Building a structured security organisation

KGAL – Security awareness as a continuous journey

KGAL has mastered the journey from a person-centred approach and individual measures to a structured security organisation with a strategically embedded security awareness programme.


KGAL and IS-FOX have successfully advanced security awareness

Who is KGAL?

KGAL is a leading independent investment and asset manager with assets under management exceeding €15 billion. The focus of its investments lies on long-term real asset investments for institutional and private investors in real estate, sustainable infrastructure, and aviation. The pan-European group was founded in 1968 and is headquartered in Grünwald, near Munich. Around 400 employees work to generate sustainably stable returns, carefully balancing yield and risk considerations.


  Industry: Financial services

  Employees: 400

Starting point

From a person-centred approach to a structured security organisation

When Andreas Scholz took on the role of Information Security Officer at KGAL in 2018, security awareness was still heavily dependent on individuals. The starting point was pragmatic and typical for many organisations at this stage: training was developed in-house, content was prepared internally, and awareness was communicated through presentations.

"I came from IT and then dedicated myself entirely to information security. At the beginning, I simply delivered the training myself."

he recalls.

What worked at first quickly became a burden as the organisation grew. New employees needed to be trained regularly, processes were repetitive, and the responsibility remained concentrated with one person.

At some point it became clear that this model was not sustainable in the long run: despite a solid content foundation and high personal commitment, it was reaching its limits without structural support.


The turning point

The move towards a structured approach

The central question was no longer whether awareness was necessary, but how it could be organised sustainably.

The decisive impulse came through exchanges with other companies in the industry that had already successfully drawn on the expertise of HvS.

The recommendation for IS-FOX was clear – not so much as a product recommendation, but as a pointer to a structured solution for a growing problem and a partner to help develop the existing approach further and bring it to a scalable level.

For KGAL, what mattered was not just a single tool, but the idea of a coherent, end-to-end concept.

The decision was deliberately ambitious: if change was to happen, it would not be half-hearted, but rather a complete build-out of a structured awareness programme – with IS-FOX as a methodological and content-driven sparring partner.


The solution

From individual measures to an integrated awareness programme

The starting point was classic e-learning formats in the area of information security. It quickly became clear, however, that an isolated approach was not sufficient to bring about lasting changes in behaviour.

From the initial project, a comprehensive awareness programme gradually took shape, connecting and aligning various components in a targeted way:

  • E-learning as the foundation for knowledge transfer
  • Targeted phishing simulations to sharpen behavioural awareness
  • Complementary communications via the intranet and a dedicated "Information Security Portal"
  • Regular live sessions to explore current topics and emerging threats
  • Awareness campaigns as a recurring element

What mattered was not the volume of measures, but how they worked together – continuously orchestrated by Andreas Scholz and IS-FOX to build a consistent overall concept and actively develop it further through targeted initiatives.

"What is crucial for us is that awareness is not seen as a one-off measure, but as a continuous process."

Scholz summarises the internal perspective at KGAL.


Development

Awareness becomes part of the working culture

Over time, KGAL developed its own internal awareness ecosystem.

Content was not merely consumed, but actively built upon: training was supplemented, campaigns were integrated into internal portals, and new formats were regularly adapted to reflect current threats.

A key insight from the phishing simulations was just how strongly human curiosity plays into attack scenarios – and how important continuous awareness-raising truly is.

Awareness thus became less of a one-off training format and more of an established part of internal communications.

A further important step came in 2021 with the organisational integration of "information security" and the CISO role into the compliance team.

This gave the entire subject area an additional positive impetus – shifting information security away from a purely technical frame of reference and towards a cross-functional and influential governance element.


Outcome

Security awareness as a lived culture

Today, security awareness at KGAL is no longer an isolated project, but a continuous part of the organisational culture.

The measures work in tandem, are regularly developed further, and are closely tied to real-world threat scenarios – the result of a structured collaboration that has both empowered and provided direction.

The greatest difference from the starting point lies not so much in individual tools, but in a fundamental structural shift: from individual initiatives to a systematically built, long-term programme.


Conclusion

A journey that is far from over

The collaboration between IS-FOX and KGAL illustrates how security awareness can evolve over the years when it is consistently treated as a process – and when an experienced partner helps to structure, scale and sustainably embed existing approaches.

Not as a campaign. Not as a tick-box exercise. But as a continuous development within the organisation.

Or as Andreas Scholz puts it:

"Awareness is not something you introduce once – it is something you develop together, continuously."

We couldn't agree more.
