Security Awareness Training That Works: Anagram’s Path to Disney, Pfizer

This week, Madrona Partner Vivek Ramaswami hosts Anagram Founder & CEO Harley Sugarman. Harley’s founder journey is a fascinating one — from magician to music video producer to engineering at Bloomberg and then to investor at Bloomberg Data before eventually leading to becoming an entrepreneur. He launched a company in 2023 with a bold mission: to fundamentally rethink how we protect the human side of cybersecurity.

Originally founded to help security teams upskill through immersive training, the company has since evolved into a next-generation human security platform that’s tackling one of the biggest unsolved challenges in enterprise security: employee behavior.

In this episode, Harley and Vivek unpack how one pivot, a flood of cold outreach, and relentless focus on behavior change transformed a niche tool into an enterprise platform serving companies like Disney and Pfizer. From landing enterprise logos off of nothing but wireframes to outmaneuvering the 800-lb gorilla in a legacy industry — Harley’s tactics are a masterclass for any founder trying to stand out in a crowded market.

Listen on Spotify , Apple, and Amazon | Watch on YouTube.

This transcript was automatically generated and edited for clarity.

Vivek: What motivated you to launch this company? How did your background help you in the early shaping of the company itself?

Harley: Yeah, so I have a bit of a funny background. I actually went into school as an English major, was a semi-professional magician prior to doing that. So I really did not think I was going to be in the tech world for a long time. But after going to school in Palo Alto, sort of being very much immersed in that world, the idea of starting a company took hold, but I didn’t know what I wanted to go and do. So right out of college, I moved to New York and was working at Bloomberg, mostly there doing engineering for sort of infrastructure tools that Bloomberg was building, and sort of realized that I knew a lot about the product side of startups, but didn’t know much about all the other stuff, about the fundraising, about the hiring, all those other facets that go into creating a company.

So I found Bloomberg Beta, which was this early-stage fund that exists within Bloomberg and is very focused on the future of work, which is something I was also very interested in. So I joined for two years, essentially with the ultimatum that after two years, I want to be fired and forced to go and start a company. And the team I worked with was very supportive. I worked with a woman, Karen, out of New York who sort of held me to that promise. And for me, security was always a very natural fit. There’s a lot of engineering within security that I find really fascinating. That was my specialist focus at university.

And really for me, there was always this interesting intersection of the technical side of security and the human side of security. And that human side was this sort of much fuzzier problem than the technical side. And it was a problem that a lot of people had tried to solve, but hadn’t really been able to solve. And so, that was what gave me the trigger to say, “You know what? Let’s go into this space. Let’s look and see where there’s opportunity.” And that led to the initial vision for the product, which was focused on security teams and eventually led us to what we’re now building at Anagram.

Vivek: Yeah, and I think obviously you had a lot of interesting developments leading you to even starting the company in security in the first place. But then, the original vision of the company was very different, or certainly different from what you’re doing today, which was around upskilling cybersecurity employees and teams with this kind of capture the flag style approach. But then, you pivoted the company in 2024 and saw some rapid success from there. What sort of led you to this pivot? Walk us through what your thought process around that was.

Challenges and Market Realities

Harley: So the original product that we built, which I stand by as being an awesome product, was this way of evaluating security talent and training security talent through this idea of puzzles, right? In security, there’s this culture of capture the flag, which is we’ll give you a piece of broken software or vulnerable software, and your job is to figure out how to exploit that vulnerability. And in doing that, you very quickly understand, “Oh, okay. This is how I would defend against that in the future.” And it’s a really cool, engaging way to teach people to evaluate what somebody knows. And so, we started off building software very much focused on solving that problem for security teams, which I can talk about at length.

But I think one of the issues with it is that security is a very gate-kept industry. There are a lot of certifications, a lot of a feeling that you need to have gone to a certain kind of school, or have a certain degree to get into this field, and I didn’t buy that at all. So that was the first product that we launched. We got a little bit of traction with it. And candidly, we just realized quite quickly that the market wasn’t there for it. We launched sort of 2022, end of 2022 timeframe into a market that was very much contracting. So companies that had big security teams, financial institutions, tech companies, et cetera, were on hiring freezes. They were doing layoffs. They were downsizing. So we quite quickly learned that there was a cap to how big this business could be.

