Stéphane Tournadre, CISO of Servier Group, a builder of digital fortresses

PCs cobbled together in shoeboxes, a first software sold at 14, and 27 years of loyalty to Servier: Stéphane Tournadre’s path, Group Chief Information Security Officer, looks like an architecture patiently constructed over time. An engineer turned strategist, he defines himself as a “builder of fortresses” serving a vital mission — protecting the ability to heal.

“My Lego sets were PCs built inside shoeboxes.” The image is striking, and it says it all. Behind the phrase lies a childhood memory: his father, a computer maintenance technician, bringing home spare parts. With his brothers and sister, Stéphane Tournadre became an impromptu tinkerer. No chassis? A shoebox would do. At nine years old, his games were made of cables, circuit boards, and electronics. Curiosity was fueled by resourcefulness, and resourcefulness became learning.

At 14, he sold his first piece of software — a real estate management tool. The venture didn’t last: “I didn’t know what the Urssaf was.” No self-employed status back then, and impossible taxes to pay. But he sees this early entrepreneurial failure as a step forward: “I’d eaten all the recipes.” The anecdote says a lot about his path — a taste for risk, an early encounter with economic reality, and a refusal to be discouraged.

Loyalty and competition

Twenty-seven years after walking through Servier’s doors, Stéphane Tournadre now serves as Group Chief Information Security Officer. A remarkable tenure in a field where CISOs often move from one company to another. “I’m loyal — I really love this company,” he says simply. Loyalty, however, doesn’t preclude competitiveness: in 2018, he was named “Best CISO in France” at the Assises de la Cybersécurité, a title confirmed in 2021 by Républik IT.

He defines himself in these words: “a builder of fortresses.” Builder, because cybersecurity is built over time, with patience and rigor. Fortresses, plural, because there’s more than one — human, technological, organizational. “My role is to bring these lines of defense into every part of the Group.” These fortresses protect digital assets, but above all the company’s mission: accelerating therapeutic innovation for patients.
“We work on rare cancers, such as brain tumors. If one day we can’t deliver our treatments, the health impact would be immediate.”

Systemic risk beyond attackers

For him, the biggest threats are not always sophisticated attacks. What struck him most in his role as CISO was the CrowdStrike bug in July 2024, which paralyzed millions of machines worldwide. “We could have been affected. If we had, we’d have had to bring back and reformat over 10,000 devices across our subsidiaries and plants. That’s the worst-case scenario.”

This experience underscores his deeper concern — dependence on the cloud. “The cloud is necessary for agility and performance. But if tomorrow an extraterritorial law or a state-level attack takes down a major provider, we’d be helpless.” The issue isn’t the technology, but the potential loss of access — sudden and systemic.

Moving beyond the geek cliché

When he talks about clichés surrounding his job, Stéphane Tournadre doesn’t mince words: “People imagine us as bespectacled coders in hoodies, speaking jargon in their bubble.” He prefers another metaphor: a Formula 1 car is fast only because it has brakes and a roll cage. Cybersecurity, he insists, isn’t a constraint — it’s a condition for performance. “It’s a lever, not a barrier.”

And if he could change one thing with a magic wand? “I’d give every employee a Spider-Man-like sixth sense to spot scams. I wish vigilance could become instinctive, not something learned in training.”

Toward a shared defense

Looking ahead, he envisions a more collective cybersecurity — one built on solidarity. “Today, a hospital under attack is often alone. Public and private resources are too disconnected.” In ten years, he hopes for shared defense — a continuum across sectors. Once again, his background in healthcare shines through: for him, cyber and human impact are inseparable.

He’s already involved in national defense initiatives, convinced that the line between cyber and physical worlds is fading fast. “A digital incident always has real-world consequences.”

The engineer turned strategist

He never planned to become a CISO. The opportunity came by chance — a retirement opening a door. But that chance, combined with major crises like WannaCry and NotPetya, shaped his path. “Cybersecurity shifted from theory to action — that’s what hooked me.”

Today, the child who once built PCs in shoeboxes — turned chemical engineer and now master of machines — stands as a strategist. Loyal to his company, competitive by nature, a builder of fortresses: his portrait breaks the cliché of the hooded geek. Instead, it reveals a man who conceives cybersecurity as an architecture of trust — invisible, yet indispensable.