A champagne bottle, a blade, and a clean strike turn into one of the clearest cybersecurity conversations we’ve had. We’re joined by attorney and cyber contracting veteran Drew Tharp, with Todd Wilkinson stepping in as guest host, and we use swords and fencing to unpack why breaches happen and why “just add more tools” rarely fixes the root problem.
Drew walks us through the four quadrant fencing model (active vs passive, offense vs defense) and how most security programs camp out in the obvious corners. We connect the overlooked zones to modern cybersecurity strategy: applying steady pressure that limits attacker options, building aggressive defensive moves that anticipate human behavior, and spotting the “seam” where urgency and confusion let a threat actor land one clean strike. If you work in healthcare cybersecurity, we also dig into why ransomware and business email compromise keep hitting so hard and how internal business pressure makes incidents worse.
On the legal and vendor risk side, we get real about cyber insurance requirements, unlimited liability, and how BAAs and data sharing agreements can smuggle in heavy terms that the wrong reviewer might sign. Then we pivot to AI in legal work, including Harvey AI, and explain the key limitation that matters for both lawyers and CISOs: AI can speed up review, but it cannot understand business context, risk appetite, or which deal is worth the exception.
If you liked this one, subscribe for more practical cybersecurity conversations, share it with a teammate who lives in contracts or incident response, and leave us a review with your biggest “how did that term get in there” story.
On Spotify, Apple Podcasts, or Buzzsprout.
Or watch on our YouTube Channel!
Part 1: https://youtu.be/RFdbo8fjbLM
Part 2: https://youtu.be/lkK58zRdbdQ
Here's the transcript from the whole episode:
00:00:05:16 - 00:00:30:09
Unknown
Thanks for tuning in to Simplify and Cyber. I'm Aaron, and we're here today with special guest hosts Todd Wilkinson and Drew Tharp. And I'm going to give a little summary of what we're going to talk about, because you probably saw in the opener we were cutting shit with swords and fruits and champagne that we're now drinking. But Drew has been an avid sword collector, over 120 since high school.
00:00:30:11 - 00:00:51:16
Unknown
You saw, as we sabraged the champagne, that it was actually easier than I thought. But I would say we're going to talk about how we got into swords, fencing, and really how some of these things connect to cybersecurity. So Drew, welcome to the show. Thank you. Thank you. Glad to be here.
00:00:51:16 - 00:01:15:12
Unknown
Give us a little intro about you and how you've been in and around cyber and legal, and kind of where did you come from? Where are you today? Yeah, yeah, the boring stuff. Got it. Yeah. So I'm an attorney. I work for several different companies and also help out here at Reveal Risk with some contracting things.
00:01:15:12 - 00:01:50:16
Unknown
And so I've been involved in cybersecurity and SaaS contracting and things like that for about 12 years. And I've worked for Fortune 500 multinationals and also smaller startups, helping them try to get their contract management systems up and running and that sort of thing. Awesome. Yeah. And in the contracts, obviously, a lot of times companies are upping their game of what they're requiring: cyber insurance, unlimited liability.
00:01:50:17 - 00:02:12:23
Unknown
Yes. Lots of things that are a tough dance, especially for a boutique and a Fortune 200 to work out. Like, where do you land, in the middle somewhere? Yeah, yeah. Middle. The risk is especially outsized for cyber issues because obviously if you have a breach, that can, you know, cost millions and millions and millions of dollars.
00:02:13:03 - 00:02:39:12
Unknown
And unfortunately they're fairly common. So the insurance requirements can be difficult, especially for smaller boutiques, to meet those challenges. But within pharma and med device, you spent a lot of time there. What are the emerging things that are on your mind, concerns both contractual as well as cyber program, as you're involved in that?
00:02:39:13 - 00:03:15:21
Unknown
Yeah, absolutely. I mean, I think three things come to mind when it comes to the biotech pharma space. One is obviously protecting your data and your intellectual property. I think a lot of the breaches that we see in the biotech space are sometimes aimed at actually stealing intellectual property, not just getting some data so that we can go, you know, find some emails to send people, that kind of stuff, steal some Social Security numbers.