And then, the other challenge with it was the needs and the requirements for security training at these different orgs looked fairly different, given the risk profiles, given the compliance frameworks you needed to worry about, given the kind of software that you are developing. So we decided to make a pivot, but we knew that we had built something special because the feedback from users was really, really positive. They loved the puzzles. They loved this idea of critical thinking and keeping things short, but engaging. And so, we basically started talking to the customers that we had, and we said, “Okay. Where are you feeling this pain, where this kind of solution could be interesting?”

And the thing that came up more and more frequently was this idea of training users who weren’t necessarily on the security team, training the general population. And it’s a very known issue. Human risk tends to be the biggest hole for most enterprise companies, meaning someone clicking on a phishing email, somebody sharing data with their personal email or to someone that they shouldn’t. Now, increasingly, there’s a lot of AI risk around what information gets put into models and what does that company do with that information. And there hasn’t really been a good solution to that problem. There’s a lot of companies out in that space. It’s a very popular space. But the approach most of these companies has taken is very cut and dry, right?

Pretty much everyone watching this or listening to this is going to have had to have gone through some kind of security awareness training in the past. That’s usually 45 minutes of videos talking about what is a phishing email, followed by a kind of reading comprehension quiz that looks like it came out of the SAT, and that is not a good way to train people. And what we learned was that there was real appetite to take this more engaging way of educating and teaching, and apply it to this space, which is a lot broader space, because every company above a certain size needs to do this employee training. And so, that was the seed that led to Anagram.

To be honest, I was quite hesitant to do this initially. I thought we were going into a space that was very commoditized. I felt it was a little bit of a race to the bottom. So I sort of felt like, “Okay, if we do this, we have to do it right and we have to do it differently.” And so, that was the initial sort of hump that I had to get over was my own kind of internal bias like, “Does this actually make sense? Is this a good idea? Is this not a good idea?” But we got really, really good feedback, and so we then started doubling down. And it kind of didn’t even really feel like a pivot at all.

Executing a Startup Pivot

Vivek: Take us through that actual pivot. You talked about externally why you decided to… You saw one direction, and you said, “Okay, you know what?” Actually, if I take the company and the product in a different direction, I’m seeing a lot of immediate traction there.”

But internally, what actually happened? If you just think about the tactics of this, did you wake up and you tell the team, “Folks, we’re going to change the direction of the company, and this is the product we’re going to go into.” Did you have to change the team? What sort of happened? At least on the internal side after you made that pivot, because that’s something so many founders have to go through.

Harley: So the way that we thought about it or the way that I thought about it was every step kind of felt like a natural progression of the step before. So I actually don’t think I remember waking up one day and saying, “Hey, you know what? We’re now a security awareness company.” That didn’t happen. It actually felt very organic. I make decisions well when I see data. That’s kind of the framing through which I view the world. And when we started selling this new product, we started sort of ideating on, “Hey, okay, security training for security teams. That’s probably going to hit a wall at some point. Where can we expand?”

We started just running a ton of little experiments around messaging and outbound, outside of our existing customers, and we said, “Okay. My hypothesis — this is probably not going to work.” Right? There’s a million companies out there. CISOs kind of think this is an unsolvable problem because human risk is that you can’t fix the human, which I think is a really terrible framing. And so I sort of said, “All right. Well, we’ve got these customers who are willing to give us some money. Let’s focus some effort on building that product as cheaply and as quickly as we can.”

And then in the meantime, let’s just start running some tests. Let’s start reaching out via LinkedIn, via email to CISOs, and see if we can get any interest like, “Hey, we’re going to try this a little differently.” And we got a lot of bites that way. Of our first, I think, 20 customers, 80% of them came through cold outbound. It wasn’t my network. It wasn’t people doing us favors, right? We had a couple of existing customers who converted, but the vast, vast majority came from us just reaching out. And I think that was the thing above everything else that made me say, “Actually, this is cool. There’s a there there. There’s an opportunity here.”

