Q: How does the recent acquisition of Acuvity change the company’s value proposition in the Mexican market?
A: Proofpoint was founded in email security and effectively created that category, establishing itself as a market leader for over 20 years. About a decade ago, we began to recognize the growing importance of the human factor in cybersecurity. We understand that individuals represent both a critical line of defense and a significant source of risk within an organization. On one hand, employees must be able to identify potential cyber threats appropriately. On the other hand, there is also the dimension of insider risk.
Organizations must be able to detect behavioral signals that may indicate potential threats, such as unusual data downloads, changes in file naming conventions involving sensitive information, or patterns that deviate from normal activity. These signals serve as early warning indicators that enable organizations to act proactively and protect sensitive data.
This focus on the human factor has been central to Proofpoint’s continued leadership over the past decade. We are entering a third phase of evolution driven by agentic AI. We see strong parallels between the risks we have historically managed at the human level and those emerging in the world of AI agents and Generative AI assistants. Just as individuals can be targeted through social engineering, AI agents can be manipulated through prompt engineering. Both humans and agents operate with identities, permissions, and privileges that can be compromised. Additionally, just as a person may unknowingly execute malicious code, an AI agent can also be induced to perform harmful actions.
In Mexico, we are already seeing rapid adoption of AI technologies. By 2027, about 93% of organizations are expected to have deployed AI agents. Businesses are eager to transform, differentiate themselves, and improve efficiency through these tools. However, while adoption is advancing quickly, many organizations are not yet fully addressing the associated security implications or ensuring that proper controls, governance, and policies are in place.
Q: In an ecosystem saturated with security providers, what is the competitive differentiator that allows Proofpoint to be the trusted partner of more than 80 Fortune 100 companies?
A: Our primary differentiator lies in our ability to understand and translate human risk into a technical and digital context. This applies particularly to identifying malicious intent in communications. Ten years ago, email security solutions focused on detecting malicious attachments or suspicious links. However, now there is often neither an attachment nor a URL, just a short message with clear intent. The challenge is how to detect risk that is embedded in behavior and semantics rather than in technical indicators.
This is where Proofpoint has significantly evolved. We have enhanced our capabilities to detect risk at the level of human behavior and intent. Achieving this requires advanced AI, specifically language models. For example, we have integrated multiple new language models into our platform to address emerging threats that did not exist in the past. This continuous evolution allows our solutions to remain effective as threats become more sophisticated.
Cyber risks are no longer confined to purely technical environments. They increasingly operate within business processes, supply chains, and organizational workflows. Our approach enables us to detect and mitigate these risks in a way that aligns with how modern threats actually manifest.
Q: How does Proofpoint balance its growth and technology acquisition strategy with the need to offer solutions that have a clear and measurable return on investment (ROI) for local CFOs?
A: This is always a central discussion. Many stakeholders, particularly those in finance, tend to question cybersecurity spending, as they look for clear indicators of return and profitability. However, the role of the CISO has evolved significantly in recent years. Cybersecurity is no longer just a cost center; it has become a business enabler and an accelerator of growth. As organizations adopt technologies such as AI, automation, and digital agents, the potential consequences of inadequate security become far more severe. These may include the loss of intellectual property, operational disruption, or even a direct impact on the company’s overall value.
The mistake lies in adopting technologies such as Generative AI without fully considering the associated risks and implications for the business. Cybersecurity must be integrated from the outset, not treated as an afterthought. In this context, the role of the CISO is increasingly focused on communicating risk effectively — both within the organization and at the board level. It is about helping leadership understand that cybersecurity is not a barrier, but rather a key enabler of secure digital transformation.
While there is still work to be made, we are seeing more CISOs gaining a seat at the executive table and contributing to strategic decision-making. This marks a significant shift from the past, when cybersecurity was often confined to IT functions with limited visibility. Its role within organizations is becoming increasingly critical.
Q: How does Proofpoint Satori solve the dilemma of allowing AI agents to access critical data without compromising the integrity of company assets?
A: Satori is part of a broader strategy within the Proofpoint platform to secure what we refer to as the agentic ecosystem. This approach is not limited to a single solution, but rather encompasses multiple components. First, there is the aspect of AI governance. Second, there are existing and evolving capabilities in data protection. Third, we have incorporated new capabilities, such as those derived from the acquisition of technologies designed to implement what are commonly referred to as “guardrails.” These guardrails establish clear boundaries around what AI agents can and cannot do, including what data they can access and with whom they can share it.
This is particularly important because AI agents do not operate in a fully deterministic manner. Unlike traditional systems, they do not always follow a predefined set of steps. Their autonomy introduces a level of unpredictability, which becomes a significant concern when these agents are granted access to sensitive corporate data. By combining governance, data protection, and guardrail mechanisms, we enable organizations to adopt AI securely from the outset. This ensures that security is embedded into the design and deployment of these technologies, rather than added later. At the same time, there is a separate but equally critical challenge in cybersecurity operations: the shortage of skilled talent. Organizations increasingly struggle to find professionals with the expertise required to manage and respond to daily cybersecurity demands, such as alert triage, incident response, and ongoing system monitoring.
