team members who take on security responsibilities in addition to their primary roles. Implementing basic security practices and training, such as secure password management and avoiding phishing attacks, will suffice at this stage. As the company grows and revenue increases, the need for a dedicated security awareness leader will become more apparent but it is too early at this stage to hire for this role.

Early Series A - $2-5M in Revenue

As the company progresses into the early Series A stage, security awareness becomes increasingly important. At this point, it's wise to designate a specific team member to oversee security awareness initiatives. This individual should have experience in security and be able to develop comprehensive training programs for employees. They can also coordinate with other departments to ensure security best practices are being followed. While a full-time security awareness leader may not be necessary at this stage, having someone dedicated to the task will help prepare the company for future growth and security challenges.

We have found the optimal solution at this stage is to consider a fully managed security awareness platform. Go direct to the vendor and don’t use an MSP to save on costs and improve the quality of service.

Late Series A - $5-$10M in Revenue

At the late Series A stage, with $5-$10M in revenue, the company should seriously consider hiring a full-time security awareness leader. This individual will be responsible for creating and managing a comprehensive security awareness program, ensuring that employees are well-trained and informed about potential threats. They will also collaborate with other departments to implement security best practices and policies across the organization. As the company continues to grow, a dedicated security awareness leader will play a crucial role in safeguarding its assets and reputation.

Beyond $10M in Revenue

Once a company surpasses the $10M revenue mark, the security awareness leader's role becomes even more critical. They must continuously adapt and expand the security awareness program to address new threats and challenges. This includes staying up-to-date with the latest security trends, conducting regular risk assessments, and tailoring training programs to meet the needs of a growing workforce. The security awareness leader should also collaborate with other departments, such as IT and HR, to ensure that security policies are consistently enforced and that the company culture promotes a strong security mindset. At this stage, it is essential for the security awareness leader to proactively identify potential vulnerabilities and take preventive measures to minimize risks.

Typically, this is when security awareness becomes a team function with multiple dedicated people. A great first security awareness team composition is typically a lead/manager, a technical resource, and a content creator.

Conclusion

In conclusion, determining the right time to hire a security awareness leader depends on the company's size, revenue, and security needs. As the organization grows and faces new challenges, having a dedicated professional to manage security awareness becomes increasingly vital. By following these guidelines, companies can ensure they are adequately prepared to handle potential threats and protect their valuable assets.

‍