And people are sick of the status quo, and they feel like there is a chance for us to build something here that is differentiated, and feels unique, and feels innovative.” And so, we just slowly started spending more and more of our time on it. And there was a moment, I’d probably say early to the middle of last year, where we decided as a team, this is going to be our focus now. We are spending 80% of our time on this product. We closed more revenue in the first six months than we did in the past 18 months building the original product. And so at that point, it was fairly obvious like, “All right, we’re going to do this.” And you know, for the team, a few of them came and sort of said to me like, “It kind of didn’t feel like a pivot.”

Someone said to me once, I thought it was kind of interesting. There’s like two genres of pivot. There’s a market pivot or there’s a buyer pivot. And it’s hard to do both, but you can do one. We kind of made a buyer pivot, right? We are still selling to security. The process is not a million miles away. It’s this top-down enterprise sale. But the end user, the experience, the problem that we’re solving is just fairly different. And we were kind of lucky there was a lot of DNA from product one that could apply into product two.

But yeah, it felt I think very natural and we didn’t need to make any team replacements or anything like that.

Vivek: I think that’s where the word pivot just sounds like you’re making a hard pivot, right? Where so many things are changing, and it’s like you got rid of one team, and you got another. In this case, it’s more almost a transition, right? There’s a transition of the product, but there’s a transition on the buyer side. They decided, “Okay, you know what? This first part I’m not going to spend that much money on. But the second thing that you’re doing, actually, there’s budget for this.” And now, you can tap into that budget.
And I think the thing you said that was really interesting and that is differentiated is, so much of your early traction came from you reaching out cold on LinkedIn and on email. And these aren’t just small SMB customers. This is Disney, and Pfizer, and big blue chip customers. Maybe talk through that a little bit. What was sort of different in what you were doing that allowed it to work?

Security Awareness Training that works

Harley: A few things that we did, I think, that worked for us and would work for other people is, we always started from a place of feedback. So in the early days, we didn’t have a ton of functionalities to the product. We had a lot of wireframes, we had some basic things that we could demo, and we were very upfront about that. We weren’t saying, “Hey, we are going to come in and solve all of your problems.” We came in and said, “Hey, security awareness training sucks. You probably hate what you’re doing. We’ve taken this approach that is a little bit different. We’d love to show it to you. We’d love to hear if the approach resonates with you. Do you have 15 minutes?” And I will die on the hill that a cold email is the highest reward-to-risk ratio proposition that you will ever encounter as a founder.

It costs you literally as close to nothing as it can cost you, right? Some time and some thoughtfulness around who you reach out to and how you reach out. And the worst that can happen is they ignore you. And maybe if you reach out to them a year later, they respond, but they’ll have forgotten about the first one. So there’s zero reputational risk really if you do a thoughtful one, but the potential upside is so high. So we really leaned into that. Just try it. But as I say, I think coming at it from a place of, “We want your feedback. We are not telling you that this is going to solve all of your problems.” Coming at it from a place of the open secret that in this space, there are a bunch of issues. And hey, we are thinking about how to solve this, and we’re being innovative. I also think, tactically, if you frame yourself as earlier than you are, that can help.

Even now, we send stuff from my university alumni email address, and we try things where we say, “Hey, we’re a team of… We recently founded a company, even though the company’s been around a year.” I just think having that framing of like we are early gives you two things, especially for C-levels at big companies. One is it puts them a little bit more at ease. It feels like, “Hey, I’m not just going to get pitch slapped by this dumb company that I get 400 of these every day.” And then the second thing is a lot of these big C levels love the idea of paying it forward and helping startups. Some of them might become investors. Some of ours did become investors. Some of them might want to help connect you with VCs that they’re connected with. So there is this idea of a rising tide lifts all boats that I think we were able to capitalize on as well.

Vivek: And I think also you approaching this with a level of humility that I think is really important too, right? It’s not this idea of, “Hey, buy us, and we’re going to solve all your human risk problems.” Right? It’s like we are the greatest security training tool. It’s not like, “Hey, we have a different approach. Why don’t you try us out? Or I’ll at least, get on the phone and talk to you about it. And we’ve had this success and you can just sort of build on top of that.” And I think that’s great. By the way, this probably the first time I’ve heard pitch slapped.

