How a Lean Team Built a Scalable, Policy-Aware Human Risk Program

Operating in a fast-paced, data-heavy environment, Escalent has to meet stringent client expectations on both operational integrity and security maturity. Running a global program with lean resources demands a platform that reduces friction, not one that adds to it. Before OutThink, Escalent's security awareness processes were manual, time-intensive, and increasingly out of step with the business. As Escalent grew, it became clear the existing approach wasn't sustainable and couldn't deliver the clarity or consistency expected by internal stakeholders or clients.

Escalent, a global leader in data analytics and consulting, manages highly confidential client data across technology, healthcare, and consumer sectors – making security awareness a critical pillar of its operations. As an ISO 27001-certified organization with annual SOC 2 reporting obligations, Escalent has to maintain a security awareness and human risk program that is accurate, consistent, audit-ready, and trusted by clients.

Matt Benard, VP Governance, Risk, & Compliance at Escalent, oversees this across a workforce of more than 2,000 employees and a growing global footprint. To keep pace with scale, reduce manual overhead, and lift the quality of training and reporting, he needed a modern, automated, policy-aligned approach. OutThink enabled that shift – replacing outdated workflows with an adaptive, operationally efficient human risk program.

Before adopting OutThink, Escalent relied on a legacy platform that satisfied the compliance checkbox but did little to change behavior. Training was long, generic, and one-size-fits-all: 30–45 minute courses that pushed the same awareness material to every role, generated complaints from busy teams, and made it hard to drive consistent engagement and timely completion across the workforce.

Campaign setup consumed far more time than it should have, creating bottlenecks for a lean team. And administrative work was entirely manual: 1. new joiners were not enrolled automatically 2. reminders had to be sent out individually 3. late completions required repeated/individual follow-ups

The phishing program fell short too. Simulations became predictable, users learned the pattern rather than building real resilience, limiting Escalent's ability to measure true susceptibility. And because Escalent regularly presents results externally, the bar for reporting and audit-ready evidence was high – something the previous platform consistently struggled to meet.

Escalent chose OutThink because it offered a modern, adaptive, policy-aligned approach that fit how the business actually operates. The shift was immediate.

Short, engaging microlearning modules (typically 4–5 minutes) replaced lengthy courses, with content adapted to role rather than pushed uniformly to everyone – lifting user sentiment and reducing fatigue. Campaign creation took half the time, turning a bottleneck into a streamlined process. As Matt noted, "Going in and building a campaign takes half the time. OutThink was much more streamlined and intuitive."

Day-to-day program management became easier to oversee, with routine manual follow-up on enrollments, reminders, and late completions largely removed from the compliance team's workload.

OutThink's realistic phishing simulations introduced a meaningful uplift in resilience. Instead of predictable templates, simulations challenged users genuinely; and when someone fell for one, instant contextual reinforcement landed in the moment, not weeks later.

Crucially, OutThink let Escalent embed internal policies and brand standards directly into the learning journey. That coherence combined with a strong capability-to-cost ratio made the platform a clear fit.

After going live on 1 January 2025, Matt designed a program built for scale, clarity, and long-term consistency with minimal oversight. Training cadence became structured and predictable: onboarding is automatically assigned via Okta, annual training is completed within a defined one-month window, and phishing simulations run quarterly across the organization. Role-specific depth ensures each team receives training aligned to their responsibilities, with developers receiving deeper OWASP-aligned content for technical rigor.

Policy-aware customization means modules now embed Escalent's internal security expectations directly into the learning journey. This makes the program relevant, coherent, and more impactful; reinforcing the behaviors Escalent actually expects, while removing ambiguity for end users.

Escalent's partnership with OutThink delivered measurable improvements across the program.

Phishing resilience increased significantly, with click rates dropping from roughly 15% to 5–10% – a real behavioral shift driven by more realistic simulations and immediate post-click reinforcement, rather than completion metrics that don't move risk.

Role-based training meant developers received deeper, OWASP-aligned content while other teams received material matched to their responsibilities, lifting relevance across the workforce.

Operational efficiency improved dramatically too: campaigns were built in half the time, and the day-to-day admin burden of enrollments, reminders, and chasing late completions was effectively eliminated. Documentation became clearer and more valuable in client conversations.

Clients also gained confidence in Escalent's approach, particularly the instant reinforcement delivered after failed simulations. As Matt observed, "I love that follow-up training launches immediately… clients love to hear that we do this."

1. Training and policies aligned to how Escalent actually operates 2. Role-specific depth that adapts to responsibility, not one-size-fits-all 3. Automation that removes administrative overhead entirely 4. Realistic phishing with instant, in-the-moment reinforcement 5. Microlearning that respects users' time and lifts engagement 6. A clear value-to-capability advantage