Training executives in cybersecurity? Fine. But not like this.
Today, some top business schools pride themselves on adding a cybersecurity module to their management programmes. EM Lyon, HEC, ESCP: they have all understood that digital security is now a strategic subject. Good.

Today, some top business schools pride themselves on adding a cybersecurity module to their management programmes. EM Lyon, HEC, ESCP: they have all understood that digital security is now a strategic subject. Good.
But let's not kid ourselves: we are still scratching the surface. We sprinkle on a little "risk culture", we run two crisis simulations, and we think we have trained "cyber-aware" managers.
That is not enough. It is not equal to the stakes.
Cybersecurity does not boil down to an optional course
Training people in cybersecurity is not about showing a few slides on ransomware or running a case study on a fake breach. Nor is it about ticking a box on an ISO compliance grid.
Training people in cybersecurity means changing the way we look at the digital world.
It means training people to see the flaws, in the systems, in the teams, in the behaviours. It means understanding that a software bug can trigger a social crisis, that an Excel file can wreck a reputation, that a poorly protected password can bring a company down.
And above all: it means learning to think outside the frame.

Hackers are artists
I know this because I am one. Because I grew up in that culture where you learn on your own, where you take systems apart to understand how they work. Because I have spent time with brilliant, curious hackers, sometimes on the margins, but driven by a thirst for knowledge that no programme ever gave them.
The hacker is not a thief. The hacker is a craftsman of doubt, an architect of the flaw. Someone who searches, tests, gets it wrong, starts again. Someone who sees what others do not see. A critical mind above all.
And that is exactly what we need in executive committees.
The leaders of tomorrow
They are not technicians, but cyber strategists.
We do not need every executive to be a technical expert. But they must understand the fundamental mechanics of the digital world: architecture, dependencies, exposure, value chain. It is not about knowing how to code. It is about knowing how to ask their CISO the right questions.
It is also about getting past technocratic naivety: no, cybersecurity does not boil down to "buying a solution". No, the cloud is not secure by default. No, GDPR compliance does not protect you from cyberattacks.
Cybersecurity is not a product. It is a culture.
My proposal: a real paradigm shift
If we want leaders who are competent in the face of cyber risk, we have to go further than business schools do today.
Here is what I propose:
Bring voices from the field into the lecture halls: vulnerability researchers, independent experts, former hackers, whistleblowers. The ones we do not invite often enough, because they do not fit the corporate mould.
Create a national cyber apprenticeship programme, where future decision-makers spend time alongside cybersecurity professionals. Not in a classroom: in the field, in the SOCs, the CSIRTs, the crisis units.
Integrate hacker thinking into management training. Not to train pirates, but to introduce the logic of workarounds, vulnerability analysis and digital creativity.
Cross the disciplines: law, sociology, philosophy, design, cybersecurity. Because attacks exploit human, social and political flaws. Systemic thinking is needed.
Thinking of cybersecurity as strategic thinking
What I am defending here is not an educational gadget. It is a strategic emergency.
Digital crises are no longer exceptions: they are the background noise of the modern world. Security can no longer be handed to an IT department disconnected from the business stakes. Cybersecurity is a governance subject. It puts liability, reputation and relationships with clients, partners and states on the line.
We need leaders who are clear-eyed, critical, agile, able to understand the invisible. Able to navigate uncertainty without waiting for an audit to react. And able to work with experts, not to steer them from a distance.
It is time to hack the schools
Training people in cybersecurity is not about running a course. It is about reforming the way we train the elites. It is about breaking the silos between technical and strategic. It is about valuing atypical profiles, non-linear experiences, alternative visions.
It is about telling younger generations that they can understand the digital world differently. That they can make it a tool of sovereignty, of resilience, of freedom.
And that for this, we need to hack teaching itself.
Discover my appearances in the press and media
Questions fréquentes
Is it enough to add a cybersecurity module in management schools?
No. It is a good start, but we stay at the surface: sprinkling on some risk culture and running two crisis simulations is not enough to train leaders who are equal to the stakes.
Does an executive need to be a technical cybersecurity expert?
No. They do not need to know how to code, but to understand the fundamental mechanics of the digital world, architecture, dependencies, exposure, value chain, so they can ask their CISO the right questions.
Why talk about "hacker thinking" for executives?
The hacker is a critical mind, a craftsman of doubt who searches, tests and sees the flaws others do not see. This is exactly the logic of workarounds and vulnerability analysis that executive committees need.
What concrete proposals are there to better train executives?
Bring field voices into the lecture halls (researchers, independent experts, former hackers, whistleblowers), create a national cyber apprenticeship programme in the field, integrate hacker thinking and cross the disciplines (law, sociology, philosophy, design).
Is cybersecurity an IT subject or a governance subject?
It is a governance subject. It can no longer be handed to an IT department disconnected from the business: it puts liability, reputation and relationships with clients, partners and states on the line.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
