Cloud Sentry
Security

Real security coverage before you can justify a security hire

You are too small for a full-time security hire and too exposed to ignore it; here is what operational coverage looks like in the gap between.

The gap nobody budgets for

You are 14 people. You do payroll on Friday, sit in on the hard sales calls, and you are still the person who approves a new hire's laptop. Last week a customer sent a security questionnaire, and you answered it from memory at 11 p.m. because there was no one else to ask.

You know you should have someone on security. You also know what a seasoned security lead costs, and what they do all day, and that 14 people cannot keep one busy or pay one well. So you do the thing every founder does. You park it. You tell yourself you will hire when you hit 50, or after the next round, or once the revenue is boring enough to feel safe.

The problem is that the risk does not wait for the headcount. An attacker does not check your org chart before phishing your finance lead. A prospect's procurement team does not grade you on a curve because you are small. You are stuck in a gap: too small to justify a full-time security hire, too exposed to do nothing. This post is about what covers that gap in practice, and why the answer is probably not a person you cannot afford.

Security is work that happens, not a person you hire

Here is the reframe that gets founders unstuck. When you picture "doing security," you picture hiring a security person. That is the wrong unit. Security is not a seat on the org chart. It is a set of things that have to happen on a schedule, whether or not anyone owns the title.

Walk through what those things are at your size:

  • Someone watches identity. New accounts get the right access, leavers lose it the same day, and a strange login from a new country gets noticed.
  • Someone keeps the basic controls on. Multi-factor authentication is enforced everywhere, not just where it was convenient. Risky sign-ins get blocked before they become incidents.
  • Someone answers when a tool flags something. An alert that nobody reads is not a control; it is a notification you are paying to ignore.

None of that requires a full-time hire. It requires the work to get done reliably. The hire is one way to make that happen. For a 14-person company, it is the most expensive and least flexible way.

You already pay for more security than you run

Most small companies are not missing security tools. They are missing the hours to operate the ones they already bought.

If you run Microsoft 365 or Google Workspace and a cloud account on Amazon Web Services (AWS), you are already paying for serious capability. Microsoft Entra ID can enforce Conditional Access policies that block a sign-in from a device your tenant does not trust, or require multi-factor authentication before it completes; Conditional Access needs an Entra ID P1 license, which Microsoft 365 Business Premium and the E3/E5 plans already include. On AWS, Amazon GuardDuty is a threat detection service you switch on per account and region; it analyzes sources such as CloudTrail, VPC Flow Logs and DNS logs for your account and bills on the volume it processes, so enabling it is an operating decision rather than a procurement project. Both are documented by their vendors.

The catch is in the operating, not the buying. Conditional Access does nothing until someone writes the policy, turns it on, and tests that it did not lock out the sales team; it ships with a report-only mode that records what a policy would have done without enforcing it, which is how you find out on a Tuesday rather than a Monday morning. GuardDuty produces findings with a severity score and a hit count, and findings only matter if a human reads them, decides which are real (your own vulnerability scanner will trip the port-probe findings), and acts. The license is the easy part. The hours are the part that falls to you at 11 p.m.
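The lockout check described above, as an added example (this is not Cloud Sentry's code and not a Microsoft tool). It takes a Conditional Access policy in the shape of the Microsoft Graph conditionalAccessPolicy resource, flags the two mistakes that lock a tenant out of itself (emergency-access accounts not excluded; a 'block' grant that applies to all users and all apps with no narrowing condition), and stages a copy for rollout with the break-glass accounts excluded and the state set to report-only. The policies and the break-glass account ids are constructed placeholders.

```python
"""Pre-flight checks for a Microsoft Entra Conditional Access policy.

Added example, not Cloud Sentry code. The policy dicts follow the field
names of the Microsoft Graph conditionalAccessPolicy resource; the
break-glass object ids are placeholders, and the two rules below are an
assumed house standard, not a Microsoft-published checklist.
"""
from __future__ import annotations
import copy

BREAK_GLASS_IDS = {"bg-account-1", "bg-account-2"}  # placeholder object ids
REPORT_ONLY = "enabledForReportingButNotEnforced"    # Graph 'state' value

NO_BREAK_GLASS = "break-glass accounts are not excluded"
UNCONDITIONAL_BLOCK = "'block' applies to all users and all apps with no narrowing condition"


def _narrowed(conditions: dict) -> bool:
    """True if some condition limits the policy beyond user and app scope."""
    if conditions.get("clientAppTypes", ["all"]) != ["all"]:
        return True
    extra = ("locations", "platforms", "devices", "signInRiskLevels", "userRiskLevels")
    return any(conditions.get(key) for key in extra)


def lockout_risks(policy: dict, break_glass: set[str] = BREAK_GLASS_IDS) -> list[str]:
    """Return the list of lockout problems found in one policy (empty = clean)."""
    cond = policy["conditions"]
    users = cond["users"]
    apps = cond["applications"]
    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    risks = []
    if all_users and not break_glass <= set(users.get("excludeUsers", [])):
        risks.append(NO_BREAK_GLASS)
    blocks = "block" in policy["grantControls"].get("builtInControls", [])
    if blocks and all_users and all_apps and not _narrowed(cond):
        risks.append(UNCONDITIONAL_BLOCK)
    return risks


def stage_for_rollout(policy: dict, break_glass: set[str] = BREAK_GLASS_IDS) -> dict:
    """Copy the policy, exclude break-glass accounts, and set report-only so
    the sign-in logs show what it WOULD do before anything is enforced."""
    staged = copy.deepcopy(policy)
    excluded = staged["conditions"]["users"].setdefault("excludeUsers", [])
    for account in sorted(break_glass):
        if account not in excluded:
            excluded.append(account)
    staged["state"] = REPORT_ONLY
    return staged


# Constructed sample policies (the classic first two a small tenant writes).
MFA_EVERYONE = {
    "displayName": "Require MFA for all users",
    "state": "enabled",                       # enforced on day one: risky
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

BLOCK_LEGACY_MISSCOPED = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],            # bug: blocks every client, not legacy ones
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

BLOCK_LEGACY_FIXED = copy.deepcopy(BLOCK_LEGACY_MISSCOPED)
BLOCK_LEGACY_FIXED["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]


if __name__ == "__main__":
    for policy in (MFA_EVERYONE, BLOCK_LEGACY_MISSCOPED, BLOCK_LEGACY_FIXED):
        print(policy["displayName"], "->", lockout_risks(policy) or "clean")
    print("staged state:", stage_for_rollout(MFA_EVERYONE)["state"])
```

Run the checks on the raw policy, then on the staged copy; only a policy that comes back clean in report-only, after a week of sign-in logs confirms it would not have blocked anyone it should not, gets its state flipped to enabled.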

A control you bought but do not operate is not coverage. It is a receipt.

What coverage looks like before the hire

Coverage in the gap is not a watered-down version of a security team. It is the same work, sized to a small company and run by people who do this for a living across many environments at once. Practically, that looks like a few specific things.

The basics stay on and stay tested. Multi-factor authentication enforced everywhere. Conditional Access tuned to your real working patterns. Leavers offboarded the day they leave, not the Friday someone remembers. The boring controls are the ones that stop most incidents, and the boring controls are exactly what gets skipped when one founder is doing everything.

Alerts reach a human who acts. When GuardDuty or your identity provider raises a flag, it lands with someone whose job is to triage it, not in an inbox you check between meetings. That is the difference between detection and a detection product.
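What "triage" means in code for the GuardDuty case, as an added example (not Cloud Sentry's code and not an AWS tool). The findings are constructed to mirror the fields that GuardDuty returns from get_findings (Id, Type, Severity, Service.Count, Service.Archived, Service.Action); the severity bands follow the documented GuardDuty levels and should be checked against current docs; the routing rules (page, ticket, daily digest, suppress) and the known-scanner address are an assumed house policy.

```python
"""Route Amazon GuardDuty findings to 'who acts, and how fast'.

Added example, not Cloud Sentry code. SAMPLE_FINDINGS is constructed in
the shape of boto3 guardduty.get_findings() output; in production it is
replaced by that call's result. KNOWN_SCANNERS and the routing thresholds
are assumptions a team would set for its own environment.
"""
from __future__ import annotations


def severity_label(score: float) -> str:
    """GuardDuty severity bands (assumed from the docs; verify for your region)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


# Sources we expect to trip port-probe findings, e.g. our own authorised
# vulnerability scanner. Constructed; TEST-NET address only.
KNOWN_SCANNERS = {"203.0.113.10"}
SUPPRESSIBLE_TYPES = {"Recon:EC2/PortProbeUnprotectedPort"}


def remote_ips(finding: dict) -> set[str]:
    """Collect remote IPv4 addresses from the action shapes that carry them."""
    action = finding.get("Service", {}).get("Action", {})
    ips = set()
    ip = action.get("NetworkConnectionAction", {}).get("RemoteIpDetails", {}).get("IpAddressV4")
    if ip:
        ips.add(ip)
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            ips.add(ip)
    return ips


def route(finding: dict) -> str:
    """Return 'page', 'ticket', 'digest' or 'suppress' for one finding."""
    service = finding.get("Service", {})
    if service.get("Archived"):
        return "suppress"              # a human already closed it; do not re-raise
    sources = remote_ips(finding)
    if finding["Type"] in SUPPRESSIBLE_TYPES and sources and sources <= KNOWN_SCANNERS:
        return "suppress"              # every source is our own scanner
    label = severity_label(finding["Severity"])
    if label in ("HIGH", "CRITICAL"):
        return "page"
    if label == "MEDIUM":
        # A medium that keeps recurring gets a human today, not a queue.
        return "page" if service.get("Count", 1) >= 10 else "ticket"
    return "digest"


def triage(findings: list[dict]) -> dict[str, list[str]]:
    """Bucket finding ids by route, preserving input order."""
    buckets: dict[str, list[str]] = {"page": [], "ticket": [], "digest": [], "suppress": []}
    for finding in findings:
        buckets[route(finding)].append(finding["Id"])
    return buckets


def _probe(ip: str) -> dict:
    """Helper to build a constructed PortProbeAction block."""
    return {"ActionType": "PORT_PROBE",
            "PortProbeAction": {"Blocked": False,
                                "PortProbeDetails": [{"RemoteIpDetails": {"IpAddressV4": ip}}]}}


SAMPLE_FINDINGS = [  # constructed, not real account data
    {"Id": "f-iam-exfil", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0, "Service": {"Count": 1, "Archived": False, "Action": {"ActionType": "AWS_API_CALL"}}},
    {"Id": "f-portprobe-scanner", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "Service": {"Count": 40, "Archived": False, "Action": _probe("203.0.113.10")}},
    {"Id": "f-portprobe-unknown", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "Service": {"Count": 3, "Archived": False, "Action": _probe("198.51.100.7")}},
    {"Id": "f-anomalous-repeat", "Type": "Discovery:IAMUser/AnomalousBehavior",
     "Severity": 5.0, "Service": {"Count": 12, "Archived": False, "Action": {"ActionType": "AWS_API_CALL"}}},
    {"Id": "f-anomalous-once", "Type": "Discovery:IAMUser/AnomalousBehavior",
     "Severity": 5.0, "Service": {"Count": 1, "Archived": False, "Action": {"ActionType": "AWS_API_CALL"}}},
    {"Id": "f-archived", "Type": "Backdoor:EC2/C&CActivity.B!DNS",
     "Severity": 8.0, "Service": {"Count": 2, "Archived": True, "Action": {"ActionType": "DNS_REQUEST"}}},
]


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_FINDINGS).items():
        print(f"{bucket:8s} {ids}")
```

The point of the suppression rule is that it is written down and scoped (one finding type, one source list), so the record shows why a finding was not acted on; a blanket filter on "Low" would hide the unknown port probe that a human should at least see in the digest.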

And the work shows up as a record. When the next questionnaire arrives, the answers come from how the environment is run day to day, not from your memory at night. That record is also what an auditor or a serious buyer will eventually ask to see.

This is the honest part, so it is worth saying plainly: if you have a deeply specialized risk profile, regulated workloads with their own mandates, or a security function you want to build in-house and grow, a full-time hire or a dedicated team may be the right call. Operational coverage is for the long middle stretch where you need the work done well and cannot yet justify the seat.

The question under the question

Go back to that 11 p.m. questionnaire. The real strain was not the form. It was the quiet knowledge that the work behind the answers was not happening on any schedule but your own attention, and your attention is the scarcest thing in the company.

You do not solve that by hiring a person you cannot keep busy. You solve it by making sure the work happens, reliably, run by people who already do it everywhere else, using the tools you are already paying for. Small does not have to mean exposed. It means you cannot afford waste, and a full-time hire before you need one is waste.

So here is the question worth sitting with before you park security again: what would change if the work were already getting done, and the only thing you had to do was trust the record it left behind?