Harley: I didn’t come up with that.

Vivek: I was going to say it’s very good. And I’m not sure if we’re going to be able to use it or not. Hopefully, we can. But I think one thing you noted there is really important, which is this is a space that’s been around for a long time. Right? As you say, at a certain size, you need to have some level of security awareness training, products within your organization. Now, the vast majority of them today are very much check-the-box, and it’s not a great experience. And I’m sure 90% of the people who are listening or watching this podcast have kind of gone through that. Now, I’d love to hear how you all and how Anagram thinks about standing out in this space.

We’ve talked about this. There are almost two sets of competitors. One is all these new age sort of AI forward companies, many of which are getting venture funded, and a lot of them have been out there for the last few years. And then, there’s this one giant behemoth, right? In KnowBe4, which has been around, probably the first one in this space, and is sort of the 800-pound gorilla in this market. For a product and a company that’s only been around for a couple of years, how do you think about how Anagram competes in the spaces? Do you think about all of these? Do you think about this side more? Walk us through the competitive set and how you compete and find success.

Harley: So I think for what we do, it is a fairly commoditized space. There are a lot of startups. There are a lot of incumbents. There is really one massive incumbent, which is KnowBe4, and they’ve built a machine. I’ve got to give them credit because they have managed to dominate the industry. When we go into these enterprise companies, nine times out of 10, we’re competing with KnowBe4. All stuff they’ve built internally. But it’s unusual, I think, to see a space within security where so few of the incumbents of the big customers are using a startup as a solution. When we go up for these customers, we’re very rarely competing against the startups. We’re usually competing against KnowBe4. Sometimes, a company like Proofpoint, like an email security platform, has some training built into it.

And then, the startups that are doing the AI solution. We run into them a little bit more at the mid-market, sort of maybe 500 to a thousand, 1500 employees. We learned quite quickly that our bread and butter is the big enterprise. We found that we can serve 1000, 2000-person companies pretty well, but those processes tend to be very competitive. You’re going against all these other AI-driven companies. There’s a lot more shininess. And you’re also going up against a team that you’re selling to a persona who’s got a lot more going on in the sense that there is typically one person. Maybe it’s a CISO. Often, it’s not even a CISO. It might be a director of IT who’s wearing 17,000 hats, and security awareness is one of those hats.

And so they just need to get something in, check the box, and get it done as quickly and as cheaply as possible. And that’s not really the company that we’re going after. What we’ve realized is that these big enterprises that have the biggest risk surface because they’re dealing with 10,000, 20,000. In our bigger customer cases, 400 – 500,000 employees, they have to think about this with a bit more sophistication. They have to think about, how do we target training to different parts of the org? How do we customize what people get? We deal with a lot of companies that have manufacturing facilities. And those workers are hourly. And so for them, training that is 45 minutes long versus 15 minutes long, all of a sudden.

Vivek: An hour of pay.

Harley: Right. Exactly. Yeah. If you take 10,000 manufacturing workers times that by 30 minutes, that’s 300,000 minutes. I think I did the math right.

Vivek: It’s a lot of time.

Harley: Yeah, it’s a lot of time. But it’s interesting, because what we’ve learned quite quickly is that that is our bread and butter. Those are the programs where we can go in and show ROI really, really quickly. And so, that’s where we focused. In terms of how we’ve looked at it from a product perspective. I think if you look at the incumbents, we’re all familiar with that product. As I say, it checks a box, but it doesn’t lead to behavior change.

And I think the big problem in this space, and the reason you’re seeing a lot of startups in this space, is that CISOs have realized this training doesn’t really do anything. It is a thing that we have to do because our compliance framework says we have to do it, but that’s kind of as far as it goes. And the analogy I’ve started to use is if we taught kids, if we taught school-age kids the way that we expect adults to learn security awareness, within two weeks, there would be protests in the streets.

Vivek: Yes.

Harley: We’re not going to let our kids just sit in front of a screen and then take a comprehension quiz. That doesn’t actually teach. And it doesn’t teach you anything, right? There’s been so much research on how behavior change works at scale and how education can work at scale, not from security companies, but from companies like Duolingo, from companies like TikTok.

