You Can't Outrun a Script: AI Security in a Law Firm with Michael Massey - Ep 220
Michael Massey is the CISO at Reminger Co LPA, a defense-focused law firm handling medical malpractice defense, workers compensation defense, and insurance defense across a large portfolio of client matters. With a background that includes time at IBM Watson Health during what he describes as the early days of AI in healthcare analytics, Michael brings a practitioner's perspective to one of the most data-sensitive environments in cybersecurity: a law firm storing thousands of confidential client records, HIPAA-covered medical files, and privileged communications that cannot afford to be compromised.
Here’s a glimpse of what you’ll learn:
- How Michael's team discovered their own AI-powered security tools were working correctly by accidentally locking themselves out
- How Darktrace Identity and Rapid7 are functioning as the frontline defense layer at Reminger and what real-world triggered alerts actually look like in practice
- Why attorneys presenting AI-hallucinated case citations to judges is the most concrete example of what happens when verification stops
- How DLP tools surface genuine insider threat activity and why filtering the noise to find the real signal is one of the hardest ongoing challenges in legal IT
- Why Michael's time at IBM Watson Health gives him a firsthand lens on how fast AI can move from promising to catastrophic when governance is absent
- Why the vendor vetting process has become one of the most time-consuming and frustrating parts of AI adoption in a HIPAA-regulated environment
- Why the cat and mouse game between attackers and defenders will never end and what that means for how security teams should be building their programs
In this episode…
Michael opens with a phrase that stopped the host mid-sentence: you cannot outrun a script. It is the clearest and most economical summary of why AI-powered security is no longer optional that this podcast has captured. When attackers are operating at machine speed, any defensive posture that depends on human reaction time is structurally behind. Michael is not making an abstract argument. He is describing his operational reality at a law firm where confidential client records, HIPAA data, and privileged legal communications are stored across a system that receives attempted intrusions on a regular basis. Darktrace and Rapid7 are not aspirational purchases. They are the tools he relies on daily, and he tells the story of how he knows they work because both he and a colleague locked themselves out of their own systems within the same week by doing something outside their normal behavioral pattern. The AI flagged it, acted on it, and left two security administrators calling each other for help. His conclusion is exactly right: that is not a problem, that is proof.
The legal AI section of this episode is where Michael brings a perspective most security guests cannot. Attorneys at firms across the country are now appearing before judges with case citations that do not exist, sourced from AI systems that hallucinated the precedents with complete confidence and no disclaimer. In the legal world, Michael notes, they have their own term for this now. Law clerks are finding the ghost cases. Judges are calling attorneys to account. Disciplinary counsel is getting involved. Fines, suspensions, and in some cases disbarment proceedings are following. Michael draws the through-line to security directly: the same verification failure that burns an attorney in a courtroom burns a security analyst who acts on a false positive without checking. The tool is only as good as the human process built around it. At Reminger, the challenge is particularly acute because attorneys are naturally risk-averse and because many of them do not realize they are already using AI tools, a fact revealed by an internal survey where staff said they did not use AI while actively relying on AI-powered systems every day.
The IBM Watson Health story is the most historically grounded moment in the episode and one of the more sobering case studies this podcast has featured. Michael was there when Watson Health was doing what he now recognizes as early AI: ingesting thousands of hospital records, building treatment outcome models, identifying that Drug A produced better results than Drug B or C for patients matching specific profiles. It worked. Then it moved into cancer research and it moved too fast, and the result was a patient receiving chemotherapy who did not have cancer, a lawsuit, and the end of Watson Health as a going concern. Michael uses this not as a cautionary tale against AI but as a calibration: the pace of adoption has to be matched to the quality of the governance surrounding it. The organizations and governments that cannot move fast enough to build appropriate guardrails are not being slow. They are being outrun by a technology whose consequences they cannot yet fully anticipate.
Resources mentioned in this episode
CyberLynx Website
Michael Massey on LinkedIn
Reminger Co LPA Website
Darktrace Website
Sentinel One Website
Sponsor for this episode...