00:03:15:22 - 00:03:50:01
Unknown
A lot of it is focused around actual corporate espionage. And so I think that's something that we have to keep in mind. Another issue that I see coming up more and more often is on BAAs, business associate agreements, where a lot of times the business associate who's trying to contract will send a pretty onerous agreement that includes limits of liability, includes sometimes even subrogation or indemnity.
00:03:50:01 - 00:04:20:03
Unknown
And basically they're trying to shoehorn real legal issues into what's effectively a data sharing agreement. Right. And when you try to shoehorn those in, then you have somebody who's not accustomed to looking at those issues, an IT person, looking at that agreement and going, okay, whatever, and signing away some very important rights on that BAA. We actually talked before.
00:04:20:05 - 00:04:57:05
Unknown
It kind of reminds me of the Disney World thing, where Disney World actually put some terms and conditions about their physical locations into the Disney Plus terms and conditions, which resulted in some people having issues at Disney. I don't remember what it was, probably slip and fall, but then they have these issues and they couldn't sue Disney because they'd agreed to arbitration in the Disney Plus agreement, and that bound them to Disney World as well, which is at best disingenuous, at worst unconscionable.
00:04:57:05 - 00:05:18:23
Unknown
So I think that a lot of people, or a lot of companies, or a lot of places are trying to kind of slip some of those past the radar by having a quote unquote lower level person sign a low risk agreement, like a BAA or a CDA, with some onerous terms. All they were trying to do is watch Star Trek online.
00:05:19:00 - 00:05:41:07
Unknown
Exactly, exactly. It's over. Star Star Wars, I believe. Star Wars. Yeah yeah yeah. Disney hasn't acquired. Not yet. Yeah, I mixed up my Paramount's next, I'm sure. Does anybody know what happened to Cody? Did he get cut with a sword? I don't understand. Well, yeah, we took him out. All right, well, the body had cut in half. Take one for the team.
00:05:41:08 - 00:06:03:01
Unknown
Exactly. Anyway, thanks for joining. I'm here now, I think. Let's go back to swords, because I think that's what we came for, and we'll make some connections here. But I think when we were prepping before the show here, you were talking about how fencing was kind of your path into sword collection. Yes. So what we got into was the four quadrant fencing model, which I think has a lot of applicability, and we're not going to do it.
00:06:03:01 - 00:06:36:15
Unknown
The classic RSA conference, at least 3 to 5 topics on Sun Tzu, Art of War. But let's at least talk about fencing strategy and things that we might be able to learn from that. Yeah, absolutely. Well, I think that it ties in really well to cybersecurity today, because when I learned the four quadrant strategy, which I'll explain here in a moment, it really changed the way that I fenced, and that also, I think, can really change the way that we think about cybersecurity.
00:06:36:15 - 00:07:06:08
Unknown
So the four quadrant strategy says that a strategy can either be passive or active, and it can be defensive or offensive. Right. So that gives you four quadrants. And if you ask most people, they'll say, yeah, it's an aggressive offensive strategy. That's the norm. Right? I'm going to go get them. I'm going to chase the threat actors.
00:07:06:08 - 00:07:35:13
Unknown
That's all they got. Right. Right on the defensive. Yeah. Right. And then most people think of defense as passivity. We're going to set up firewalls. We're going to set up things that keep people from getting in, that sort of thing. So you've got aggressive offense and you've got passive defense. But where most people aren't looking and aren't working is in the passive offense and the aggressive defense.
00:07:35:18 - 00:08:12:22
Unknown
And you can actually have aggressive defensive strategies and you can have passive offensive strategies. So in fencing, an aggressive defensive strategy is actually called second intention. And I want to talk about that in a minute and how that might relate to cybersecurity. And then in fencing, a passive offensive strategy is a press. It's an attempt to gain space, to push them towards the other end of the strip, but not necessarily attacking them the whole time.
