Cybersecurity marketers are navigating a market where AI can generate content instantly, competitors can copy positioning overnight, and buyers are increasingly skeptical of vendor claims. For Karen Buffo, CMO of Veracode, the answer is not louder messaging. It is credibility, proof, third-party validation, and a willingness to push back on claims that are not defensible. In this Q&A, Buffo talks about how her team is using AI, what damages trust, and why cybersecurity marketing has to become more advisory, more educational, and more grounded in reality.
Q: You talked about how AI is changing everything. How is your marketing team using it?
Karen Buffo:
On my side, we’re using all kinds of AI. It’s making the team so productive. I’ve got a couple of tools that are proprietary to us that we can feed with everything — our brand, our messaging, everything — and then the team uses that to create campaigns, battle cards, everything.
I can put a whole campaign together in 10 minutes now. It gives me the email cadence, the blog, the white paper. You name it. You still iterate on it, but we can turn things around so fast right now.
I’m still learning like crazy. My head of product is masterful, and I learn from him every day. I’m like, how did you do that? He’s become a design partner for one of the tools because they reached out to him and said, basically, you’re a super user. He’s helping them evolve the application itself.
I’m getting better. I’m nowhere near what he’s capable of, but I’m learning every day. Sometimes I’m like, how did I exist without this?
Q: With all of that AI-generated content and noise, what does trust mean now in cybersecurity marketing?
Karen Buffo:
On the marketing side, people are going to ask, is this just smoke and mirrors? Is this real?
We need to prove what we’re saying is real. It has to be grounded in how we’re actually solving your biggest challenges. It’s not just marketing hype. Let me show you how it’s done, whether that’s a real demo or a walkthrough demo.
I’m a big believer in third-party attestation. Anytime I can get a third party — not me, because people don’t trust marketers, they think we spin everything — but if I can get somebody credible, like a customer using our technology, that matters. If they’re talking publicly, great. If they don’t want to talk publicly, peer-to-peer can be just as effective.
I’m a big proponent of peer-to-peer. Let me get you somebody on the phone who’s a peer in your industry so you can understand how they’re leveraging it. Public customer references are always hard in security because people don’t like to talk publicly, but peer-to-peer works.
Analysts matter too. Gartner, IDC, Forrester, and all the big firms, but also independent analysts. We also do technical validation where a third party tests and shows proof points.
For me, everything needs to be provable and defensible.
Q: What makes credibility harder in this current environment?
Karen Buffo:
AI can spin up anything and it looks real. I get caught. I’ll be mindlessly scrolling TikTok sometimes, and I’m thinking, that has to be AI, right?
The deepfakes and everything being put out there are getting so much better. You start asking, what do I believe in? What’s real? Did they just create that with an agent?
As a marketer, I have to be able to show what’s real. More than anything, third-party proof matters. I could create something with AI that makes it look like we can do the impossible, and people will say, come on, can your platform actually do that?
But if I have somebody saying, “I’m using this and my return on investment went from this to this, or my compliance was at 20 percent and totally in the red and now here’s where I am with the platform,” then you have credibility. People believe it.
It’s trickier now. It’s getting really, really hard.
Q: What is one example of cybersecurity marketing that instantly loses credibility?
Karen Buffo:
Putting claims out there that are ridiculous and unprovable. I think it ultimately hurts you in the long run because as soon as you put something out there and people think it’s just hype, it’s hard to regain trust.
You have to be very careful about what you put out there because you’re going to get the eye roll. People are going to think it’s a bunch of crap, and you’re going to lose credibility.
I’ll push back even on my own executive team because they’ll see competitors saying something and say, “We need to say the same thing.” I’m not saying anything that’s not credible.
One of the things I’m most proud of at Veracode is that our power and share of voice are always at the very top. People believe in my brand. They trust the brand. So I’m going to be very careful in keeping that trust.
Even if it means maybe I’m not first to market with something, I’d rather be credible because the trust in my brand is so strong.
Q: How are buyers changing the way they evaluate vendors?
Karen Buffo:
Everybody’s skeptical. I know I am, even when I buy as a consumer. The first thing I do is look at reviews. People put stuff out there and make it look amazing, and I’ll think, oh my God, I have to have that. Then I check myself and look at what other people are saying. If it has 80 percent one-star reviews, I’m not buying it.
That’s true on the enterprise side too. People are going to evaluate software more and more carefully. They don’t have unlimited budgets, and it’s really hard to rip and replace something.
You have to prove what you’re offering is real. That can be through trials, through POVs, through letting people experience the value out of the box. Not just demo it, but take a real use case from the customer and show it in their environment, using their data.
