Ah, that's a better choice then. If they have no idea about security, both opsec and product, they should get someone who can help them get better (or take the risk and take no systematic approach to security). You're right, full CISO role is a bit too much, but someone who takes care about security and might have some internal power to say "don't do that insecure stuff". Security Manager sounds good.

(Ah, well, obviously I have no idea about startups ;))