South terminal, gate 42, overpriced triangle sandwich. Off to Madrid. Officially: a long weekend, Thursday to Monday. Unofficially: I am boarding with a carry-on packed with professional curiosity. When you spend your days working on cybersecurity training, you end up seeing the digital world differently. Every trip becomes a field observation. Every airport wifi network becomes a case study.
And Madrid, as it happens, is a city worth stopping at beyond the museums and the tapas. It is a serious economic capital, a dense network of SMEs, and a gateway to a Spanish-speaking market of 500 million people. That is a lot of potentially exposed employees, and a lot of companies that need to train their teams to face today’s digital threats.
The official plan
Four nights in Madrid. Thursday to Monday. Enough time to decompress, to walk through a city that breathes differently, eats late, and seems to have collectively decided that permanent stress is not an acceptable way of life. But also enough time to observe how an economy comparable to Paris handles the question of corporate cybersecurity.
Because cyber training is not just a French concern. It is a global issue, affecting a SME in Malasaña just as much as a mid-size company in central Paris. And risky behaviors, whether clicking a phishing link or connecting to public wifi without a VPN, do not speak Spanish or French. They speak universal.
What I am carrying in my head
A few questions I intend to explore on the ground, without a forced agenda, just by observing and talking:
- Are Spanish companies as mature as French ones when it comes to cyber risks? Or are we looking at a gap similar to where France was five years ago?
- How do Madrid-based employees react to phishing attempts, social engineering, CEO fraud? Are the reflexes different?
- Is cyber training seen as a regulatory burden or as a genuine strategic investment by local decision-makers?
- And most importantly: do immersive training platforms like Cyber Investigation have a real card to play in the Spanish-speaking market?
No conference scheduled, no meetings blocked in the calendar. Just conversations in coworking spaces, observations in cafés with wifi open to anyone within range, and a few hours of field research slotted between cultural visits. The ethnographic method, consultant-cyber edition, on a reasonable tapas budget.
Why cyber has no borders
Something people often forget when working in training: digital threats do not stop at borders. A poorly trained Spanish employee is just as vulnerable as a French one who has never seen a serious phishing simulation. Attackers use the same techniques everywhere. Ransomware does not ask for your nationality before encrypting your files.
What does vary is the level of awareness, the risk culture, and the quality of training programs available in each market. That is exactly what I am going to observe over four days in Madrid.
Why Madrid rather than anywhere else
Because Spain is a serious market, often underestimated from Paris. A dynamic economy, ambitious companies, and a fabric of SMEs that is starting to take cybersecurity seriously after a few years of painful wake-up calls. Incidents are multiplying, European regulation is pushing in the same direction, and leadership teams are beginning to understand that training employees is no longer optional.
NIS2, GDPR, the growing number of compliance audits: the regulatory context is creating real pressure on Spanish businesses. But regulatory pressure alone does not build good reflexes. It creates compliance on paper. What is needed is genuine engagement. That is the difference between ticking a box and training someone who will actually change their digital behavior.
Boarding in 20 minutes. We will pick this up on the other side with a full field report. Spoiler: croquetas will probably appear in every article that follows. And the hotel wifi question will too.