Vivek: Right.

Harley: And you need to incorporate those kinds of technologies and techniques into awareness training. The big incumbents don’t do that. And then, even the smaller startups that are very AI forward and they say, “Hey, we’re going to take the phishing simulations that you do and we’re going to let them be AI-generated,” or, “We’re going to have AI-generated videos.” Again, there’s some value there, but it’s kind of, to me, the lowest hanging answer to the question, how do we incorporate AI into this training?
And I just feel like if you put someone, and give them three minutes and say, “Hey, how do I incorporate AI into awareness training?” That’s what they would come up with. So what we’re trying to do is go one level deeper and look at the workflows that our users are engaging with day-to-day, and figure out how do we insert nudges, behavior change, training into those workflows. And I think that’s something that no one’s really doing right now.

Vivek: At the end of the day, for most of these customers, they would like to drive behavior change. Right? It’s very hard to do.

Harley: Yeah.

Vivek: Because we’re used to the way we do things at work, right? And so, being able to show, especially at these big enterprises, can you drive behavior change? Or what leads to behavior change to make your environment more secure is so important. And so, I would say that one of the things that attracted us to Anagram was taking this enterprise-first approach, right?

A lot of companies will go say, “Hey, you know, let me start with a small customer and kind of work my way up.” Versus just going, “No, Disney has a complex environment, and that complexity is what’s going to make our product shine.” What advice do you have for other founders who are trying to break into the enterprise? Because enterprise is not easy, right? And these large companies are not easy. What sorts of things have you found successful for Anagram that you think might be relatable to other founders?

Enterprise Sales Strategy

Harley: So I think within the enterprise, you really have to put in the time understanding how their business works. It becomes a much more of a consultative sale than a prescriptive sale because every enterprise has its own beast. There are power dynamics at play that you will not get a sense for until you’ve spent real time with them. And what we started to do that is showing a good amount of promise is look for a specific problem that we can solve, right? Let’s take J&J, or Kenvue, or Disney as an example.
They have such a huge number of challenges that if you try and say, “Hey, we’re going to solve everything day one.” First of all, they’re not going to believe you if you’re a company at our stage. Second of all, the number of people who would have to buy in for you to go and solve all of those problems is probably in the dozens. Not always, but oftentimes. And there’s different departments that might need to buy in. I’m not even talking about budgeting yet or dollar amounts. Just the sheer complexity of the sale goes up so quickly. So what we’ve tried to do is really focus on specific areas where we can improve. So it might be training people who click on phishing emails a lot. It might be doing a little bit more targeted training to certain parts of the organization. But this land and expand motion, I think, works really, really well within those enterprises, because you get the chance to build some of that trust.

And you get in the door a little bit quicker. Your contract size won’t be that big initially, but our mission is to build trust, and to get them enjoy working with us, and that unlocks volumes, I would say, in terms of ability to expand. Also, social proof, right? I think once you’re in one of them, you can then kind of name-drop that one. And then all of a sudden, you get a little bit of the FOMO among the enterprise, which is always nice.

Vivek: Yeah. Well, you should be less humble about it. It’s not easy to break into these companies in the first place, and then expand. But as you say, if you can get your foot in the door, you have a good starting point that can give you a lot of leverage to moving across the organization.

Choosing the Right Investors

Let’s switch gears here a little bit to fundraising. Tell us a little bit about the fundraising journey. And I guess I’ll put you on the spot a little bit. You weren’t really fundraising when we talked, and so why’d you even take the call? And give us a little bit about that experience.

Harley: Yeah, we weren’t fundraising when I first met you. I think we had planned to fundraise kind of around now, like March, April, May. I guess we’re in June of 2025. At the end of 2024, when we got introduced, I was really just in the early stages of saying, “Okay, I probably need to get my reps in fundraising. And I remember this from my time as a VC. We used to give this coach to our founders. Fundraising is like a muscle, and you just have to remember how to talk about your business.

