Conversation
Highlights

From VC to Founder: How Anagram is Revolutionizing Security Awareness with a Human-Driven Approach

Security breaches cost companies millions, yet most organizations treat their biggest vulnerability—human error—with outdated training videos and quizzes that fail to change behavior. In a recent episode of Category Visionaries, Harley Sugarman, Founder and CEO of Anagram, revealed how his $10 million-funded startup is transforming security awareness by making humans a security asset rather than a liability.

The Disconnect Between Risk and Solution

When Harley was exploring opportunities in cybersecurity, one glaring contradiction stood out.

“If you ask 100 CISOs, probably 90 to 95 of them, if you’re asking them where is an attack going to come from, they’re almost always going to say, most likely it’s going to be one of my people,” Harley explains. “And at the same time, if you look at how they’re addressing that big risk, you’ve got this really dreadful set of tooling.”

The standard approach to security awareness training hasn’t fundamentally changed in over two decades: annual training videos followed by basic comprehension quizzes. This disconnect between perceived risk and investment presents a massive market opportunity.

The Problem with Traditional Security Awareness

Traditional security awareness training remains stuck in the past for three key reasons:

First, it’s driven by compliance rather than behavior change. “You can’t fix humans… We need to check our compliance checkbox, and this is an easy way for us to do it,” is the typical CISO mindset Harley encountered.

Second, the market became commoditized. “You got into this vicious cycle of tooling and spend on tooling, where this training was dreadful. So it didn’t actually make a difference. And so CISOs said, well, I just need to check the box,” Harley observes.

Third, vendors stopped innovating meaningfully. “There were marginal innovations… But they are not fundamentally addressing the core issue of behavior change,” he notes.

The result? Security awareness became a checkbox exercise rather than a serious security strategy—despite being the top vulnerability for most organizations.

From VC to Founder: Harley’s Journey

Harley’s path to founding Anagram wasn’t straightforward. After studying engineering with an eye toward entrepreneurship, he realized his skill gap wasn’t in building products.

“The thing that was missing from my skill set was basically everything outside of the product building elements of starting a company. How do you build a team, how do you think about fundraising, how do you create a culture,” he explains.

This led him to venture capital at Bloomberg Beta, where he made a bold request to partner Karen Klein: “I’d love to work for you, but I want you to fire me in two years so that I go and start a company.”

She agreed, setting Harley on a path to explore opportunities in cybersecurity—a field he’d specialized in during his engineering career.

The Pivot that Changed Everything

Anagram wasn’t Harley’s first attempt at building a security company. Initially, his team built security training software for security professionals. But when many companies began implementing layoffs, keeping security teams lean, the market disappeared.

“The biggest decision that we made was pivoting,” Harley reflects. “I’m really proud of the fact that we very quickly made the decision to basically throw away all this work that we had done and move into this more general purpose awareness tool.”

The pivot paid off dramatically. “In the first three months of launching that product, we generated more revenue than we had in the past year of selling the first version,” he explains.

This willingness to adapt rapidly based on market feedback proved crucial to Anagram’s success and demonstrates a key lesson for founders: sometimes abandoning sunk costs is the best strategic decision.

Reimagining Security Awareness from the Ground Up

Anagram’s approach to security awareness differs fundamentally from traditional solutions in three key ways:

1. Personalized Training

“The new way is going to have very personalized training that is targeted towards a specific user, their specific roles and the tools and the threats that they are exposed to,” Harley explains. This contrasts sharply with the one-size-fits-all approach of traditional solutions.

2. Puzzle-Based Learning

Instead of passive videos and quizzes, Anagram uses what Harley calls “puzzle-based learning.”

“We focus on giving users little micro examples of the kind of thing that they are interacting with day in and day out and having them shift mindset and think about things through the lens of an attacker,” he explains.

This approach was inspired by capture-the-flag competitions in security culture, encouraging users to actively engage with potential threats.

3. In-the-Moment Training

Perhaps most innovative is Anagram’s contextual approach to training.

“Looking at the user’s workflow and proactively nudging them in the right direction,” Harley describes. “The analogy I use is Grammarly, not Clippy. We want to be in the user’s workflow, but in a very sort of subtle and thoughtful way.”

This approach acknowledges a crucial reality: “Security is a cost center, not a revenue center. And people just want to do their jobs. They need to make their company money.”

Reframing the Category: From Risk Mitigation to Human-Driven Security

A critical part of Anagram’s GTM strategy involves reframing how the industry thinks about human security.

The industry term “human risk management” frames employees as liabilities. “I hate that framing so much because it puts the onus on the human,” Harley says passionately. “It sees humans as risks to be mitigated.”

Instead, Anagram promotes “human-driven security,” which positions employees as assets rather than liabilities.

“Let’s actually take humans and make them a line of defense. Let’s take them and teach them how to spot and respond to these kinds of threats,” Harley explains.

This reframing isn’t just semantic—it represents a fundamental shift in how security teams approach their work and measure success.

The Land-and-Expand Go-to-Market Strategy

To overcome skepticism from security leaders accustomed to ineffective solutions, Anagram employs a methodical land-and-expand approach.

“We very much take a land and expand strategy where we’ll go in, augment a specific part of the program, show them that this is actually making a meaningful difference in the data, and then that becomes a very easy business case to make,” Harley describes.

This strategy leverages data to overcome the inertia of “it’s always been this way, it’s never worked, why is this going to work?”

Their customer acquisition relies primarily on traditional outbound methods: emails, LinkedIn outreach, and surprisingly, cold calling.

“I didn’t think we would get a single meeting booked from cold calls. But shockingly, it still seems to bear fruit,” Harley admits, reminding founders that even “old-school” tactics can still be effective outside the tech bubble.

The AI Challenge That Makes Human-Driven Security Essential

The rise of AI is making Anagram’s approach increasingly relevant. While AI enhances security tools, it disproportionately benefits attackers.

“AI is like a big wooden club for the defenders, but it’s like a machine gun for the attackers,” Harley explains vividly. “Now all of a sudden, I can generate a thousand fully personalized phishing emails going to a thousand different employees… with the click of a button and a language model.”

This evolution makes human training more critical than ever. “You can’t rely on your tools to catch everything now because the surface area of what they have to detect is just so much greater,” Harley points out.

The Future of Security Awareness

Looking ahead, Harley envisions a complete transformation of workplace security training within ten years.

“I think that we have completely changed the way that people treat human security at work. I think that we don’t do these annual or even these monthly training courses anymore. Phishing simulations are a thing of the past,” he predicts.

Instead, security will become integrated seamlessly into workers’ daily activities, nudging them toward safer behaviors without disrupting productivity.

For B2B founders, Anagram’s journey offers valuable lessons: identify market disconnects between stated problems and actual solutions, be willing to pivot when necessary, use data to overcome skepticism, and don’t be afraid to challenge fundamental industry assumptions.

As AI-powered attacks continue to evolve, Harley’s vision of human-driven security may not just be innovative—it may become essential for organizations seeking to protect their most valuable assets.