Cybersecurity schools in France: from hibernation to saturation

A critical analysis of the cybersecurity school landscape in France, between training promises and field reality. Through a rich and atypical experience, I share feedback on the shortcomings of the current system and suggest concrete ways to raise the level of future professionals.

Introduction

2020, Parisian basement.

The familiar smell of coffee fills the office of the N3 networks section. As a soldier, I discuss future prospects with my colleagues and the choice of whether or not to leave the army, where I administer some of the most sensitive servers in the country.

Leaving in 2021 in order to launch the career in cybersecurity for which I have been training for 10 years now?

Or stay 5 more years to be trained in cybersecurity by the institution?

“In 5 years, schools will have graduated entire classes of cybersecurity engineers; the shortage is now,” a colleague pointedly objects.

Five years later, it looks like a prophecy come true. Now a cybersecurity expert with my own firm, I don’t go a day without receiving a LinkedIn message from a cybersecurity student desperately looking for a work-study placement or internship.

But what happened in 5 years? Where are we?

This is what we are going to see here. And spoiler alert: there’s still work to do.

Disclaimer: the content of this post comes from my experience and observations. The absence of public figures on the makeup of teaching staff, for example, does not allow me to do more. However, it can be a basis for reflection on resolving issues related to cybersecurity training in France.

Observation

Early 2024, in a tower in La Défense.

As a cybersecurity consultant at Intrinsec, I go through the resumes of my potential future interns. They all look more or less the same: a linear, standard route. The CTF scores and open source projects highlighted 10 years earlier are replaced by school projects. Everyone aspires to land an internship as a pentester.

It took me a few interviews to realize there was a problem.

“Give me the different types of SQL injection and how they work.”

Result: approximate answers and little or no practice.

Same for XSS.

XXE? Never heard of it.

The few candidates reaching the testing stage on a dedicated web application don’t really stand out. Use of the browser’s developer tab instead of suitable tools, half of the obvious vulnerabilities going undetected, lack of methodology…

Almost none have actually practiced on CTFs.

I finally found a good intern in the middle of BAC+6 who had 2 or 3 years of work-study behind him. Is this necessary? Do you need 6 years of study to have the level required for a 5th year internship?

Let me be clear: I am not putting the blame on students. The problem is probably elsewhere. This is what I was able to confirm later, as a lecturer in cybersecurity schools.

The cyber curriculum

2025, first year on my own. I continue professional training, penetration tests and cybersecurity school courses.

I have to admit one thing: I LOVE teaching in schools. I really feel useful, inspired by several teachers from my life as an eternal student. During my evening classes at the Conservatoire National des Arts et Métiers, Nicolas PIOCH and Eric GRESSIER were particularly inspiring speakers in their way of teaching.

I was therefore able to discover the diversity of cybersecurity schools open to students wishing to become experts in this field. “Diversity” is the key word. Some schools offer a complete 1-year or 2-year course, which covers the subject and provides a solid foundation.

Other schools teach computer science and end with a cybersecurity course of… 6 months? It’s very short: most students don’t yet know if they want to do Offensive, SOC or Compliance. The course must therefore give them a sufficient level in all these directions so that they can form an opinion on what they like or not. And 6 months goes by quickly. Most come out having covered a bit of everything, but without any real mastery. Then they have to deal with that in the interview.

Put yourself in their place: you are in M2 cybersecurity, you must find a company to do your end-of-course internship, which is mandatory to complete the diploma. No pressure. The few companies that respond to your applications fail you after the interview. At the same time, you got stuck on a lot of technical questions.

In January, stress increases. So you send out more and more resumes and DMs on LinkedIn, but nothing works. You are drowned in the mass of other candidates.

Unenviable, right? Indeed. The lucky ones are the best prepared, or the enthusiasts who taught themselves on Hack The Box. The majority struggle, again and again. But to have the necessary perspective to train early, you need a good dose of maturity, or the right teachers.

Industry professionals vs teaching professionals

As an external lecturer at a school, I quickly noticed that being an outside professional was not the norm.

A significant proportion of the teaching staff work full-time for the school. More educational, you might say? Possibly. But this partially explains the feeling I had from the outset: students who are very “academic” and absolutely unprepared for professional life.

A small example: not wanting to see my students struggle to find an internship, I prepared them as best as possible. The exam was a 3-hour practical session. Practical work, internet allowed, ChatGPT allowed (obviously making sure they use it correctly, I have my tips for that), course materials allowed. I don’t want to know if they have learned: I want to know if they know how to do the work, to research, to think. The result: a short professional report.

An observation quickly emerged. The majority think like students. This is seen in their way of writing a “professional report”, their storytelling approach justifying to the professor the steps followed, their thoughtless use of GPT, their frequent questions such as “What do you expect to see on this question? How should we word it? Do you want a screenshot or a copy and paste for this section?”

This is a common point between the schools where I have taught. Students are absolutely not prepared for professional life, and they are asked to undergo interviews to find a compulsory internship? No wonder they are under pressure. And it’s not their fault: the school shapes them this way.