What are the common questions that come up? What are some of the big things that you’re going to have to answer? Who are your competitive set? How are they fundraised? And there’s a lot of prep work that I think goes into a good fundraising process. And so, this was going to be the very, very early stages of that process for me. We got connected through my little brother, of all people.

Vivek: You owe him a nice Christmas present.

Harley: Yeah, exactly. And he was like, “Oh, I met these guys at Madrona. They seem really smart. Do you want to have a chat?” I said, “Yeah, I’ll get some practice swings in.” And yeah, I think on our side, we were in a fairly good position because we had had a lot of momentum. We’ve closed a lot of contracts. We were and are growing pretty well. But I was just really surprised. I loved the conversation that we had, and you asked really good questions. I also fundamentally believe that fundraising… And I hate the cliche, but fundraising is kind of like a marriage. This is a long-term partnership, right?

This is not, “Oh, they’re going to write a check, and then disappear.” This is — you are going to be seeing these people or speaking to these people multiple times a month, or once a course, in a board meeting or whatever it is. And so, you need to get along both on a professional level, obviously. And then, have a shared vision for the company. But also, you need to just want to spend time with them, and trust that you can be honest with them, and have these conversations. Life’s too short to have friction like that. And yeah, as I say, I just… You know? Not to big you up too much on your own podcast.

Vivek: We’ll take it. We’ll take it.

Harley: But I just thought it was a really great conversation.

Vivek: The feeling is mutual. And I think, for us, we had looked at a number of companies in this space. But I feel like the approach you are taking and Anagram was taking, but also your authenticity, right? Outside of just having a very interesting approach in this space, it’s like, are you the kind of founder or the kind of person that’s going to be able to make changes when the market throws a million things at you, right? It takes time to suss that out. I remember we spent half a day in New York and went for dinner. And those are the kind of things that I think get us really excited. Great traction and customers is important, but ultimately, so much of the company is defined by the founder in the early stages. And I think getting to those things is really important.

And I think the other underappreciated part is that when you already have a great group of investors, like in your case, you already had Bloomberg Beta and GC. You want to have someone who also can probably fit into that board dynamic while also challenging you in certain ways. And I think you’ve been very lucky to have a great set of investors, and I’m not talking about ourselves, but even your other investors. And so, it’s been fun to be part of that dynamic in that group. If you were to give advice to founders about fundraising and choosing a partner for the long term, what are one or two things that you would, maybe that they don’t hear as much? Or are there one or two pieces of advice you’d give after having gone through this process?

Advice for Founders

Harley: I would say the biggest thing is choosing someone who you get along with. To me, that is far and away the most important piece. And this isn’t to say the case for every CEO, but I really value collaboration and I really enjoy hearing other people’s ideas. I think of myself as a sponge. And I might take in all the information, and then just wring it out and ignore all of it, but I love absorbing it. And so, I need someone who I can listen to and who I’m going to care about their opinion.

And I think if you are someone who always thinks that you’re the smartest person in the room, if you’re someone who has to get the last word in edgewise, you are just going to… I just know myself and I know that I’m going to start dismissing what that person says or take it with a grain of salt. And so for me, I was really solving for that. Who is this person who is going to be a thought partner? Because ultimately, you also have to, as a founder, know where to take the advice and where not to take the advice. VCs are great, and we have been very lucky. We have a really good batch, but they are backseat builders, right? They are not there in the trenches. They don’t see what’s happening day-to-day. So you, as the founder, have to make the call ultimately, but you need someone who is going to have that little bit of humility on the VC side and say, “Look, I know that I am not necessarily the best person to answer this question. You’re the best person to answer this question, and trust you with that vision.” Again, being a VC, I think I saw this happen in a positive, constructive way.

And I saw this happen in very negative ways, where board meetings were just sort of this thing that the founder and even some of the VCs dreaded because they knew there was going to be conflicting egos. It’s uselessly destructive because it doesn’t contribute to building the business. It doesn’t contribute to a good relationship between these people who are spending a ton of time and are really invested in each other’s success. So yeah, as I say, for me, it’s a soft answer, but I think that interpersonal connection is massively important.

