Simplifying Cyber

Part 2: Swords, Subpoenas, & Software

Aaron Pritz, Cody Rivers Season 2 Episode 20


0:00 | 28:46


A champagne bottle, a blade, and a clean strike turn into one of the clearest cybersecurity conversations we’ve had. We’re joined by attorney and cyber contracting veteran Drew Tharp, with Todd Wilkinson stepping in as guest host, and we use swords and fencing to unpack why breaches happen and why “just add more tools” rarely fixes the root problem.

Drew walks us through the four quadrant fencing model (active vs passive, offense vs defense) and how most security programs camp out in the obvious corners. We connect the overlooked zones to modern cybersecurity strategy: applying steady pressure that limits attacker options, building aggressive defensive moves that anticipate human behavior, and spotting the “seam” where urgency and confusion let a threat actor land one clean strike. If you work in healthcare cybersecurity, we also dig into why ransomware and business email compromise keep hitting so hard and how internal business pressure makes incidents worse.

On the legal and vendor risk side, we get real about cyber insurance requirements, unlimited liability, and how BAAs and data sharing agreements can smuggle in heavy terms that the wrong reviewer might sign. Then we pivot to AI in legal work, including Harvey AI, and explain the key limitation that matters for both lawyers and CISOs: AI can speed up review, but it cannot understand business context, risk appetite, or which deal is worth the exception.

If you liked this one, subscribe for more practical cybersecurity conversations, share it with a teammate who lives in contracts or incident response, and leave us a review with your biggest “how did that term get in there” story.

🔗 Connect with Us & Get in Touch  

Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics. 

No gatekeeping and no BS. We’re here to simplify.  

Official Website: www.revealrisk.com  

LinkedIn: https://www.linkedin.com/company/reveal-risk  

🤘 Stay Secure with Us 

If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates. 

Reveal Risk delivers cybersecurity results, not just reports. 

Swords, Champagne, And The Big Idea

SPEAKER_01

Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz, and we're here today with special guest host Todd Wilkinson and Drew Tharp. And I'm gonna give a little summary of what we're gonna talk about, because you probably saw in the opener we were cutting shit with swords, and fruits, and champagne that we're now drinking. Drew has been an avid sword collector, over 120 since high school. You saw as we sabraged the champagne that it was actually easier than I thought. But I would say we're gonna talk about how we got into swords, fencing, and really how some of these things connect to cybersecurity. So, Drew, welcome to the show.

Drew’s Legal And Cyber Background

SPEAKER_01

Thank you. Thank you. Glad to be here. Give us a little intro about you and how you've been in and around cyber and legal, and kind of where did you come from? Where are you today?

SPEAKER_02

Yeah, yeah. The boring stuff. Got it. So I am an attorney. I work for several different companies and also help out here at Reveal Risk with some contracting things. And so I've been involved in cybersecurity and SaaS contracting and things like that for about 12 years. And I've worked for Fortune 500s, multinationals, and also smaller startups helping them try to get their contract management systems up and running and that sort of thing.

SPEAKER_01

Awesome. Yeah, and in the contracts, obviously, a lot of times companies are upping their game of what they're requiring: cyber insurance, unlimited liability, lots of things that are a tough dance, especially for a boutique and a Fortune 200

Contracts, Insurance, And Liability Reality

SPEAKER_01

to work out like where do you land in the middle somewhere?

SPEAKER_02

Yeah, the risk is especially outsized for cyber issues, because obviously if you have a breach, that can cost millions and millions and millions of dollars. And unfortunately they're fairly common. So the insurance requirements can be difficult, especially for smaller boutiques, to meet those challenges. But yeah.

SPEAKER_01

And within pharma and med device, you've spent a lot of time there. What are the emerging things that are on your mind as concerns, both contractual as well as cyber program, as limited as you are involved in that?

