DARE #2 - Mayeul Berger - Head of IT & Security @CybelAngel

Sometimes, we meet people who inspire us. Who make us believe that a different approach is possible. Who immerse us in their energy. 

“DARE.” is the series of optimists. Those who have the courage and creativity to continuously reinvent our businesses and daily lives.

Dive into the universe, strategy, and methods of those who are changing the game.

Strong personalities for concrete interviews.

In a hurry? Here are the 3 concrete insights from this article to implement tomorrow morning:

• Project yourself into a cyber attack like a character in a comic book to stimulate your creativity and prevention.

• If you feel like you are at the end of a cycle, don't dramatize the change. The key is to find the right timing to shake things up.

• It is crucial to listen to your teams, but you must set boundaries. There is a time for empathy and another for execution. It’s the latter that will allow them to regain confidence.

The Discussion

Mayeul, thank you for participating in this interview for “DARE.” I suggest we start at the beginning. How did you get into the Cyber world? 

At first glance, my journey seemed like it would not lead me to where I am. But from a higher perspective, there is still some logic, a common thread between my childhood dreams and my current work.

My family background played a significant role. We have several military members in the family, and I have always had an attraction to subjects related to defense and commitment. I was indirectly immersed in it, whether through scouting or my readings: I was (and still am) a big fan of spy novels, for example. As a teenager, I thought about a military career.. 

But time passed, and by the end of high school, I had to face the truth: I would not have thrived in that environment and I might not have been very good at it. I had a rather romanticized view of it, but when projecting myself into the reality of military life, I understood that the framework wasn’t right for me. 

And as I recall, you didn’t do things by halves; you took the plunge …?

Indeed, I ended up leaning towards political science and literature. I joined the Albert-le-Grand Institute (Angers) for a double degree in Literature and Political Science - a program I loved. It was truly what I imagined a complete intellectual education to be. We worked a lot and on a wide range of subjects. It ranged from market economics to political philosophy to theater. I found a lot of intellectual depth there and a real education in work. It was challenging to master disciplines so different, but it was especially very enriching.

Being exposed to so many disciplines led me to ask myself a lot of questions by the end of the program, but I ultimately directed myself towards international relations. I found it fascinating and thought that there would be things to do. When I see the news, I feel like I wasn’t wrong.

It was through this path that I fell into Cyber. It was already burgeoning at the time and it was becoming essential. I started looking into the subject through dissertations, projects, during my Master’s years, etc., which allowed me to begin to grasp the stakes.

I began working for two years in monitoring and public relations. One day, I saw a job posting in Cyber, I applied, and it went well. I immediately thrived there, and I haven’t really questioned my choice since. 

What predisposed you, as a student in political science and literature, to be good at cyber security? 

It wasn’t obvious. I started from scratch; I had everything to learn, particularly on the technical side. But I have a good capacity to immerse myself in subjects that interest me, so I learned pretty quickly. My colleagues at the time were very welcoming and encouraging, which helped me to grow. 

I was also aided by a few personality traits that allowed me to be quite effective in this work.

Which traits? 

I am said to have a certain imagination. For the record, the only field in which I nearly gave it all up was comics - I wanted to be an illustrator. (Laughs) I loved to draw and tell stories. I have been doing it forever. In my opinion, it is a true asset as an analyst first, and now as Head of IT & Security. I think I have the right blend of imagination, allowing me to easily project myself into a threat and into the shoes of an attacker.

This helps to prevent but also to identify weaknesses quickly. With the volumes of data we are required to handle, in addition to methodical analysis, there is something instinctive to locate the breach, the flaw, the risk. By becoming an analyst, I was able to put myself in the attacker’s shoes quite well and imagine “everything I could do wrong” with the elements detected by our systems (data leak, vulnerability, etc.). This certainly also serves me today in risk management, this time for my company and no longer for our clients.

So it corresponded to your personality and your talents. Was there anything else that attracted you to this world? 

I would say the concrete aspect and the impact of the work, even daily tasks. As a security manager, we spend our days trying to dismantle what could harm a company. That company can be huge or tiny. Even if it’s not always a national issue - as it could be for a critical infrastructure or essential service, for example - there are always stakes involving operational, legal, human (jobs), etc., security - and often very significant financial stakes as well.

