With over 30 years of experience in cybersecurity – as a CEO, investor, and trusted advisor – Jim Pflaging has a unique and detailed perspective on the cyber industry. Jim has served on over 20 Boards and, as CEO and Board member, he has participated in 13 exits with a combined enterprise value of over $15 billion.
His current company, Cynergy Partners, focuses exclusively on cybersecurity – helping new and established vendors navigate growth, and advising enterprise Boards and CISOs on managing their cybersecurity governance.
Jim kindly met with our Global Technology and Software Partners, John Smith and Tim Chamberlain, to share his insights on the cybersecurity landscape, the impact of AI, and the key traits that define great companies.
What trends are shaping the cybersecurity landscape today?
Cybersecurity has evolved from a niche market to one that is central to most board risk discussions and, more recently, a critical element of national security and economic well-being. Over the years, I developed a model called “The Three Ts of Cybersecurity” to frame how we can anticipate cybersecurity evolution and its impact on our future:
– Technology (each wave of Innovation brings opportunity AND risks),
– Threat (Actors ranging from lone wolves to nation-states with a vast range of motivations and capabilities),
– Trust (without which commerce, governance, and society break down).
The 3 T’s help explain why cyber risks are rapidly intensifying in volume, complexity, and impact – and that’s forcing companies and governments to rethink how they defend themselves. For instance, AI is changing the way we work and live. On the other hand, AI is a godsend for attackers. As a result of this never-ending spiral of complexity and potential risk, technology buyers and vendors are fundamentally rethinking their approaches.
From a security vendor perspective, the largest vendors are positioning themselves as ‘1-stop-shops’ (the trendy term is ‘platformization’) as a response to complexity and risk. Expect the largest vendors to become aggressive buyers in the M&A market in order to expand their ‘platforms’. In many respects, this is a natural evolution of a maturing market.
From a customer perspective, expect the largest to continue buying best-in-breed products. They have the budget, expertise, and regulatory mandates to make this path work.
For everyone else – small, medium, and mid-sized enterprises – the shift is toward “security delivered as a service.” The traditional separation between product and services companies is blurring, focusing on operational outcomes rather than tools. Terms like ‘XDR’, ‘MDR’, and ‘MSSP’ all point to this convergence of tech and services, aimed at buyers who can’t manage complex security stacks internally and will rely on external providers instead.
In parallel, two critical infrastructure areas are undergoing reinvention:
– Security Operations Centres (SoC) are evolving, especially as tools like XDR and next-gen SIEM compete to be the new “source of truth” for security data.
– Identity is becoming the centrepiece of the modern SoC. Where identity used to live under the CIO, it’s now a CISO-level responsibility. The once-siloed landscape – authentication, privilege management, governance – is converging into unified platforms, especially to support SaaS-first, cloud-native environments.
I also see growing regional divergence. In Europe, data sovereignty and privacy concerns drive a renaissance in on-prem solutions. Enterprises are increasingly hesitant to send logs or security data to the cloud, both due to privacy concerns and sheer cost. This trend is now spilling into how AI is adopted as well.
How is AI impacting the security vendor landscape?
AI is reaffirming what Marc Andreessen said years ago: software is eating the world. And with AI, it’s evolving and accelerating again. If the first generation of software ran the back office and the second generation powered the business via SaaS, the third generation – AI-driven agents and inference – is about reinventing the business itself.
This shift will impact every security vendor. But to succeed in this era, vendors need two things:
1. A defensible moat, which starts with proprietary data. The more unique and networked your data is, the more valuable and accurate your AI becomes.
2. Cost advantage. Companies using open-source tools, small language models (rather than massive LLMs), and efficient infrastructure will have a significant edge.
Not surprisingly, AI is also spawning a wave of startups that are challenging the old guard across core domains like SoC, identity, and threat detection. Some recent examples that I have seen include:
– Agent-based models trained on proprietary data
– Small, industry-specific LLMs that run locally
– AI co-pilots for threat hunting, detection, and response.
Companies that win will focus on tight vertical use cases, show clear ROI, and embed AI deeply within the product, not just as a bolt-on. My advice is to forget generic “AI for security.” Be focused, own your data and build for outcomes. Whether you are an established vendor or a new entrant, the key constraint in AI is compute. Access to GPUs defines the battlefield, but cost and data strategy will ultimately determine the winners.
What are the security implications of AI for the enterprise?
The risks are real—and growing. Since the rise of ChatGPT, there’s been an explosion in socially engineered threats, with attackers now generating persuasive phishing emails, often free of spelling errors or “tells.” Within hours of the Zelensky–Trump Oval Office meeting, a video link was circulated via email, looking very legitimate. One click, and malware was installed. Thirty per cent of malicious emails today are AI-generated, just one of many new threat vectors.
Enterprises are also grappling with governance: how to safely experiment with AI without exposing sensitive data or intellectual property. There is one critical question: “How do we safely leverage the knowledge of the firm?” Every department is affected, but developers are a focal point. Many developers are using AI-powered code assistants. But how do companies manage developer risk? Are AI tools improving good coders or helping poor coders create insecure software faster?
In Europe, especially, concerns about data control and AI model privacy are accelerating the move toward small, on-prem language models, tailored to an enterprise’s own data—rather than sending sensitive information into public LLMs. This divergence between Europe and the U.S. appears to be a growing fault line.
What makes a great scale-up and what advice do you have for Founders and CEOs?
I boil it down to a few key patterns:
– Growth + Profitability: In software more broadly, the bar has moved from the Rule of 40 to the Rule of 50. Companies that hit this threshold are rare and highly valued. Those who miss, mainly by lowering guidance, get punished hard.
– Customer Retention: Great companies have 90%+ gross retention, and ideally 95%+ in cybersecurity. It shows product value and a foundation for healthy net revenue expansion.
– Customer Orientation: Great companies market to the customer’s problem, not their product functionality. “If buyers believe you understand their pain, they’ll engage. If all they see is a feature dump, they tune out.”
– Culture: “Culture eats strategy every time.” Loyal, focused, and productive teams are the core of lasting success.
– Go-to-Market Design: High-performing companies invest in dedicated customer success teams and build pricing and packaging that encourage fast time-to-value. Also, don’t underestimate the impact that channel partners and MSSPs can have in helping you scale.
– AI-Native Mindset: Lastly, great companies today have AI at the core – not as an add-on. From product strategy to pricing to security architecture, AI needs to be built in, not bolted on as an afterthought.