SPEAKER_02

Yeah,

Biotech Threats And BAA Traps

SPEAKER_02

absolutely. I mean, I think three things come to mind when it comes to the biotech pharma space. One is obviously protecting your data and your intellectual property. I think a lot of the breaches that we see in the biotech space are sometimes aimed at actually stealing intellectual property, not just getting some data so that we can go, you know, find some emails to send people and that kind of stuff, steal some social security numbers. A lot of it is focused around actual corporate espionage. And so I think that's something that we have to keep in mind. Another issue that I see coming up more and more often is on BAAs, business associate agreements, where a lot of times the business associate who's trying to contract will send a pretty onerous agreement that includes limits of liability, includes sometimes even subrogation or indemnity. And basically they're trying to shoehorn real legal issues into what's effectively a data sharing agreement, right? And when you try to shoehorn those in, then you have somebody who's not accustomed to looking at those issues, an IT person looking at that agreement and going, okay, whatever, and signing away some very important rights on that BAA. We actually talked before, it kind of reminds me of the Disney World thing where Disney World actually put some terms and conditions about their physical locations into the Disney Plus terms and conditions, which resulted in some people having issues at Disney. I don't remember what it was, probably slip and fall or something. But then they have these issues and they couldn't sue Disney because they'd agreed to arbitration in the Disney Plus agreement, and that bound them to Disney World as well, which is at best disingenuous, at worst unconscionable. 
So I think that a lot of people, or a lot of companies, or a lot of places are trying to kind of slip some of those past the radar by having a quote unquote lower level person sign a low-risk agreement like a BAA or a CDA with some onerous terms. All they were trying to do is watch Star Trek online. Exactly, exactly. Exactly. Star Wars, I believe. I think Disney hasn't acquired it. Not yet.

SPEAKER_01

Yeah, I mixed up my genres.

SPEAKER_02

Paramount's next, I'm sure it's on there.

SPEAKER_01

Does anybody know what happened to Cody? Did he get cut with a sword? I don't understand. Well, yeah, we took him out. All right, or the body cut in half. Take one for the team. Exactly. Anyway, thanks Todd for joining. I'm here now.

The Four Quadrant Fencing Model

SPEAKER_01

I think let's go back to swords, because I think that's what we came for. That, you know, we make some connections here. But Drew, I think when we were prepping before the show here, you were talking about fencing was kind of your path into sword collection. Yes. So what we got into was the four quadrant fencing model, which I think has a lot of applicability. And we're not gonna do, like the classic RSA conference, at least three to five topics on Sun Tzu's Art of War. But let's at least talk about fencing strategy and things that we might be able to learn from that.

SPEAKER_02

Yeah, absolutely. Well, and I think that it ties in really well to cybersecurity today, because when I learned the four quadrant strategy, which I'll explain here in a moment, it really changed the way that I fenced, and that also I think can really change the way that we think about cybersecurity. So the four quadrant strategy says that a strategy can either be passive or active, and it can be defensive or offensive, right? So that gives you four quadrants. And if you ask most people, they'll say, yep, it's an aggressive offensive strategy. That's the norm, right? I'm gonna go get them, I'm gonna chase the threat actors, that's all they've got, right?

SPEAKER_01

Right. On the defensive, yeah.

SPEAKER_02

Right. And then most people think of defense as passivity. We're gonna set up firewalls, we're gonna set up things that keep people from getting in, that sort of thing. So you've got aggressive offense and you've got passive defense. But where most people aren't looking and aren't working is in the passive offense and the aggressive defense. And you can actually have aggressive defensive strategies and you can have passive offensive strategies. So in fencing, an aggressive defensive strategy is actually called second intention. And I want to talk about that in a minute and how that might relate to cybersecurity. And then in fencing, a passive offensive strategy is a press. It's an attempt to gain space, to push them towards the other end of the strip, but not necessarily attacking them the whole time, right? It's just that pressure, that push on them. And I think that can be applicable as well.

SPEAKER_01

Nice. Is there a connection into the Muhammad Ali rope-a-dope?

SPEAKER_02

Yeah, yeah, certainly passive defense. Yeah, yeah. That would definitely be, well, I think that'd be an active defense, probably, right? But well, no, it's a passive defense, yeah. Yeah, yeah. That can definitely be a passive defense, I think that, yeah.

SPEAKER_01

We'll get into more of those connections as we progress, but as we were sabering the champagne

Seams, Pressure, And The Clean Strike

SPEAKER_01

earlier. By the way, cheers, fellas. Yeah, cheers. There's no clink because these are plastic, but they look classy on the camera. So yeah, Drew, you taught us pressure, applying pressure, a seam, and one clean strike, which is kind of what a breach looks like, right? Like there's a weakness, the seam, and there's some sort of pressure, whether it's social engineering or urgency, sense of urgency, and you know, panic, and then that one clean strike, you're in. So it definitely feels like, especially in healthcare with some of our healthcare clients, they have heavily been a target in both ransomware and BEC since COVID, really. There was kind of a pass on healthcare before that, and then really during COVID, the threat actors went all in. And it's a shame, but it's the reality now. Right. But what else can we learn from kind of the four quadrant model and ways that individuals could both reduce the seams as well as be more, maybe we can talk about active offense, or really I think we said aggressive defense. It sounds like the best option on the other end of the table, right?

