The CISO of Orvis, the oldest mail-order retailer in the United States, plans to replicate at Orvis the success he had at a Fortune 500 outdoor apparel company. At that retail clothier, the original driver was meeting PCI-DSS compliance; the training initiative there, however, grew into an engaging apprenticeship and security champion program for the company, and the team showed genuine excitement to participate in the training and to use the lessons learned to better protect the enterprise. This case study tells that story in the words of the CISO.
The Need to Mix Things Up
PCI-DSS has a requirement to provide annual security awareness training to development teams. Historically, we had relied on mandatory video training followed by tests to demonstrate completion. Unfortunately, while this training might have achieved a compliance requirement, it didn't engage our development teams in ways that helped them build our teamwork or innovate on the material.
We had the idea to try a CMD+CTRL Cyber Range event with Security Innovation. The concept they pitched was simple: an instructor-led "capture the flag" tournament on a live vulnerable web application. The idea looked a lot more engaging than our traditional training, so we decided to try it as a fresh approach to meeting our PCI-DSS training requirement.
We hoped for more enthusiastic participation, but never expected to get such wildly successful results:
“We began training with a single CMD+CTRL event. It generated lots of excitement and the teams are already asking when we’re running the next one. We used a Security Innovation instructor for our first event and hope to use internal security champions to run future events. We’re off to a great start and I am excited for the future of the program.”