00:08:12:23 - 00:08:41:16
Unknown
Right. It's just that pressure, that push on them. And I think that can be applicable as well. Nice. Is there a connection into the Ali rope-a-dope? Yeah. Yeah, certainly, a kind of defense. Yeah. Yeah, that would definitely be... Well, I think that'd be an active defense probably. Right. But... Well no, it's a passive defense. Yeah yeah yeah, that can definitely be a passive defense.
00:08:41:17 - 00:09:08:14
Unknown
And I think that, yeah, sure, we'll get into more of those connections as we progress. But as we were sabering the champagne, the champagne saber and the champagne earlier. By the way, cheers, fellas. Yeah, sure. There's no clink because these are safe. They look classy on the camera. So, yeah. Drew, you taught us pressure, applying pressure, a seam, and one clean strike.
00:09:08:17 - 00:09:36:20
Unknown
Yes. This is kind of what a breach looks like, right? Like there's a weakness there, you know, the seam, and there's some sort of pressure, whether it's social engineering or urgency, a sense of urgency and panic. And then that one clean strike, you're in. So it definitely feels like, especially in healthcare with some of our healthcare clients, they have heavily been a target in both ransomware and BEC since Covid. It really was kind of a pass on healthcare before that.
00:09:36:20 - 00:10:04:14
Unknown
And then really during Covid, the threat actors went all in, and it's a shame, but it's the reality now, right? But what else can we learn from kind of the four quadrant model and ways that individuals could both reduce the seams as well as be more... Maybe we can talk about active offense, or really I think we said aggressive defense. Aggressive seems like the best option on the other end of the table.
00:10:04:15 - 00:10:26:18
Unknown
Yes, yes. So, you know, I really like your analogy with the opening of the champagne bottle, because you're exactly right. It's about pressure. And it's the pressure that's inside the bottle too. Right. And so you can reduce that pressure. And actually we talked before the show, you said, hey, I want to set up these champagne bottles.
00:10:26:18 - 00:10:52:03
Unknown
And I said, make sure you cool them before we come in. They need to be chilled champagne bottles. And the reason why that is, is because the pressure inside the champagne bottle will rise if it's warmer, because gases expand, and there will be more spray. Right. And it can actually completely destroy the bottle, just blow up the bottle when you try to do the sabrage.
00:10:52:04 - 00:11:28:03
Unknown
So that really makes me think of: when you're a cybersecurity professional or a CISO, are you working with the business to reduce the internal pressure, to make sure that things that aren't necessarily cybersecurity related... When I think of that pressure building inside the bottle, I think of it in the healthcare space, right? The pressure is there because you've got PHI, you've got HIPAA requirements, you've got lives on the line.
00:11:28:04 - 00:11:52:19
Unknown
Right. That creates that pressure. And obviously in healthcare, it's easy to think about how that pressure is built up. But as people are listening to this, in your business, where is the pressure building, and how can you release the pressure, relieve the pressure that's not necessarily cybersecurity, so that when the breach does happen, you're not all running for the door trying to get out?
00:11:53:00 - 00:12:16:12
Unknown
That's good. Let's go back to your story. I think in my intel report here, I think maybe we found out that in middle school you were into Dungeons and Dragons, and then got into real fencing, fencing lessons, fencing teams. What has that... and then obviously your sword collection hobby. What, if any, of those skills have you applied in your legal profession?
00:12:16:14 - 00:12:53:13
Unknown
Yeah, absolutely. I actually remember when I was in law school, the NCAA released a commercial that was a fencer, a collegiate fencer, fencing. And then it kept juxtaposing and cutting into the courtroom, showing them fencing and then doing litigation activities. And I was like, oh, that's really cool. That's my life. That's awesome. And so I think that there absolutely are connections between fencing and legal.
00:12:53:15 - 00:13:28:05
Unknown
You know, it's competitive. It's adversarial. At the end of the day, in both legal aspects and fencing, there's only going to be one winner. And you have to be strategic about who you're talking to. And a lot of times it's about the other person more than you. A lot of times, the other person, if you know them, if you've fenced them before, if you've worked with them or if you've competed against them before, you can know what kinds of things they're going to do.