SPEAKER_02

Yes, yes. So, you know, I really like your analogy with the opening of the champagne bottle, because you're exactly right. It's about pressure, and it's the pressure that's inside the bottle too, right? And so you can reduce that pressure. And actually, we talked before the show, you said, hey, I want to set up these champagne bottles. And I said, make sure you cool them before we come in. They need to be chilled champagne bottles. And the reason why is because the pressure inside the champagne bottle will rise if it's warmer, because gases expand, so there will be more spray, right, and it can actually completely destroy the bottle, just blow up the bottle when you try to do the sabrage. So that really makes me think of: when you're a cybersecurity professional or a CISO, are you working with the business to reduce the internal pressure, to make sure that things that aren't necessarily cybersecurity related, when I think of that pressure building inside the bottle, I think of it in the healthcare space, right?

SPEAKER_01

Business urgency.

SPEAKER_02

The pressure is there because you've got PHI, you've got HIPAA requirements, you've got lives on the line. Right. That creates that pressure. And obviously in healthcare, it's easy to think about how that pressure is built up. But as people are listening to this, in your business, where is the pressure building, and how can you release the pressure, relieve the pressure that's not necessarily cybersecurity, so that when the breach does happen, you're not all running for the door trying to get out.

SPEAKER_01

No, that's good. Let's go back to your story. I

Fencing Lessons For Legal Negotiation

SPEAKER_01

think in my intel report here, I think maybe we found out that in middle school you were into Dungeons and Dragons and then got into real fencing, fencing lessons, fencing teams. And then obviously your sword collection hobby. What are some of those skills you've applied in your legal profession?

SPEAKER_02

Yeah, absolutely. I actually remember when I was in law school, the NCAA released a commercial that was a fencer, a collegiate fencer, fencing, and then it kept juxtaposing and cutting into the courtroom, showing them fencing and then doing litigation activities. And I was like, oh, that's really cool. That's my life. That's awesome. And so I think that there absolutely are connections between fencing and legal. You know, it's competitive, it's adversarial. At the end of the day, in both legal aspects and fencing, there's only going to be one winner. And you have to be strategic about who you're talking to. And a lot of times it's about the other person more than you. A lot of times the other person, if you know them, if you've fenced them before, if you've worked with them before, if you've competed against them before, you can know what kinds of things they're gonna do while they're in details. Exactly, exactly. And so I think that that is true in law too. You know, as I become more experienced, I know more of the players and more of the places. I think actually it's funny, even you, Aaron, have sent me some things to review, and I've been like, oh yeah, I know what they're gonna do. They're gonna push on this, this, and this, because I've signed contracts with this company before, and I know what they're going to request. And so I think that that's a big connection there.

SPEAKER_00

I was gonna say I see that in cyber all the time. There might be a laundry list of things they're worried about, but when you really get down to it, there's two or three things that really matter to them in the business, and those are the ones they're gonna come back with and make sure are right. So knowing those pinch points are their own pain points and why it matters to them, usually that helps lower that pressure a bit. Awesome. Absolutely.

SPEAKER_01

Todd, any questions that you want to ask Drew?

The Swiss Army Knife Approach

SPEAKER_00

Well, the offensive pressure you apply in there, like what is your strategy when you're going into it? Are you the type of person that leads on the offense? Do you kind of test with your defenses? Share some of your secrets?

SPEAKER_02

Yeah, right. When it comes to like a contract negotiation, is that what you're asking about, or more on the cybersecurity side?

SPEAKER_00

Well, I was gonna say on the fencing side. What's your fighting style?

SPEAKER_02

What's my personal fighting style? I was taught when I was on IU's fencing team to be a Swiss Army knife, and that has become my style. I'm not great at any one particular thing, but I'm pretty good at a bunch of things, and I use that as a strategy. So I wouldn't say that I stay in one quadrant. My whole goal is to score a point in each of the quadrants, or in each of the kind of ideas, in the first few points of the bout. Because if I push you, then you decide, oh, I can't be defensive. He's going to be aggressive. And then if you come and you're aggressive to me and I defeat you defensively, then you go, oh, what can I do? And I try to whittle down your choices until you're at a point where you're just like, I don't know what to do, and then I just hit you until, yeah, exactly.