Vivek: That totally makes sense. And let’s end with a couple of rapid-fire questions here. So, outside of fundraising, if you could provide founders with one piece of advice, what would it be?

Harley: Send more cold emails than you think you should.

Vivek: Love that. Okay. Send more cold emails. Yeah, I think you probably learned some of this skill as a VC too, right? This is what we do all day. And one, let’s talk about hiring for a second. What lessons have you learned around hiring, especially when it comes to the kind of talent you want to get at this stage that Anagram’s at?

Harley: This is a longer answer for a quick-fire question, but it’s difficult to get talent that can scale at any stage of a company. What is a good fit for someone when you are 2, 3, 4, 5 people might not be a good fit when you are 10, 11, 12, 13 people, which might not be a good fit when you’re 25, 30, or 50, or a hundred. And so, always being cognizant of, is this the right blend of talent that I need for my team at this stage of this company? And then, a lesson that I have learned and a mistake that I’ve made that I’m trying to internalize and continue to get better at is not letting bad hires or mistaken hires drag out. So, making those decisions quickly.

And I say that not in a kind of, oh, let’s just be cruel and callous about it, and just hire and fire everyone and kind of create, because that’s really bad for the culture. But there genuinely is, for most people, a stage of company where they will shine and a stage of company where they will not. And we’ve hired a couple of times people who I think would be really great fits for companies where there was a little bit more infrastructure. And maybe if the company were 50, or a hundred, or a thousand people, they would be a really, really strong A-level player. But when you’re five people, when you’re 10 people, there’s just so much ambiguity and so much comfort that you need to be able to do without that, it just wasn’t the right fit for them or for us, right?

It’s not really fair for them to be wasting their talent at a place like us. And it’s not really fair for us to be bringing them in where they’re not contributing what they could be, right? So I think making decisions quickly. Also, smaller point — hire more junior than you think, especially at the earlier stages. Like someone who is earlier in their career, maybe, or not as experienced, but really hungry and learns really quickly. I will take that 10 out of 10 times over someone with a bit more experience who’s maybe coasting.

Vivek: Yeah. In fact, it feels like we’ve actually had more success in that type of hiring, and watching those people grow, and do all the tactical sort of get in the mud working versus bringing in someone senior. There’s a time for that. But I think, as you say, for seed series A, early-stage companies, that kind of role makes a lot of sense. Last question for you, Harley. Looking out five years, where do you see this market and where do you see Anagram?

Future of Security Awareness Training

Harley: I think that the current incarnation of security training disappears. I think it has to. One of the nice things about the way the current compliance frameworks are written is that they’re actually very vague. They just say, “Well, you have to train your employees annually on security relevant to their jobs.” That’s pretty vague. And what that has meant so far is we’ve done the lowest hanging fruit like, “Okay. Well, we’re going to give employees annual training about security,” and it doesn’t work.

And I think that as AI attacks become more sophisticated, so as these emails, that phishing farms can create become more personalized, become higher quality, become more relevant, the email security platforms are going to struggle to detect that as effectively and struggle to prevent those from landing in employees’ inboxes. I think we’ll see it with AI language models and these tools that we’re using. Even companies that are banning them outright, they’re still getting a ton of data leaked into them because employees are just putting it on their phone or taking a screenshot of the code and loading it into ChatGPT.

These are all stories that I’ve heard. And AI is just this kind of massive tailwind towards the humans needing to become better at detecting and preventing these security breaches, right? Already, humans account for 70, 80% of the number of breaches that big enterprises face. I think that number is just going to get higher and higher and higher because the tools that attackers are used get more and more sophisticated.

And so, the only way that we can solve that is to actually create behavior change and actually impact the way that users think about security. And for us, as I say, annual training is not a way to do that. And so, that’s where we are really focused on innovating in terms of both the simulations and the tests that you can use to train your employees, the format of the training itself, and then also ultimately the workflows, and getting into those workflows, and pointing them in the right direction.

Vivek: It’s awesome. Well, Harley, this has been great. We’re so excited to be on this journey with you. It’s a pleasure to have hosted you here, and I’m excited for everything you do in the future. So thank you again, Harley.

Harley: Awesome. Thank you for having me.