Then you point them to third-party validation, peer sites, analyst reports, customers, and peer-to-peer conversations. That helps overcome some of the noise and helps people understand that what we’re delivering is real, differentiated, and actually solving the pain points they’re experiencing.
Q: You said companies often focus too much on features. What should they focus on instead?
Karen Buffo:
Way too many companies focus on features and functionality, and nobody cares. It’s like, what does it do for me? I don’t care that you have a new tool. What’s the benefit? What am I going to get out of it?
Everything we do needs to be outcome based. Here’s your challenge, and this is how we solve it. Then you can get to the technology. But you start with the outcome and how you solve their challenges.
Q: Are cybersecurity marketers being forced to become educators again?
Karen Buffo:
Yes, I do think so in a lot of ways.
I have an advantage in that Veracode has been at this for 20 years. We have deep expertise and have led the market in so many ways. That foundation helps.
But the world is changing so fast, and the things we’re bringing to market are new. So yes, I need to educate. Outcome-based education is key. Not, “I’ve got this new tool and here are the features and functionality.” It’s more like, “Here’s what’s happening with AI, here’s what’s happening with open source, here are the things happening in today’s environment.”
It shows you have a pulse on the current challenges people are facing. Then you educate them on what’s needed to overcome those challenges, and then how you can help.
I’m trying to educate myself too because things are moving so fast. I’m trying to understand what’s happening with agents. Is agentic even real? How far away is that? What does that mean?
It’s important to take an advisory approach. Be a strategic advisor in that education. I don’t want to be a fearmonger, because people become skeptical when you do that. I want them to understand I’m here to help.
Q: What content formats help you build that trust?
Karen Buffo:
We do a lot of video because we’re a TV society. People want to see it.
We do customer testimonial videos, demos, walkthroughs. Walkthrough demos are one of our higher-performing assets because they allow people to experience the platform, walk through it themselves, and see how they would leverage it and use it.
We’re on every social network for the most part. We’re on YouTube. We’re doing those things. And I do a lot of A/B testing. We brought in some new tools that help us do better A/B testing so we can really understand what’s resonating, then tweak and change things quickly.
You have to be flexible and able to pivot quickly. Sometimes the results are surprising. I’ll think one thing will outperform, and then it doesn’t.
Q: You also mentioned learning from other cybersecurity marketers. Why has that become more important?
Karen Buffo:
I’m trying to do more on the networking side. I never did much of that before, and then I started learning that marketers have a lot to share.
I’m talking to other CMOs and asking, what are you doing? What’s working for you? I’ve participated in different networking groups and started presenting at more conferences, sharing what’s working for me.
I presented recently at CyberMarketingCon and met a ton of peers. It was great because I learned a lot from them. It was very interesting to see what other people were doing and what was working for them.
We’re all so busy, so I used to get invited to things and think, I don’t have time for this. But now I’m trying to make the time for a select few because I’ve learned interesting things from other people that I want to try.
Learning from others is really important.
Q: What will separate cybersecurity brands people trust from the ones they ignore?
Karen Buffo:
You have to truly solve their problems. It has to be real. It can’t be smoke and mirrors.
You also have to show them you understand where things are going. We’re doing something right now where we’re showing customers their risk. Here’s your potential risk right now. Here’s where you’re not compliant. Here’s what’s happening in your environment. Here are the possible ramifications, whether that’s fines or prosecution or other consequences.
A lot of them are blind to it because things are moving so fast.
We approach it as, we want to help you. We want to help you get from being in the red and not compliant to where you should be. We want to be a strategic adviser. I’m not trying to just sell you something.
That helps them understand, “Wait, I wasn’t thinking about that.” You do have a pulse on the market. They think, “I do trust you because I’ve been with you for several years, and you’ve led the market through these pivotal moments.”
It’s walking the walk. They have to trust you and understand that you’re there to help, not just chasing the next dollar.
As AI accelerates both cybersecurity innovation and cybersecurity marketing, Buffo believes the companies that stand out will be the ones that can back up their claims with real proof, real outcomes, and real customer value. In an environment where buyers are increasingly skeptical and content is easier than ever to generate, she sees credibility, education, and third-party validation becoming more important than ever. For cybersecurity marketers, that means focusing less on hype and more on helping customers understand what’s changing, what matters, and how to navigate it.
About Karen Buffo
Karen Buffo is Chief Marketing Officer at Veracode, where she leads global marketing strategy and brand growth for one of the cybersecurity industry’s most established application security platforms. With deep experience in enterprise technology and cybersecurity marketing, she focuses on helping organizations build trust through outcome-driven messaging, customer advocacy, and market education.