Like so many of us, Cindy Valladares fell into cybersecurity. 17 years later, she’s still here, and she wouldn’t have it any other way.
Now Head of Brand, Community, and Communications at Filigran, Cindy has built her career across some of the industry’s most recognizable brands: Tripwire, Onapsis, and Cisco, where she went from a team of 300 to a workforce of 80,000.
We spoke about AI’s impact on trust and brand, the ungated content dilemma, and why the industry needs to do away with jargon for good.
How did you start in cybersecurity marketing, and how did you get to where you are today?
I would love to tell you it was deliberate, that I was targeting cybersecurity because I thought it was a fascinating industry. But at the beginning, it was just another product marketing role. I was bored in a previous job, not learning enough, and a new opportunity came up. It happened to be in cybersecurity.
Once I got into it, I was hooked. There’s never an opportunity to be bored in this space. The community pulled me in, and I transitioned from product marketing into brand and corporate communications, which I loved (and still do). Looking back, I’d say it was written in the stars, and I didn’t realize it until later.
Seventeen years in, and it’s still full of opportunities to learn. You’re always on your toes.
You’ve been in different environments over those 17 years. Walk me through the journey.
I started at Tripwire, where I held a few different roles: solutions marketing, product marketing, social media, corporate comms, customer advocacy. Then I went to lead the product marketing team at Onapsis, focused on ERP security, a very niche area.
Cisco was the biggest difference for me; I’d never been in a company that large and matrixed. I was used to companies of around 300 people, so going to 80,000 was quite an adjustment. I met someone new every day and still hadn’t met everyone by the time I left.
After Cisco, I spent about 15 months doing contract work, mostly strategy and content-focused, with various security companies and startups, and now I’ve been at Filigran for about three months. The company is growing fast: we started the year with 200 people, and the goal is to finish with over 300 and double revenue. I had a blank slate to carve my space, which is an exciting place to be.
What’s been the biggest shift in how cybersecurity buyers evaluate vendors compared to five years ago?
Some things haven’t changed at all. Security buyers are a skeptical group. Word of mouth, peer recommendations, building relationships. These have always been part of the buying cycle, and they still are.
What has changed is AI. When people search online now, the first results they see are AI-powered. That puts a lot more emphasis on being cited by trusted sources. It’s shifting the balance back towards communications and PR, towards trust earned over time, rather than demand gen tactics alone. It’s also why analyst recognition matters more now. Being cited in a Forrester or Gartner evaluation isn’t just a sales tool — it feeds directly into how AI search surfaces you as a credible answer.
I’ve been in organizations where 95% of the budget goes to demand gen or lead gen, with very little left for brand and communications. That mix has never made sense to me. AI search is making that case harder to ignore than ever.
How are you using AI internally to create content, and what should never be touched by it?
The “never touch” question is a difficult one, because with the right guardrails, there’s no question that AI can make almost any process more efficient. But without the right guardrails or proper verification, your data might be wrong and your conclusions biased.
I use it for brainstorming and editing, not as a starting point for a finished piece. I don’t just say “here’s a topic, give me a response.” Those results tend to be very obviously AI, and people can smell them from a mile away.
What I find useful is giving it a problem and a user profile and asking for topic ideas. Or using it to smooth text flow once something’s already written. I also challenge the outputs: if I disagree with something in a response, I’ll ask why it included it. Often AI will acknowledge I’m right (so does my husband), which raises the obvious question of why it suggested it in the first place.
We’re also using AI in more structured ways at Filigran. We’re working on our State of Threat Management Report, and a colleague built an AI agent to surface regional and vertical differences from raw survey data. We don’t have a data scientist in-house, so for providing insights that a plain reading of the data would miss, it was genuinely valuable.
Are you measuring your brand visibility in AI search yet?
Honestly, I’m figuring it out.
I’ve built LLM visibility into my metrics dashboard. I want to showcase that we’re making a difference – here’s where we were, here’s where we are now. Going beyond the traditional share of voice charts that you can pull from PR reports.
Really, I want to find out what’s making the difference. Is it the content that we’re producing? The comments that we’re sharing? Or the articles that we’re writing? I haven’t cracked that yet, but it’s my plan.
Which marketing activities are influencing revenue, and which ones keep getting budget even when the link is hard to prove?
Marketing is always a mix of art and science. You will never get all the answers from a purely quantitative point of view.
Throughout my career, I’ve made deliberate choices to ungate some content. At Cisco, we removed form fills for our biggest thought leadership asset, the State of Security Report. Sure, that makes attribution harder. But then a prospect says, “I read your report” or “I saw you at that event,” and you can’t trace it in a CRM. That’s the trade-off. I’m not suggesting that we stop tracking entirely. Because if someone gave us $100,000 tomorrow, we need to know where we’d spend it.
I think the other component is our community. We have spent a lot of love and nurturing hours with that community, and they see that, they feel that. Not every community member will become a prospect we can sell to, but word of mouth carries.
The fact that our solutions are open source is a powerful and unusual marketing resource. Filigran’s community has over 6,500 Slack members, a public roadmap users can vote on, and an ecosystem (XTM Hub, Filigran Academy) that competitors simply don’t have. Additionally, our solutions are not in a black box, so even complex organizations, whether they’re the Ministry of Defense or the FBI, can look under the hood before they buy. That creates differentiation and drives revenue. This is an example of word of mouth and trust – and the impact is hard to quantify on a dashboard.
Maybe it’s because I love it, but I’ll always fund customer advocacy and thought leadership, even without a direct line to revenue. That word of mouth I was talking about, from peers, not vendors, is still the most credible thing in this market. And thought leadership that educates and builds trust is essential to everything else working.
If you could reallocate 20% of your budget to one initiative tomorrow, what would it be?
It depends entirely on the problem you’re trying to solve.
If you have a pipeline problem, spend on things that drive the pipeline. If you have a deal acceleration problem, spend it on sales enablement, or removing things that block sales. If you’re in a new space, like Filigran is, make more noise on the brand and communication side of things. At Cisco, we were synonymous with networking, not security, so we invested in reshaping our brand.
At Filigran right now, we’re seeing nearly 4x North America revenue growth and 119% net revenue retention — which tells you the product is working. The job now is making sure the market knows it. So, the answer for us is both brand and pipeline acceleration, working together.
What’s the uncomfortable truth about cybersecurity marketing most won’t say out loud?
We’re still too jargony. There needs to be more human-centric marketing in this industry, and most of us aren’t doing it. We still lead with FUD at times. And we all sound alike: the logo swap is real. You could swap the logo on most vendors’ messaging and not know who you were looking at.
And here’s another one: almost no one talks about crisis communications until they need it. In cybersecurity, that’s a real problem. You’re selling to organizations that deal with breaches, nation-state attacks, critical infrastructure failures. And yet most vendors haven’t thought through what happens when something goes wrong on their own side.
Brand is not just what you say when things are going well. It’s whether people trust you when they’re not. Building that infrastructure before you need it, the messaging frameworks, the escalation paths, the spokesperson preparation, that’s unglamorous work that never shows up in a pipeline report. But it’s foundational.
Cindy Valladares is Head of Brand, Community, and Communications at Filigran. She has 17 years of experience in cybersecurity marketing, having previously held roles at Tripwire, Onapsis, and Cisco.
ABOUT BORA
We’re Bora. We work with security companies to turn complex technical capabilities into clear, credible market narratives.