00:13:28:06 - 00:13:49:00
Unknown
Well, there it is exactly. And so I think that that is true in law too. You know, as I become more experienced, I know more of the players and more of the places. I think actually, it's funny, even you, Aaron, have sent me some things to review and I've been like, oh yeah, I know what they're going to do.
00:13:49:01 - 00:14:08:16
Unknown
They're going to push on this, this and this, because I've signed contracts with this company before and I know what they're going to request. And so I think that that's a big connection there. I was going to say, I see that in cyber all the time. There might be a laundry list of things they're worried about.
00:14:08:16 - 00:14:26:08
Unknown
But when you really get down to it, there's 2 or 3 things that really matter to them in the business, and those are the ones they're going to come back with and make sure are right. So knowing those pinch points or their own pain points and why it matters to them, usually that helps lower that pressure a bit.
00:14:26:10 - 00:14:50:13
Unknown
Awesome. Absolutely. Todd, any questions that you want to ask? Well, I was thinking about the offensive pressure you apply in there. Like, what is your strategy when you're going into it? Are you the type of person that leads on the offense? Do you kind of test with your defenses? What are some of your secrets? Yeah. When it comes to like a contract negotiation, is that what you're asking about, or more on the cybersecurity side?
00:14:50:14 - 00:15:14:19
Unknown
Well, I was going to say on the fencing side, what's your fighting style? What's my personal fighting style? I was taught when I was on IU's fencing team to be a Swiss Army knife, and that has become my style. I'm not great at any one particular thing, but I'm pretty good at a bunch of things, and I use that as a strategy.
00:15:14:19 - 00:15:51:08
Unknown
So I wouldn't say that I stay in one quadrant. My whole goal is to score a point in each of the quadrants, or in each of the kind of ideas, in the first few points of the bout. Because if I push you, then you decide, oh, I can't be defensive. He's going to be aggressive. And then if you come and you're aggressive to me and I defeat you defensively, then you go, oh, what can I do?
00:15:51:13 - 00:16:09:23
Unknown
And I try to whittle down your choices until you're at a point where you're just like, I don't know what to do. And then I just hit you until... Nice. Yeah. Exactly. The follow on to that: if we pivot that to cyber and some of the contracts that we have to deal with, how does that approach carry over?
00:16:10:00 - 00:16:46:22
Unknown
Do we kind of let the other side lead? What are your thoughts there? Well, I think that, you know, I'm definitely not an expert on cybersecurity like you guys are. But I think that a lot of times you're going to be in a defensive posture no matter what, because unless you are literally a cybersecurity company, you're not going to be able to stay on top of what's going on, what every single person is doing.
00:16:46:22 - 00:17:21:21
Unknown
Right. And it's always the attackers. Whether this is going to Sun Tzu or fencing, it's always the attackers who are going to have the opening move, because they have to by nature; if you're defending, you're waiting. And so I think that when we think about that, though, I think that we think about how the...
00:17:21:22 - 00:17:51:20
Unknown
How threat actors can use these tactics against us. So one example is they actually can be aggressively defensive, because you may think, well, you know, we're on defense. We're waiting for them to come try to attack us. And that's true. But what they may do is bait you. And this is called a second intention action in fencing.
00:17:51:20 - 00:18:11:00
Unknown
It's when I try to get you to do something, knowing what you're going to do, and then take advantage of that. So it feels very much to you like I'm giving you... like I'm saying, here, come attack me here. In social engineering and phishing, I think that's the lure, right? The first action is getting you to do something benign.
00:18:11:00 - 00:18:41:04
Unknown
And then the second one, once you've had a little bit of trust or an interaction, the second one is really where the payload is delivered. Exactly. And in order to pull that off, you have to kind of know what's going to make the person move, right? If you send me an email and it comes from, you know, a bunch of random letters at, you know, Hotmail dot a, you know, I'm going to go, that's stupid.
00:18:41:04 - 00:18:59:13
Unknown
That's somebody, you're telling me. But if you send me an email that's masked so that it appears as though it's one of my friends or family, then that's obviously going to work better. And so I think that's the bait. That's the... yeah. Yeah. That's awesome. Well, that's not awesome. But that's real world. That's what happens.