As a professional, I know what is expected in business. The clear impression that struck me at school is the following: career teachers have spent too much time outside the business world and train students in entire cohorts. And unfortunately, in the end, it is the students who are toast.

Likewise, programs are not always well-structured. I was able to meet students who had taken offensive security courses but had never touched the security of a web application. Do you know what is asked first of any trainee who wants to play offense? Yep. Having the basics to do web intrusion testing.

These programs are generally not designed by external professional stakeholders. It is essential to get closer to real-world requirements when designing a cybersecurity program.

A quick digression to finish: can we talk about the famous coding exams on paper? I sat this type of exam in 2010 and, even at the time, I found this format unsuitable and obsolete, especially when you lose a point for a missing semicolon on paper that does not underline syntax errors.

Budget and organization

The eternal problem, and more particularly in schools.

Are you a public or partially public school? Congratulations, you are partly dependent on state subsidies, which are rarely sufficient. In addition, you have organizational constraints that considerably slow down any decision-making. And as many external service providers have the unfortunate tendency to want a contract signed before the start of the service and to be paid on time, this scares away a lot of competent workers. This is a problem that I have experienced, and that many of my peers experience. Very few schools stand out on this point.

Are you a private school? Congratulations, you are the master of your choices. On the other hand, financially speaking, you will have to count on students paying more for registration. The same students who eat pasta to stay in the black and, for some, cannot find accommodation.

Regardless, the budget remains an even more impactful issue in schools. A school engagement pays around half as much as professional training. And that is without counting the time spent correcting exams and preparing courses, which is never included in the envelope. This pushes stakeholders to favor more lucrative services, such as professional training.

So when I’m asked to produce a resit exam subject for free, I can’t really spend 3 hours in transit to proctor a 2-hour resit exam.

“It doesn’t matter, do an MCQ subject, provide us with a correction and we’ll take care of it.”

Wait… what? I produce a quality course, a relevant exam, to tell my students “it doesn’t matter if you fail, you can pass the subject with a multiple-choice test”?

The message that was given to me half-heartedly is the following: it increases the pass rate, so it suits them a little.

The choice of metrics

The success rate: an essential metric. But what is its relevance?

I will discuss 2 points of view: that of the student, and that of the company.

The student

When choosing his school, he had several concerns. Sometimes it is the location, if he wants to stay close to his family. Sometimes it is his ranking, which will allow him to target a more or less prestigious school. Or the cost of the school, which ties back to the budget section.

Ok but ultimately, what is he aiming for? What does he expect from a cybersecurity school?

The aim is above all to find a good job, well paid, and to have the skills required to land said job.

So OK, one school has a 98% success rate, another has 40%. On paper, one offers the diploma more easily. But if it means sacrificing exit-level skills, is it worth it? More mature students will find the answer to this question. For the others… too bad.

Especially since the companies recruiting pentesters that I spoke with this year do not want juniors. They were too disappointed by the level observed at the end of school and wish to recruit less, prioritizing more experienced profiles.

The company

As a consultant, I was looking for a competent intern above all. On the resume, the name of the school didn’t matter to me. What interested me was the rest: personal projects? A git? Contributions? CTFs? Anything that shows an interest and passion for cyber.

The challenge of recruitment is not to make mistakes. OK, there is the trial period for that, but it’s not magic. Furthermore, a failed trial period is above all a double failure, for the candidate and for the employer.

The company is therefore looking for a guarantee of quality. “A school known for producing graduates with a strong skill level? I’m in. It doesn’t matter that this school only produces 45% of graduates, I know that the graduates have the required level to work for me.”

Here again, the success rate is clearly not a relevant metric. And yet, it is in the eyes of schools.

Towards higher standards?

Whether businesses or students, everyone would benefit from seeing schools that are more demanding of both their students and their teaching staff. In this respect, several complementary avenues are possible:

  • Greater fluidity in internal processes in order to attract better external stakeholders. Like any viable business: signing of the contract and purchase orders before the service, invoicing at the end, payment of the invoice on time.

  • A requirement towards the teaching staff who must train future professionals, and not students, with all that this implies: adapting to modern tools, never again examining code on paper, and staying up to date on what the market expects.

  • At least a full year of cybersecurity, ideally 2 years. This is the minimum for training cybersecurity professionals. It is a demanding field for a reason: cybersecurity is not just a narrow “specialty”, but a vast domain within IT. Saying “I do cyber” is like saying “I do IT”: it can mean “I am a pentester”, “I am a SOC analyst”, “I am a CISO” or “I sell firewalls”.

  • Rely on real indicators such as the hiring rate or the average exit salary, and not the success rate which is more often a sign of economy or laziness. Students want real training and a job upon leaving. Companies want graduates with a suitable skills base.

Conclusion

When I was studying in 2010, the only cybersecurity school was in Maubeuge. Today there are dozens, flooding the market with poorly prepared students.

The objective of a school, in this respect, is the same as any business: to solve a problem for remuneration.

By improving the level of higher education in this area, we could give the French cyber landscape the engineers and master’s graduates it deserves.

We could give students the future they want.