Gérôme Billois is a Partner at Wavestone, where he has spent nearly 25 years helping global organizations strengthen their cybersecurity and digital trust strategies. A recognized expert in cyber crisis management and AI security, he founded CERT-Wavestone and advises executive committees worldwide on turning cyber risk into strategic resilience. Gérôme sits on the boards of Campus Cyber and CLUSIF, contributes to major international initiatives on cyber innovation and sustainability, and frequently speaks in global media and conferences. He is also the author of several reference books on cybersecurity and a driving force behind public awareness programs on digital safety.
Recently, in an exclusive interview with CIO Magazine, Gérôme shared insights into his journey in cybersecurity, the evolving landscape of cyber threats, and strategies for building resilient digital trust. He also shared his personal hobbies and interests, future plans, and much more. The following excerpts are taken from the interview.
What inspired you to pursue a career in cybersecurity, and how has your journey been so far?
I have always loved computing, networks, and understanding how things work. When you combine the two, cybersecurity becomes a very natural path. I started during my studies, when I had the chance to follow a computer security track in my final year, back in 2001; it was quite pioneering at the time!
My journey began with very technical topics: implementing firewalls and managing security alerts, first for an integrator and then on a critical trading floor in London for a large industrial company. That is when I realized the criticality of my work, understanding the impact that a cyberattack on our infrastructure could have on the balance of gas and electricity networks at the EU level.
After that, I decided I wanted to be at the heart of cyber innovation and joined a consultancy named Wavestone in the early 2000s. We were about 30 people at the time, helping large companies secure their information system. I gradually moved towards governance, risk, and compliance, while staying close to technological evolutions. I launched our incident response team at Wavestone in 2013; honestly, that is where I learned the most. During a crisis, one day of work is usually equal to one week in normal life!
Today, Wavestone has a team of 1,000 cyber experts in 17 different countries. I help the organization grow, becoming one of the three partners managing our teams globally. Additionally, I have always wanted to stay close to the field, and I still work directly with many of our clients, mainly on strategic topics, helping large organizations build their cybersecurity governance and long-term vision. My current work is mainly oriented towards AI in all its dimensions, but especially on securing AI systems used by businesses to ensure we can benefit from this great new technology safely. A recent example I enjoyed was leading a project where we used AI to simulate thousands of potential attack vectors against AI systems. It was both fascinating and a bit ironic to see AI attacking AI. Exercises like that show how quickly our field evolves and how much creativity it now requires.
In parallel, I am deeply involved in cybersecurity innovation and thought leadership. I have published several studies such as our Startup Radars and Innovation Radars, which identify emerging technologies and new players shaping the future of cybersecurity. Through these initiatives, I work closely with startups, investors, and corporate CISOs to foster collaboration and help innovative solutions gain traction in the market.
What do you love the most about your current role?
The diversity of topics. I work hand in hand with business leaders, technical experts, legal teams, and financial stakeholders to achieve the best risk reduction. It requires a lot of intellectual agility. Cybersecurity spans from highly technical topics such as cryptography all the way to geopolitical discussions at the UN level. I do not know many other fields with such breadth and impact.
My role also allows me to meet very high-level people, as cybersecurity has now become a topic at the executive committee level. Discussing cyber posture or organizing crisis exercises with CEOs of Fortune 500 companies is always a striking experience. You learn a lot by understanding their perspective and taking a step back on the real impact and challenges of embedding cybersecurity in large organizations.
In addition, I am deeply involved in our thought leadership activities. I currently lead a major initiative we are developing with our clients to define priorities for the next cyber strategy cycle, which we call “TOP 30 for 2030.” We have worked extensively to identify key trends and associated projects to give CISOs a clear path for the coming years. This study combines the need to accelerate cybersecurity, alongside AI and better cyber data management, with the need to demonstrate value and show how cyber can truly be a business accelerator. This is the kind of work I like the most, looking forward and shaping the future with our ecosystem!
I also have the chance to regularly speak in major media outlets such as international and national TV, radio, and newspapers. I love doing this, as I think it is critical to raise awareness about cyber risks without creating unnecessary fear. I always try to offer practical, common-sense advice, because I don’t want cybersecurity to be seen as something scary or unmanageable. On the contrary, there’s a lot everyone can do at their own level.
What emerging trends or technologies in cybersecurity are you excited about, and why?
Clearly AI. It is reshaping everything: how attackers develop tools and conduct operations, how we secure new business applications using AI guardrails or red-teaming, and how cybersecurity teams can use AI to accelerate processes that have been bottlenecks for years, such as third-party risk management, data classification, or SOC fatigue. I have seen many illustrations of this already this year and honestly it’s both frightening and fascinating!
At the same time, I am concerned by growing geopolitical tensions. The technological decoupling we are seeing could enable new types of attacks on critical infrastructure, especially if attackers no longer fear retaliation. We need to rapidly raise our level of preparedness.
On a more positive note, I recently worked on integrating sustainability into cybersecurity practices. I led the team that created the world’s first methodology to evaluate the carbon impact of security measures, not only to measure it but also to reduce it while maintaining the same risk level. It was truly refreshing work! We then made it open source through the Cyber4Tomorrow initiative so anyone can join this journey to make the world better, both for sustainability and for cybersecurity. Do not hesitate to have a look!
What are some common myths about cybersecurity that you would like to debunk?
