That's not a skills gap. It's a thinking gap.
Security consultants and in-house engineers learn to find problems. They're not taught to design the organizational answer to them. That shift, from executing security tasks to structuring a security posture, takes time. Or it takes someone who's been there walking them through it.
I work with your consultants or employees. Over four weeks, they learn to think like architects, produce the kind of deliverables that hold up in front of a CISO or a steering committee, and then shadow a real engagement to see how it works under actual conditions.
They're good at it.
What clients increasingly ask for is something different: someone who can define what Secure by Design means for their context, get teams to apply it before problems happen, and explain the residual risk to management in plain language.
That's not a certification. It's a posture. And it's teachable.
Nothing on this list is theory I haven't lived myself inside large organizations and as a consultant. Each phase builds on the last. Each one produces something real.
Before you can protect anything, you need to understand what you're protecting and why. Most security people skip this and spend years fighting the wrong battles.
The CIA triad. Impact types: financial, operational, reputational, legal, physical. Real incident stories from 15 years inside enterprises: employees deleting servers, CISOs spying on CEOs, phishing attacks on Christmas Eve, call centers stealing customer data.
Then we go wider: every attack vector attackers actually use against Windows endpoints, Linux servers, Active Directory, and cloud infrastructure (Azure, GCP, M365), and the countermeasures (preventive, detective, corrective) that neutralize each one.
By the end of this phase your people will see the full spectrum of what can go wrong, know how attackers move on every major surface, and evaluate each risk by probability and impact the way companies actually need them to.
The single most important skill: how to become the person everyone consults before making IT decisions. This is what turns a security professional into someone the business cannot route around.
How to get informed early about IT needs. How to evaluate risks of proposed solutions. How to propose security measures that get accepted. How to get formal risk acceptance from business owners. The documentation that saves your career the day something breaks.
We learn the process by dissecting the disasters that happen when it's missing: the first CISO who discovers shadow IT across the entire company, the security approval given over coffee that leads to a breach, the VPN failure costing 250,000 euros per day. Each case comes from inside enterprises I've lived through, and we rehearse the conversations against real stakeholders.
Your people will walk out of this phase running the exact process that turns them from "the security guy" into the checkpoint no project can bypass.
The 2026 architect problem: every company is racing to deploy AI agents inside IT support. Almost none have risk-analyzed them. This is the exact question your team will be asked to answer.
Identify the threat actors: the prompt injection attacker, the malicious end-user, the compromised third-party connector, the over-permissioned agent itself. Map attack scenarios: data exfiltration via tool calls, privilege escalation through ticket creation, social-engineering the model into resetting the wrong password, leaking PII through chat history. Design the full control taxonomy (preventive, detective, corrective, deterrent, compensatory) against each scenario. Build the risk register an executive committee will actually sign.
I review the work line by line.
Your people will leave this phase with a complete AI-agent risk analysis they can show any client, plus a methodology that transfers to any IT project they'll encounter.
The last phase is different. No exercises. No structured content.
Your consultant brings a real task from their current job or client engagement. We work on it together, me alongside them, not ahead of them. I watch how they think, where they hesitate, what they miss. I ask the questions that help them find the answer, rather than giving it.
This is where the framework becomes instinct. And the only way that happens is on real work, under real conditions.
1-on-1 or Small Group · 4-Week Program · Remote
I've spent fifteen years in cybersecurity across large and medium organizations in every sector: finance, retail, industry, public services, high-tech startups. I started as a consultant (IT financial auditor, compliance for internal control, forensic investigator, pentester, security analyst), then moved inside as a security architect. For the last 7 years I've been doing this for international retail companies across the globe (Americas, Europe, Asia, Africa, Australia), designing security for strategic projects: infrastructure core services, cloud and data platforms, API-first strategies, SAP migrations, and more. I've taught this Secure by Design methodology at Paris 1 Panthéon-Sorbonne University. I also founded dmarc-expert.com, an email security SaaS used by large companies. I know how hard it is to get security taken seriously before something breaks. I know what it takes to shift a team's habits.
This program doesn't promise miracles. It gives your people a structured path and someone to work through it with them.
If they put the work in, the change is visible. If they don't, no program will fix that. That's the deal, and it's the only one I'd ever offer you.
Security consultants, in-house security engineers, or technical IT generalists who are expected to give security guidance but haven't been trained to structure it. They need to be technically comfortable but don't need to be senior. The program works best when they have at least one current project or client context to bring to the work.
Yes. I work in small groups of two or three when the participants come from the same team or firm. More than that and the work loses its depth: everyone needs real feedback on their actual reasoning, not a group presentation.
Roughly half a day per week for the structured phases, plus whatever time they put into the exercises. It's designed to run alongside their current work, not replace it.
Remote, via video call and shared documents. If you're based near the North of Spain, the South of France, or close to an international airport and prefer in-person for some sessions, that's something we can discuss.
You'll see it in how your people talk about security decisions, and how their clients respond. The clearest signal is when a project team starts consulting them before a problem appears, rather than after. That shift doesn't happen overnight, but it's visible within 3 months.
French, English, or Spanish. Most participants from French firms prefer French, but the written deliverables are often in English. We adapt to what's most useful for your team and your clients.
Other languages are possible. For those, I delegate to senior security architects in my international network — people I know personally and trust to deliver at the same level.
One-on-one or small group. Always adapted to your context.
Write to me on LinkedIn →
A short message, no pressure. I'll tell you plainly if I think I can help or not.