This episode is brought to you by CyberLynx.com
CyberL-Y-N-X.com.
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensure that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
Transcript:
Michael Massey
CISO
Reminger Co., LPA
Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Michael Massey, CISO at Reminger Co., LPA. Michael, welcome to the show.
Michael Massey: Thank you.
Matthew Connor: Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? CyberLynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.
Michael, for those who aren't familiar, can you tell us about Reminger and your role there as CISO?
Michael Massey: Sure. Reminger is a defense law firm. We handle medical malpractice defense, workers' compensation defense, and insurance defense. We store a significant volume of records — client information that is obviously proprietary and confidential, including a great deal of HIPAA data. Keeping all of that locked down is a core part of what we do, and that's where I come in.
Matthew Connor: And that's front and center today given the pace at which the threat landscape is evolving. With AI on both sides — good guys and bad guys — we're in a different era. Zero-day exploits are being weaponized at machine speed, and I don't think traditional layered security alone cuts it anymore. It's still necessary, but we need to fight fire with fire. I'm excited about products like Darktrace using machine learning to detect anomalies in real time and shut things down before damage is done — rather than discovering a breach six months after the fact. As someone boots on the ground every day at a firm with highly sensitive data, where do you see AI playing a role in security?
Michael Massey: AI is playing a big role right now, and the fundamental reason is that you cannot outrun a script. When you're facing machine-speed attacks, your defenses have to be machine-speed as well.
We get a lot of requests from our user community to leverage AI for legal research, document creation, and streamlining workflows. And immediately the questions become: where does that information go? What are the guardrails? Who has access? Is it going into ChatGPT, Microsoft Azure, Copilot — and what does that mean for our data governance?
On the security side, we're using Darktrace pretty heavily and we rely on it significantly. It does exactly what you described — triggers alerts through machine learning and allows us to respond quickly, or lets the SOC take action to quarantine a machine or user account. We also use Rapid7, which has been very effective and uses AI on the back end to trigger alerts in a timely way.
And I'll share a recent story that actually illustrates both the power and the challenge. It happened this past week. My colleague was working on a Saturday and reached out saying he thought Darktrace Identity had locked him out because he was doing something outside his normal pattern. I went in and released it for him. Then a couple days later, I made some changes to conditional access policies — not something I do daily, but periodically. Darktrace Identity flagged it and signed me out of everything. I'm sitting there thinking, what did I break? Did I just lock us out of our tenant? It was a brief panic moment. But then you step back and realize: OK, the system is actually doing exactly what it's supposed to. I'd rather have that happen and know it works than find out it doesn't work during an actual breach. We can now legitimately tell auditors we've tested our response — because we accidentally ran the test on ourselves.
Matthew Connor: I love that. "You can't outrun a script" is now one of my favorite phrases. And the fact that it flagged two administrators doing unusual things within the same week — that's the system working. The flip side is that you need a plan for when you lock yourself out. Having only one admin is a problem in that scenario. But still — better to have it and discover the gaps in a low-stakes way than not have it at all.
Michael Massey: Exactly. And the other dimension we're paying close attention to is the insider threat problem. With traditional tools, it's genuinely hard — you catch things after the fact, after damage is already done. AI changes that. On the DLP side specifically, we're getting alerts when someone downloads a large number of files outside their normal pattern. It works. But then you have to tune out the noise. If we're doing a records cleanup project and pulling a lot of archived material, that triggers alerts — and the challenge is filtering that expected activity to catch the signal underneath: someone who's actually trying to exfiltrate data because they're planning to leave the firm. It's a calibration problem, but it's a much better problem to have than flying blind.
Matthew Connor: And the LLM versus machine learning distinction matters a lot here. People conflate them as if they're the same thing, but they serve fundamentally different purposes. You can't just bolt an LLM onto an email security gateway — now you've created prompt injection risk on top of everything else. Machine learning for behavioral analysis and anomaly detection, LLMs for things like SOC analysis and summarizing what happened — those are the right tools for the right jobs.