00:18:59:19 - 00:19:19:23
Unknown
So when we were chatting the other day, we discussed kind of AI and the trends that you're seeing. And obviously we can talk about some of the lawyers that have kind of not been prepared as they used it and didn't make it their own and it hallucinated. But we also talked about Harvey AI, so maybe cover both those topics, tell us what Harvey AI is and go from there.
00:19:20:04 - 00:19:41:11
Unknown
Yeah, sure. So Harvey AI, I think, and I don't want to be a promoter here. I'm not an affiliate. I'm not affiliated with Harvey at all. I just have a client who uses Harvey, and they've requested me to use their instance to do some things. And frankly, I've been really impressed with it.
00:19:41:13 - 00:20:02:07
Unknown
What it can produce, what it can do, how it can streamline work. I think Harvey was named after the Suits character, Harvey. Is that... I think that's right. I think that's right, which, I pointed out, I find kind of funny, because they tell the lawyers that they're selling it to to use it like an associate.
00:20:02:08 - 00:20:27:13
Unknown
But Harvey's not the associate. Harvey is the partner. But Mike probably wouldn't have been as quick as a name. Right. So I have used Harvey and really think that it has a lot of advantages. I think that it has some major issues still too. And of course, anybody who's in job preservation mode right now: AI isn't perfect.
00:20:27:13 - 00:20:52:20
Unknown
I, you know, you obviously hire me, but why? Why do you still need a lawyer when you've got Harvey AI that can do a lot of the things that you may hire a lawyer to do? And to me, it's really about threat assessment, which ties back to cybersecurity as well. Right? It's about looking and deciding where certain risks are.
00:20:53:02 - 00:21:20:04
Unknown
What I've noticed with Harvey, for instance, is it saves me a lot of time, because I can plug a contract in and I can say, hey, can you review this for me? And Harvey will determine what particular clauses are important, what particular clauses are outside of industry norms, things like that. But at the end of the day, Harvey doesn't know:
00:21:20:06 - 00:21:40:17
Unknown
Is this an important customer that's going to make or break our year? Is this something that we're willing to take a risk on? Harvey doesn't know the risk context, which is something we talk about all the time. When you bring a contract to me, I go, you know, I don't like this term, but if you want their business, it's probably something we're going to have to accept.
00:21:40:17 - 00:22:05:02
Unknown
And that's your choice. And I totally understand it. Saying more back and forth, parrying, and 18 month MSAs and things like that. There's this concept in cybersecurity: what's your risk appetite? How much risk are you willing to take? And that is a hard thing to quantify. And it's a lot of personal intuition. It's a lot of knowing who to talk to in the context of what's happening in that moment.
00:22:05:02 - 00:22:28:04
Unknown
And that one is hard to put down into, like, an algorithmic process that AI can take on. Absolutely. And that's exactly the same in legal too. Right. I think that we have a very similar profile to the business when we're partnering with the business, because I don't think they want to spend money on either of us.
00:22:28:04 - 00:22:53:07
Unknown
We're not fun. We don't produce... You know, the return on investment is not instantly identifiable, and not something that you can write to the shareholders about. But you'll find out real quick if you don't have quality there. You'll find out real quick: oh, we have gaps. And yeah, it's hard to convince people of your value.
00:22:53:08 - 00:23:19:05
Unknown
So two last questions, and one question Cody usually asks all of our guests. And you've already given us a bunch of fun facts and personal stories. But what is one fun fact that most people don't know about Drew that we've not already covered? I think the fun fact that I'll give you guys, and this may make it harder for me to win it to Tristan away in the future, but it ties into the swords.
00:23:19:06 - 00:23:44:14
Unknown
Fun fact about me: I was a professional model, and I know those of you looking at the video right now are going, man, I mean, I obviously assumed that you were a professional model. And it was not a professional model for, you know, ALS. I was a professional model because I worked at a company that makes swords, is actually an importer of swords, called CAS Iberia.
