So the question I get asked a lot is: for how long do I continue to do the security work as 10% or 20% of my job? At what point do I hire someone to be focused on security? The right time is when you're not able to focus enough on your other strategic responsibilities as a CTO or as a CIO. For a lot of smaller startup organizations, that can be the task of responding to vendor security questionnaires. So, as part of the sales process, the things to consider would be: who has built your security program? Who's running it? Who's communicating that to your customers and to your business partners?

It really has to do with a specific organization's risk profile. What's the potential damage of a breach? How might that breach occur at your organization, and therefore, how do you invest in that? It's going to be different for every organization, depending on the industry, geography and technology infrastructure. Building this program will depend on identifying the software that provides the most critical functions to your business, and figuring out how to protect it.