SPEAKER_00

The follow-on to that, if we pivot that to cyber and some of the contracts that we have to deal with, how does that approach carry over? Do we kind of let the other side lead? What are your thoughts there?

SPEAKER_02

Well, I think that, you know, I'm definitely not an expert on cybersecurity like you guys are, but I think that a lot of times you're going to be in a defensive posture no matter what, because unless you are literally a cybersecurity company, you're not going to be able to stay on top of what's going on, what every single person is doing, right? And it's always the attackers, whether this is going to Sun Tzu or fencing, it's always the attackers who are going to have the opening move, because they have to. By nature, if you're defending, you're waiting. And so I think that when we think about that though, I think that we think about how threat actors can use these tactics against

Second Intention And Social Engineering

SPEAKER_02

us. So one example is they actually can be aggressively defensive, because you may think, well, you know, we're on defense, we're waiting for them to come try to attack us, and that's true. But what they may do is bait you. And this is called a second intention action in fencing. It's when I try to get you to do something, knowing what you're going to do, and then take advantage of that. So it feels very much to you like I'm giving you an opening, like I'm saying, here, come attack me here.

SPEAKER_01

I think in social engineering and phishing, I think that's the lure, right? The first action is getting you to do something benign, and then the second one, once you've had a little bit of trust or an interaction, the second one is really where the payload is delivered. Exactly.

SPEAKER_02

Yeah, and in order to pull that off, you have to kind of know what's gonna make the person move, right? If you send me an email and it comes from, you know, a bunch of random letters at hotmail.au.co, I'm gonna go, well, that's stupid. That's somebody attacking me. But if you send me an email that's masked so that it appears as though it's one of my friends and family, then that's obviously gonna work better. And so I think that's the bait. Yeah, that's awesome.

SPEAKER_01

Well, that's not awesome, but that's the real world, that's what happens. So

Harvey AI And Risk Context

SPEAKER_01

when we were chatting the other day, we discussed kind of AI and the trends that you're seeing. And obviously, we can talk about some of the lawyers that have kind of not been prepared as they used it and didn't make it their own, and it hallucinated. But we also talked about Harvey AI. So maybe cover both those topics: tell us what Harvey AI is and go from there.

SPEAKER_02

Yeah, sure. So Harvey AI, I think, and I don't want to be a promoter here. I'm not affiliated with Harvey at all. I just have a client who uses Harvey, and they've requested me to use their instance to do some things. And frankly, I've been really impressed with it, what it can produce, what it can do, how it can streamline work.

SPEAKER_01

I think Harvey was named after the Suits character, Harvey.

SPEAKER_02

Is that, yeah, I think that's right. I think that's right, which I pointed out, I find kind of funny, because they tell the lawyers that they're selling it to, use it like an associate, but Harvey's not the associate. Harvey's the partner, but Mike probably wouldn't have been as quick as a name, right? So I have used Harvey and really think that it has a lot of advantages. I think that it has some major issues still, too. And of course, anybody who's in job preservation mode right now: AI isn't perfect, you know, you obviously need to hire me. But why do you still need a lawyer when you've got Harvey AI that can do a lot of the things that you may hire a lawyer to do? And to me, it's really about threat assessment, which ties back to cybersecurity as well, right? It's about looking and deciding where certain risks are. What I've noticed with Harvey, for instance, is it saves me a lot of time, because I can plug a contract in and I can say, hey, can you review this for me? And Harvey will determine what particular clauses are important, what particular clauses are outside of industry norms, things like that. But at the end of the day, Harvey doesn't know, is this an important customer that's going to make or break our year? Is this something that we're willing to take a risk on? Harvey doesn't know the risk context, which is something we talk about all the time. When you bring a contract to me, I go, you know, I don't like this term, but if you want their business, it's probably something we're gonna have to accept. And that's your choice. And I totally understand what you said.

SPEAKER_01

Right, more back and forth parrying and 18-month MSAs and things like that.

SPEAKER_00

There's this concept in cybersecurity of what's your risk appetite, how much risk are you willing to take on? And that is a hard thing to quantify. It's a lot of personal intuition. It's a lot of knowing who to talk to and the context of what's happening in that moment. And that one is hard to put down into an algorithmic process that AI can take on.