00:23:44:14 - 00:24:03:09
Unknown
And this was in college. It was fun. There was this girl I liked who lived in Tennessee. And so I went and followed her and went and looked at the sword company. And now I'm married to her. But it was a fun place to work. And one day they said, hey, you actually sort of know how to use swords.
00:24:03:09 - 00:24:26:11
Unknown
And I said, yes or no. And they said, okay, can we dress you up in armor and go take pictures of you out in the field? And I was like, sure. So I put on the full suit of samurai armor, and I went out into the field across the road and, you know, just did some movements with the swords. And Crouching Tiger, Hidden Dragon.
00:24:26:13 - 00:24:57:10
Unknown
Exactly. And the pictures came out... Crouching Tiger, Hidden Dragon. There you go. The pictures came out awesome. It was this field of wild grass, and there were the mountains of Tennessee behind us, and they were kind of foggy. It just looked awesome. Very nice. But then a couple weeks later, my boss there at the time came to me and he goes, hey, I need you to sign this.
00:24:57:10 - 00:25:12:04
Unknown
And we're going to add 40 bucks to your check this week. And of course, I was in college. I was like, I don't know. Okay, whatever. And he handed it to me and I signed it. And I said... Before you were a lawyer. It was before I was a lawyer. And I signed it and I said, what am I doing?
00:25:12:04 - 00:25:34:02
Unknown
And he said, well, you've got to be in the model guild. You've got to be in the model union, because we want to put the pictures that we took in Blade magazine, which is a, you know, a knife magazine. And I said, okay. And so there we go. I was a dues paying member of the modeling union.
00:25:34:03 - 00:25:47:00
Unknown
Very nice. All right. And then last question. If you or your career were a sword, which one and why?
00:25:47:02 - 00:26:12:23
Unknown
That's a good question. And one that you did not prepare me for. So I have to say... Yeah. Yeah, I know there's a lot of AI generated notes. There were a lot of them just now. So I've got the upper hand. I'm doing offense. You are, you are, you are. I know. Are you going to use aggressive offense or... You know, I think I have to use passive defense, because I think I was caught off guard here.
00:26:13:01 - 00:26:18:19
Unknown
But when I think about it, you know.
00:26:18:21 - 00:26:52:12
Unknown
I think that I would say a rapier. A rapier is the sword that you'd normally think of with the Three Musketeers. It's a longer, skinnier sword that's used for dueling in particular. And the rapier was a big change in technology when it came around, because what people were discovering is people were wearing less and less armor, because firearms were becoming more and more common, and armor doesn't stop bullets.
00:26:52:12 - 00:27:20:08
Unknown
And so why wear big, heavy pieces of armor when you don't need to? And so the rapier came around. As you know, firearms didn't start out being great. You had one shot and then you needed a sword. And the whole idea of the rapier is, if I can poke you from all the way over here and you're all the way over there, then I win.
00:27:20:09 - 00:27:42:19
Unknown
And so actually, it's funny, over time we see there were laws put in place in places like Vienna and Paris and London that limited the length of rapiers, because people were getting 50, 60 inch rapier blades, long range, very long range, and then of course knocking over people when they're walking through the streets and doing all this kind of stuff.
00:27:42:19 - 00:28:09:12
Unknown
And so, to me, the reason why I say my career, my philosophy, is a rapier is because it's all about setting up the right strategic decision point and then acting on that with decisiveness. So that makes sense. And all three of us desire to be skinny, and we're all working on that.
00:28:09:13 - 00:28:26:23
Unknown
Exactly, exactly, exactly. Todd, you said suck it in right before we went. That was the plan. Yeah. No, I mean, if you asked me what I'd actually use in real life, it'd definitely be a Scottish broadsword. Okay. Why is that? Because I'm a big guy, and I like to hit things hard. Okay. All right. Awesome. Well, Drew, thanks for coming on the show.
00:28:26:23 - 00:28:38:18
Unknown
Really enjoyed it. This is probably my favorite episode, and we've destroyed the most fruit and champagne. Yeah. Appreciate it. Yeah, absolutely. Thank you guys for having me. It's been great. Awesome. Cool.