2025-02-27

Gone are the days when employees were subjected only to an annual cybersecurity training session to bolster their security awareness.

Gamification, memorable catchphrases, and inside jokes: these are just a few of the ways security professionals are making cybersecurity education a little more palatable in their organizations.

According to a 2024 Proofpoint report, computer-based training remains the most popular format for cybersecurity education within organizations (45%), followed by newsletters and emails (38%), as well as in-person training sessions (37%).

However, some security professionals, like LinkedIn CISO Lea Kissner, told IT Brew that traditional approaches to security awareness education have not always been the most enticing.

“There are a lot of trainings that I’ve had to take in the past where they…made my eyes glaze over, even as a security person who loves this stuff,” Kissner said.

IT Brew caught up with four security professionals on how they provide meaningful cybersecurity training and education to employees.

The comments below have been edited for length and clarity.

Alissa Abdullah, deputy chief security officer at Mastercard: We create videos that are very short and that are catchy. Our catchphrase that we have here at Mastercard is, “I don’t know you like that.” So, when you look at an email and it could be a phishing email, what’s the catchphrase? I don’t know you like that.

We also have spear phishing tournaments, where if you click on a spear phishing report, a spear phishing email, you’re put into a lottery with prizes and things like that. So, we do gamify it as well. We have a security score. Everybody in the company gets a security score, and there is a lot of trash talking and street cred across teams and across executives on what their security score is.

Michael Adams, CISO at Zoom: We have phishing simulations that we run constantly at the company. We have retraining that folks could potentially go through if that simulation shows a need for that. We’ve also gamified the reporting mechanisms for some of that so that folks can earn, if you will, virtual rewards and status.

We also have a security champions program which really focuses on our engineers and our developers, most particularly on security risk issues, how to mitigate those risks, and how to write secure code. We have security champions plus, which is an even higher level. We have different color belts that can be earned along the way in the journey.

During this past security awareness month, we did a competition for our developers that was around security risk issues and how they’re doing certain things with rewards attached to it.

Kissner: We’ve done bits where we have short videos that are kind of funny. The “Ryan [LinkedIn’s CEO] doesn’t want you to buy gift cards” has become a running joke from our communications team. So, it’s woven in throughout the year. We’ll put things up on the displays in the offices that hopefully are hitting those couple of messages that we want people to know, but are also actually entertaining to look at, so people are more likely to remember them.

John Downey, CISO at GoFundMe: In addition to the big annual training that we do, we also do focused micro training. They’re these monthly videos. They’re short and engaging, and based on what’s going on in the real world because I’m a big believer in learning from failure. If it’s hypothetical, people don’t really identify with it.