Michael Massey: Agreed. And the vendor vetting challenge around this is real. We have vendors constantly trying to sell AI-powered products, and when we ask the security questions — SOC 2, HIPAA, FedRAMP compliance, where data is stored, what the guardrails are — a lot of their salespeople don't even know the answers. We handle significant volumes of HIPAA data. If the data center isn't certified, we can't use it. Full stop. But getting clear answers out of vendors right now is frustrating. A lot of them just want to move product.
The thing that surprised me when I did an internal survey about AI usage was that many of our users said they don't use AI — but they were already using tools that have AI built into the backend. They didn't know it was there. Which underscores why vendor diligence matters so much: the AI is in the product whether you chose it or not.
Matthew Connor: And on that note, tools like the Gartner Magic Quadrant are genuinely useful as a first filter. The pool of candidates is smaller, they've been evaluated by people who do this full-time, and you're working from a baseline of known quality. The downside is you potentially miss newer cutting-edge options. But for a law firm where attorneys are risk-averse by nature, is that a tradeoff you're comfortable making?
Michael Massey: Yes, that's exactly right. In a law firm, attorneys want tried and true. Bleeding edge isn't where we want to be. And I think that's actually the right instinct — especially when we've seen what happens when AI moves faster than the safeguards. You mentioned hallucinations — in the legal world, that's become a documented crisis. Attorneys relying heavily on AI for case research and citing cases that don't exist. A law clerk catches it, brings it to the judge, and suddenly the attorney is facing sanctions, fines, and in some cases potential disbarment proceedings. The tool is powerful, but the obligation to verify the output is still entirely on the human.
Matthew Connor: That's a stark real-world consequence. And it connects to a broader point about where AI is going. You mentioned your time at IBM Watson Health — can you walk us through that, because I think it's a really instructive example?
Michael Massey: Sure. Watson Health was in many ways an early incarnation of what we now call AI. We aggregated thousands of hospital records — essentially training a system on patient outcomes. Person with diabetes treated with Drug A, Drug B, Drug C, same baseline metrics — which drug produced the best results? The system could synthesize that at a scale no human team could match, and it worked well in those defined parameters.
The problem came when it moved faster than the evidence supported. They expanded into oncology — cancer treatment — and the system ended up recommending chemotherapy for a patient who didn't have cancer. The patient died. Lawsuits followed, and Watson Health effectively ceased to exist. That is the lesson in controlled growth. The best intentions, a genuinely powerful tool, and catastrophic consequences from moving before the safeguards were there. It's the same dynamic playing out today across the industry, just at a different scale.
Matthew Connor: And yet despite that history, the trajectory is unmistakably forward. Self-driving cars are the most visible parallel — years of incremental improvement, still requiring human supervision, but statistically already safer than human drivers in the conditions where it's deployed. Every day we delay adoption of a technology that demonstrably saves lives is itself a cost. The challenge is managing the transition intelligently rather than either charging ahead recklessly or getting paralyzed by fear.
Michael Massey: That's exactly it. Controlled growth. Analyze where you are at each point in time, make informed decisions, and recognize that right now those decisions still require human judgment in the loop. And I'm grateful for that when it comes to things like autonomous weapons systems. I think the day will come when AI makes better decisions than humans in those contexts too — just like with driving — but we are nowhere near ready for that to be fully autonomous. Hopefully by the time we get there, the governance has actually caught up.
Matthew Connor: Michael, this has been a great conversation. Before we go, can you tell everyone where they can find out more about you and Reminger?
Michael Massey: Absolutely. You can find me on LinkedIn. And Reminger's website is reminger.com. We primarily do defense work, but we also have attorneys who practice in estate planning and estate administration, so if anyone needs that kind of assistance, we're happy to help.
Matthew Connor: Fantastic. Thanks for coming on, Michael. Until next time.
Michael Massey: Thanks, Matt.