The TL;DR
- Pennymac moved beyond annual training to an ongoing, security behavior program
- Fable delivers role-specific messaging based on real user risk, and delivers interventions
- Short-form video dramatically outperforms traditional email training
- Increased video engagement correlated with faster OS patching and reduced vulnerabilities
- Pennymac was able to close the loop, measuring whether security behavior changed
As social engineering threats evolve, and grow more convincing with AI, traditional security awareness training is no longer enough. In this customer testimonial video, the Pennymac CISO Cyrus Tibbs explains why annual refresher courses and generic email training fall short, and how his team uses Fable to deliver timely, role-specific security messaging that keeps pace with a rapidly changing threat landscape.
Cyrus describes a fundamental shift in how attackers operate: instead of breaking systems, they target people. That reality pushed Pennymac to rethink security training as an ongoing, behavioral program that understands individual risk, delivers relevant guidance in the moment, and measures whether behavior actually changes. Rather than relying on one-size-fits-all emails, the team adopted an approach closer to social media marketing: short, direct, actionable messages designed to drive engagement and measurable outcomes.
Using Fable, Pennymac automatically segments employees into cohorts based on role and observed behavior. These include money handlers, privileged infrastructure users, developers, and public-facing roles, each with distinct risk profiles and training needs. By eliminating guesswork around who receives which training, the security team ensures messaging is targeted, timely, and relevant, all without the manual toil.
The impact has been both immediate and measurable. A/B testing revealed dramatic differences in engagement between traditional email instructions and Fable’s AI-generated briefing videos, with employees consistently responding better to video. In one case study focused on OS patching, Pennymac integrated Fable with its vulnerability management system and tracked outcomes from video delivery through patch completion, finding a clear correlation between video engagement and reduced vulnerabilities.
Today, Fable has become Pennymac’s default platform for driving organizational change, not just security training. Cyrus notes that Fable’s automation and targeting capabilities free up significant staff time, while employees consistently respond positively to the short-form video format. The result is a security awareness program that scales with the business, adapts to real risk, and earns employee attention.