This is where Satori plays a distinct role. Satori is Proofpoint’s AI-driven agent designed to support cybersecurity operations. It enhances efficiency by automating routine and time-consuming tasks, allowing teams to focus on higher-value activities. For example, instead of requiring highly specialized personnel to manually analyze large volumes of alerts, users can interact with Satori through natural language queries, such as identifying the most critical incidents that require immediate attention. In doing so, Satori reduces the dependency on highly specialized talent, lowers the operational barrier, and makes cybersecurity management more accessible. Ultimately, it enables organizations to operate more efficiently while maintaining a strong security posture.
Q: What actions should companies take to ensure the successful deployment of AI initiatives?
A: Virtually every organization we engage with is actively exploring or implementing AI-driven initiatives. The primary challenge lies in data readiness. For AI agents to operate effectively, the underlying data architecture must be properly structured and accessible. Many organizations still rely on legacy systems, particularly in their data lakes and databases, which can slow down or complicate adoption. What the agent is expected to consume must be prepared and organized in advance. Without this foundation, scaling AI initiatives becomes significantly more difficult.
That said, we are seeing widespread adoption across a variety of use cases that extend beyond purely technical domains. For example, AI agents are being deployed to support legal teams, human resources, financial analysis, and customer service, particularly through AI-enabled chatbots.
Where we do observe some friction is when security teams appropriately challenge deployments that are not designed with security in mind from the outset. In many cases, organizations move quickly to implement AI solutions and only consider security at a later stage, often just before going into production. This approach introduces risk. Security must be embedded from the design phase, ensuring that governance, controls, and protections are in place before deployment.
Q: The Voice of the CISO 2025 report reveals that Mexico ranks first in the world in identifying the human factor as its main vulnerability. What actions are necessary to enhance safe behavior?
A: This reflects a growing awareness that more needs to be done in terms of cybersecurity education and awareness in Mexico. While organizations recognize that the human factor is a key vulnerability, there is still work to be done to ensure that knowledge translates into consistent, secure behavior.
Cybersecurity is a shared responsibility across the organization. Every employee plays a role in protecting the company, and strengthening that sense of accountability is essential. This represents both a challenge and an opportunity for organizations to reinforce their security culture.
Q: Most Mexican CISOs anticipate a material attack in the next 12 months. What responsibility does senior management have to reduce exposure?
A: CISOs are fully aware that an attack is not a possibility, but an inevitability. The question is not whether an attack will occur, but rather where and how the organization will absorb the impact. Organizations cannot always invest in securing every single asset, process, and user at the same level. A full cybersecurity stack — covering infrastructure, identity protection, patch management, and threat prevention — requires significant resources. As a result, companies must make strategic decisions based on cost-benefit and risk mitigation analyses.
Organizations must identify their most critical processes and allocate resources accordingly. In some cases, this may mean accepting a certain level of risk in less critical areas. For example, one organization may determine that a large portion of its revenue depends on specific business processes. In that case, it will focus its cybersecurity investments on fully protecting those areas, ensuring that any potential attack does not disrupt what is essential to the company’s operations.
Q: How is the adoption of Generative AI reshaping the Mexican market?
A: The market is moving fast and is now quite different from what it was a year ago. At that time, many organizations were still evaluating Generative AI and, in many cases, restricting its use entirely. However, this has changed significantly. Now most companies are allowing at least one controlled solution within their environment, typically the one embedded in their collaboration platforms. This shift is driven by a better understanding that these tools operate within controlled environments, where data remains within the organization’s existing privacy and security frameworks. Most organizations are moving toward selective enablement rather than full restriction.
It is also important to distinguish between two key use cases. The first is the assistant model: tools that enhance employee productivity, such as conversational interfaces. These have been adopted quickly because they are easy to deploy and deliver immediate value. The second is autonomous agents, which are designed to transform business processes. Adoption in this area is progressing more gradually, as it requires greater preparation, including data readiness, defined use cases, and validation of outcomes. As a result, the time to market for agents typically lags behind that of assistants by several months. However, we are already seeing organizations piloting these use cases and preparing for broader deployment. The momentum is clear, and adoption is expected to continue accelerating.
Q: What are the key pillars or strategic priorities that Proofpoint is focusing on in the Mexican market?
A: Organizations are asking how to begin and how to structure their strategy. In response, we typically outline four key recommendations. First, organizations must establish visibility and trust in communications. This extends beyond email to include chats, interactions between individuals and agents, and even agent-to-agent communication. It is essential to monitor these interactions and detect or block any activity that may pose a risk.
Second, organizations need full visibility into their data. This means understanding what data they have, where it resides, and how it is distributed across platforms such as cloud environments and collaboration tools. Third, it is critical to implement governance over AI agents by defining clear boundaries: what they are allowed to do, what data they can access, and how they can interact with users. Given the autonomous nature of these systems, this level of control is essential to prevent unintended outcomes.
Finally, organizations should leverage AI to strengthen their own cybersecurity operations. As the industry continues to face a shortage of skilled talent, AI can help improve efficiency and support teams in managing increasingly complex environments. Together, these pillars provide a structured approach for organizations to adopt AI securely while maintaining control over risk and enabling long-term competitiveness.