First, the idea that we can be “secure” just by purchasing a solution or making a single decision. Cyber is not magical; it is a multifaceted discipline. You can have the best technical solutions, but if nobody maintains them or reacts to alerts, you will not be secure. AI providers are again pushing this “magical solution” narrative, and we always need to take a step back. While everyone would like a simple fix, the reality is that true security requires continuous effort.
Additionally, when meeting executive committees or boards, I often hear the question, “Are we secure?” They want a simple yes or no, but this question cannot be answered like that. It requires defining what “secure” means for the business, how long we can withstand an attack, what financial loss is acceptable, and what risks we are ready to take. Cybersecurity is a shared responsibility, not a state you can simply buy.
What skills or qualities do you think are essential for a successful cybersecurity professional?
Cybersecurity can be daunting for many people because of its breadth. If your strength is technology, you quickly encounter legal and regulatory constraints and feel a bit lost. If your strength is risk management, you realize you need a solid understanding of the technical side and feel equally challenged. No matter your starting point, there’s always more to learn. Even job postings often look for what we call in French “a five-legged sheep.”
You need to understand the basics of all these areas, but you cannot and should not try to be an expert in everything. To succeed in cyber, I believe you need curiosity and humility. Curiosity gives you the desire to understand what others are doing and ask questions. Humility reminds you that you will never know everything or stop every attack. Combining the two helps you explain risks clearly to different audiences. The way you discuss a vulnerability with a developer is not the same as how you talk about third-party risk with procurement or a data breach with the executive committee. Communicating effectively across all these levels is essential.
What role does mentorship play in shaping the next generation of cybersecurity professionals?
It is crucial. The field is evolving fast and covers many dimensions, so nobody can manage everything alone. Supporting newcomers, sharing experience, and helping them find their place in the ecosystem makes the entire community stronger.
As a side note, I worked very closely with a young consultant who later became the deputy CISO of the 2024 Olympics, one of the world’s most complex cyber environments. That’s one of the many examples, and I think it’s incredibly rewarding to see how much people grow and how far they can go. Beyond Wavestone, I also mentor startup founders in the cybersecurity ecosystem, helping them structure their strategy, approach clients, and navigate regulatory challenges. These exchanges are mutually enriching; I learn as much from their agility and creativity as they do from my experience.
Can you recommend any books, podcasts, or resources for someone looking to learn more about cybersecurity?
It really depends on your starting point, whether beginner or already expert in a field. There is plenty of content, but I have written or co-written several books myself, including, by order of expertise: Cyberattacks: Inside a Global Threat (Hachette, 2022), The Cyber Risk Handbook (Wiley, 2017), IT Security for CIOs, CISOs and Administrators (Eyrolles, 2016), Data Breaches and Security Failures (Larcier, 2016), and Cybersecurity of Industrial Systems (Cépaduès, 2015).
Books are great to create your baseline of knowledge, but the most important thing is to stay connected to our very fast-moving ecosystem. For that, I read a lot on specialist websites and blogs, but what I find most valuable are discussions within trusted professional communities, live with real people or on social networks!
And for podcast fans, I would recommend for beginners “Le Monde de la Cyber” and for advanced listeners “NoLimitSecu”. Both are in French, but with today’s AI translation capabilities this is no longer a barrier, and they offer distinct perspectives, refreshing insights, and a relaxed tone.
What are your passions outside of work?
I make a clear distinction between work and personal life, which I think is essential to last in cybersecurity. Our field can be intense, with vulnerabilities discovered every day and pressure during incidents. Therefore, I disconnect, spend quality time with my family, and do sports to recharge!
At the same time, I am a bit of a tech enthusiast. I enjoy setting up and experimenting with technology at home. It helps me stay curious and understand how technology really behaves in the real world. In a way, it is both funny and useful, as it keeps me connected to the practical side of what we try to secure every day.
What is your biggest goal? Where do you see yourself in five years?
I have been in cybersecurity for almost 25 years, and the field has undergone many transformations. Predicting five years ahead is always difficult, but I am sure I will still be working in cyber, and I hope AI will help us solve some of the major operational challenges we have faced for years! At Wavestone, I helped grow our cybersecurity team from a small group in Paris to a recognized player at European level. To my joy, we were recently recognized as a “Strong Performer” in Forrester’s Cybersecurity Consulting Services Wave for Europe Q4-25. So, very concretely, one of my goals is to attain the same level of recognition but at a global level! It’s not going to be done in 5 years, but why not in the future!
Outside of Wavestone, I also helped create and lead an exciting initiative in France called the Cyber Campus. It is a government-backed project designed to build a strong community connecting all major cyber disciplines: research centers, universities, technology providers, CISOs, and specialized communities. The goal is to shape a more resilient and collaborative cybersecurity ecosystem for the future. The initiative is embodied by the Cyber Campus tower in La Défense, Paris, but it also exists nationwide through regional branches. Looking ahead, I believe the next step is to expand this model at the European and global levels, to create a true network of cybersecurity communities that work together across borders. Strengthening cooperation between countries and closing the gaps between research, industry, and government are, in my view, essential to shaping a safer and more trusted digital future.
And to conclude, on a longer timeframe, I wish that cybersecurity becomes a natural part of school education, just like mathematics or languages. Everyone should know the basic principles to enjoy a safe and confident digital life. That will be the real sign that cybersecurity has become fully embedded in our societies!
