Customer Success: Orvis - How Cyber Ranges Transformed our Team


The CISO of Orvis, the oldest mail-order retailer in the United States, plans to replicate his success at a Fortune 500 outdoor apparel company. At that Fortune 500 retail clothier, the original driver was meeting PCI-DSS compliance; however, the training initiative there ended up creating an engaging apprenticeship and security champion program for the company. Plus, the team showed genuine excitement to participate in the training and use lessons learned to better protect the enterprise. This case study is about that rewarding story, in the words of the CISO.

The Need to Mix Things Up

PCI-DSS has a requirement to provide annual security awareness training to development teams. Historically we had relied on mandatory video training followed by tests to demonstrate completion. Unfortunately, while this training might have achieved a compliance requirement, it didn’t engage our development teams in ways that helped them build our teamwork or innovate on the material.

We had the idea to try a CMD+CTRL Cyber Range event with Security Innovation. The concept they pitched was simple: an instructor-led “capture the flag” tournament on a live vulnerable web application. The idea looked a lot more engaging than our traditional training so we decided to try it as a fresh approach to meeting our PCI DSS training requirement.

Needle-Mover Results

We hoped for more enthusiastic participation, but never expected to get such wildly successful results:

"We began training with a single CMD+CTRL event. It generated lots of excitement and the teams are already asking when we’re running the next one. We used a Security Innovation instructor for our first event and hope to use internal security champions to run future events. We’re off to a great start and I am excited for the future of the program."
Joe Minieri, CISO, Orvis
  • General Excitement & Passion

    The challenges are so much fun that the team no longer dreaded the annual training. In fact, they couldn’t wait for the next one! We went from training being met with sighs to our teams asking for multiple sessions so more could play. They were literally begging to be part of the training program.

  • Increased Collaboration

    During CMD+CTRL events, players were sharing ideas, techniques, and solutions with each other. Junior developers were able to learn from the more senior members. This was impossible with the training they used to take individually.

  • Groomed Security Champions

    Though this was not planned, we were the beneficiary of an amazing byproduct of the CMD+CTRL training. Several developers continued their pursuit of security principles beyond the events, so much so that they were able to lead future events and provide on-the-job mentorship. Security champions emerged as a natural occurrence from the program.