Working in cybersecurity, whatever my position, I truly feel like I am contributing concretely to something (and to someone). It’s genuinely rewarding.. 

You talk about rewarding tasks. What are the thankless tasks of your week? 

I tend to think in terms of phases rather than tasks. 

I like to see life as an alternation of chapters. However, there are two major types of energy-draining chapters for me.

The first is “boredom.” This generally occurs when daily life is consumed by routine matters. When there’s less innovation and you feel like you’re not learning much anymore (this naturally happens at some point in a career). In my case, my alarm system goes off when I feel like I’m having the same day as I did 3-4 months ago. This is usually followed by a whole phase of questioning, self-reflection, a review of actions and skills, and preparation for what’s next. 

And the second?

The second type of “thankless” phase comes with impostor syndrome; a syndrome that can drive you upwards and make you progress if managed well, but can also be destructive. There’s always a moment in a career, or even in a year, when the work we’re doing seems beyond our capabilities, or we feel we don’t deserve the trust that our clients or colleagues place in us. 

One must maintain a fair perspective and balanced expectations of oneself, not to get complacent, but also to know how to move forward in moments of doubt. Ultimately, with the right support around you, these doubts can also be motivators to advance and progress. Every time I reached this stage of worry, I learned to lift my head from the handlebars and opportunities opened up.

The key in these phases of doubt is to identify the right moment to shake things up. In my experience, staying open and not dramatizing change generally pays off.

I imagine that this ability to maintain distance from subjects must have helped you on a managerial level? Any anecdotes to share on this subject, by the way? 

Without going into a specific anecdote, I’ve had some very enriching experiences over the past few years.

Twice, I welcomed employees in my team who were in a fragile situation. Brilliant individuals who were facing personal and professional difficulties. I had been warned about the situation, but I believed in their potential, so I decided to move forward with them.

This didn’t happen overnight, but establishing a clear framework, engaging in many exchanges, and allowing a lot of freedom of action worked well. Little by little, they regained confidence until they rediscovered a strong spirit of initiative. They were able to reclaim their place in the company and thrive with the team. 

One must accept that this takes time. It involved a lot of listening, and a few beers at the bar. There were even times when boundaries had to be set. Not out of a lack of empathy, but because sometimes it’s helpful to maintain the balance between autonomy/control and confidence/management. Some moments lend themselves to being confided in, while others focus on execution. It’s by overcoming these challenges that we rebuild our self-esteem.

Those must have been quite rich human moments. If we take a step back and look at the company level, how do you get the entire company on board with your projects?

I don’t have anything very specific to share on that point. I’m fortunate to work in a company where the whole team is dedicated and willing on cyber issues; naturally, it’s our job. This applies to my subjects (security, IT, cyber) but also to all departments more generally. Therefore, I rarely face blockages, whether due to disinterest or bad will. 

Very clear. And how do you see the role of CISO / Cybersecurity Director evolving in the coming years?

Information security is in constant and rapid evolution, predicting the future of these professions is therefore very uncertain. 

Overall, I believe that the short- and medium-term challenges are the role of the CISO, which tends to take on an increasingly strategic role within management and collaborate more closely with other functions/teams/divisions. Risk management is evolving in a more holistic way, whereas previous decades compartmentalized the different issues more. The regulatory complexity is increasing.

And of course, in cyber as elsewhere, managing the technological revolution of artificial intelligence in all its forms remains one of the biggest challenges, or at least one of the most transversal. 

Beyond the general transformation of working methods, common to all businesses, one element I imagine to be crucial is the asymmetry between the development of “defensive” AIs, which so far have tended to improve the existing, and that of “offensive” AIs, which seem more oriented towards exploring the unknown and making cybercrime more accessible. 

What advice would you give to yourself ten years ago? No talking about Bitcoin.

This ties back to what I just said, but I would invest more time in my technical progression, in the knowledge and mastery of fundamental systems and the exploration of innovative technologies. I see every day how this mastery nourishes inventiveness in our profession.

There is a whole movement promoting the appointment of CISOs without an IT background. This is healthy to some extent if it pushes the strategic and business role of this profession forward; but it is important not to allow a dichotomy to develop between the vision held by management and the technical expertise on the ground.

For everything else, if I had to do it over again, I would continue to listen to my wife’s advice.