Gamification, memorable catchphrases, and inside jokes, these are just a few ways security professionals are making cybersecurity education a little more palatable in their organizations.

According to a 2024 Proofpoint report, computer-based training remains the most popular format for cybersecurity education within organizations (45%), followed by newsletters and emails (38%), as well as in-person training sessions (37%).

However, some security professionals, like LinkedIn CISO Lea Kissner, told IT Brew that traditional approaches to security awareness education have not always been the most enticing.

“There are a lot of trainings that I’ve had to take in the past where they…made my eyes glaze over, even as a security person who loves this stuff,” Kissner said.

IT Brew caught up with four security professionals on how they provide meaningful cybersecurity training and education to employees.

​​The comments below have been edited for length and clarity.

Alissa Abdullah, deputy chief security officer at Mastercard: We create videos that are very short and that are catchy. Our catchphrase that we have here at Mastercard is, “I don’t know you like that.” So, when you look at an email and it could be a phishing email, what’s the catchphrase? I don’t know you like that.

We also have spear phishing tournaments, where if you click on a spear-phishing report, a spear-phishing email, you’re put into a lottery with prizes and things like that. So, we do gamify it as well. We have a security score. Everybody in the company gets a security score, and there is a lot of trash talking and street cred across teams and across executives on what their security score is.

Read the rest here.—BM

First, the good news: The AI revolution is still underway The bad news? Security might be falling by the wayside.

That’s one of the concerns around DeepSeek, the Chinese OpenAI alternative that exploded onto the global scene in January, erasing $1 trillion in technology stocks due to its cost-effectiveness compared to its competitors. It’s not all bad—the new large language model could provide a new way of deploying the technology due to its lower cost. Potential benefits aside, there are questions about how safe it is and how it might introduce vulnerabilities to the overall AI landscape.

Nerve center. For Chuck Herrin, field CISO at application security provider F5, those threats include dangers to application programming interface (API) frameworks across the industry. When the “hype cycle” of AI began in earnest, Herrin said, most APIs weren’t “under control”—meaning that once attackers were able to deploy powerful AI automation, defenders were already on the back foot.

“The rush to ‘AI all the things’ is just exacerbating that attack surface even more with new types of attacks we need to worry about,” Herrin said.

Read more here.—EH

Google revealed to Forbes this week that it’s moving away from six-digit codes to QR codes, when verifying new email account holders.

The transition by the popular email provider targets phishers preying on cell carriers, and text messages sent via short message service (SMS) technology.

“If a fraudster can easily trick a carrier into getting hold of someone’s phone number…any security value of SMS goes away,” Google Workspace spokesperson Ross Richendrfer told Forbes in February.

QR correct, sir! Richendrfer told the publication that the company will take the next few months to “reimagine” phone number verification and consider QR codes, displayed on the non-mobile device, as authentication mechanisms.

Currently, when a new Gmail account is created, Google verifies a person’s phone number by sending an SMS text message.

There are security limitations with this option: The verification codes can be accidentally shared with the phisher, through false sites and social engineering.

Keep reading here.—BH