SPEAKER_02

Absolutely. And that's exactly the same in legal too, right? I think that we have a very similar profile to the business when we're partnering with the business, because I don't think they want to spend money on either of us. We're not fun. The return on investment is not instantly identifiable and not something that you can write to the shareholders about. But you'll find out real quick if you don't have quality there. You'll find out real quick, oh, we have gaps. And yeah, it's hard to convince people of your value.

SPEAKER_01

So

Samurai Armor And The Modeling Union

SPEAKER_01

two last questions, and one question Cody usually asks all of our guests. And you've already given us a bunch of Drew fun facts and personal stories, but what is one fun fact that most people don't know about Drew Tharp that we've not already covered?

SPEAKER_02

I think the fun fact that I'll give you guys, and this may make it harder for me to win at two truths and a lie in the future, but it ties into the swords. Fun fact about me: I was a professional model. And I know those of you looking at the video right now are going, man, I mean, I obviously assumed that you were a professional model. And it was not a professional model for, you know, ales. I was a professional model because I worked at a company that makes swords. It was actually an importer of swords called CAS Iberia. And this was in college. It was fun. There was this girl I liked who lived in Tennessee, and so I followed her and went and worked at a sword company, and now I'm married to her. But it was a fun place to work. And one day they said, hey, you actually sort of know how to use swords, and I said, yeah, sorta. And they said, okay, can we dress you up in armor and go take pictures of you out in the field? And I was like, sure, why not? So I put on this full suit of samurai armor and I went out into the field across the road and, you know, just did some movements with the swords.

SPEAKER_01

Crouching tiger, hidden dragon.

SPEAKER_02

Exactly, exactly. And the pictures came out, crouching tiger, crouching tiger, hidden dragon. There you go. The pictures came out awesome. It was this field of wild grass and there were the mountains of Tennessee behind us, and they were kind of foggy, it just looked awesome. Very nice. But then a couple weeks later, my boss there at the time came to me and he goes, hey, I need you to sign this and we're gonna add 40 bucks to your check this week. And of course I was in college. I was like, I don't know, okay, whatever. And he handed it to me and I signed it. It was before I was a lawyer. And I signed it and I said, what am I doing? And he said, well, you've got to be in the model guild, you've got to be in the model union, because we want to put the pictures that we took in Blade Magazine, which is, you know, a knife magazine. And I said, okay, and so there we go. I was a dues-paying member of the modeling union.

SPEAKER_01

Very nice. All right, and then last question: if you or your career were a sword, which one and why?

The Rapier Choice And Final Takeaways

SPEAKER_02

That's a good question. And one that you did not prepare me for. So I have to. Yeah, yeah, I know.

SPEAKER_01

There were a lot of AI-generated notes. There were a lot of notes. I'm doing offense. You are, you are, you are.

SPEAKER_02

I think I have to use passive defense, because I think I was caught off guard here. But when I think about it, you know, I think that I would say a rapier. A rapier is the sword that you'd normally think of as the Three Musketeers. It's a longer, skinnier sword that's used for dueling in particular. And the rapier was a big change in technology when it came around, because what people were discovering is people were wearing less and less armor because firearms were becoming more and more common, and armor doesn't stop bullets, and so why wear big heavy pieces of armor when you don't need to? And so the rapier came around as, you know, firearms didn't start off being great. You had one shot and then you needed a sword. And the whole idea was the rapier is, if I can poke you from all the way over here and you're all the way over there, then I win. And so actually, it's funny, over time we see there were laws put in place in places like Vienna and Paris and London that limited the length of rapiers, because people were getting 50, 60 inch rapier blades. Long range, very long range, and then of course knocking over people when they're walking through the streets and doing all this kind of stuff. And so, but to me, the reason why I say my career, my philosophy, is a rapier is because it's all about setting up the right strategic decision point and then acting on that with decisiveness.

SPEAKER_01

So that makes sense. And all three of us desire to be skinny, and we're all working on that. Exactly, exactly, exactly. I think Todd, you said suck it in right before we went on.

SPEAKER_00

That was the plan.

SPEAKER_02

No, I mean if you asked me what I'd actually use in real life, it'd definitely be a Scottish bronze. Why is that? Because I'm a big guy and I like to hit things hard. Okay, all right.

SPEAKER_01

Awesome. Well, Drew, thanks for coming on the show. Really enjoyed this. This is probably my favorite episode, and we've destroyed the most fruit and champagne. And yeah, I appreciate it. Yeah, absolutely. Thank you guys for having me. It's been great. Awesome. Cool.