Towerwall CEO Michelle Drolet On How To Outwit Hackers In 2023

After three decades in cybersecurity, Drolet tells CRN that while much has changed in the field, the key is still to focus on making things as difficult for attackers as possible.

Cybersecurity In 2023

Over her three decades in cybersecurity, Michelle Drolet has seen the many dramatic changes the field has gone through — and a few things that’ve stayed the same. “We’re still battling the bad guys,” Drolet told CRN. “It’s just a bigger business than it used to be.”

The founder and CEO of Towerwall, a provider of solutions and professional services for security based in Framingham, Mass., Drolet said that some of the changes have certainly been positive. For one thing, on the whole, “we’ve become much more sophisticated in locking ourselves down — and understanding that if we lock the door, we need to lock the windows too,” she said. A lot more businesses now are seeing cybersecurity as a core part of their corporate strategy, and as a board-level issue that needs to be measured with key performance indicators, Drolet said. “The boards are now being held accountable.”


All of that has created major opportunities for Towerwall. On the proactive security side, the company specializes in risk assessment services such as penetration testing, vulnerability assessment and security awareness training, as well as security program and policy development. Towerwall also offers incident response and remediation services, and has a group focused on privacy and compliance.

What Towerwall is not, however, is a managed services provider (MSP) or managed security services provider (MSSP). “Nor do I ever want to be that,” Drolet said. Among other reasons, that’s because she believes it’s crucial for customers to have a “church and state” separation between the management of their environments and the testing of those environments for security issues.

Ultimately, Drolet said that doing cybersecurity the right way in 2023 means you’re making things so difficult for an attacker that they just give up, and move on to an easier target. As she recalled recently telling a customer, “‘We need to have you be locked down enough, that if somebody starts knocking, that you make it hard enough that they’re going to go to the next guy.’ And that’s really what it’s all about.”

What follows is an edited portion of CRN’s interview with Drolet.

Cybersecurity has become much higher profile in the past few years, but you were doing it long before. What are the biggest things that have changed? And what hasn’t changed?

I’ve been in cybersecurity since 1992, and it looks very different today than it did then. We’re still battling the bad guys though. It’s just a bigger business than it used to be.

From a technology perspective, [one change is that] because of insurance, you can’t say, “I’m not going to do MFA” — or you’re not going to get cyber insurance. They’re pushing hard now on DLP [data loss prevention]. So that leads into data classification projects. Because you can’t have a good DLP program without understanding what kind of data there is, and what needs to be protected or what the crown jewels are. So we’re seeing a lot more data classification projects, and data discovery / data mapping projects, than we have in the past, to be able to implement a solid DLP program.

We’ve also seen a lot of organizations, no matter what the size, putting in an MDR, a managed detection response technology solution. So we work with Alert Logic, who actually takes care of Towerwall. We also work with Arctic Wolf. And then we also are working with a managed security service provider, so if we resell a SIEM [security information and event management] or an EDR [endpoint detection and response] — like a CrowdStrike or a SentinelOne or a Sophos — that they can actually manage the endpoints as well. So we work with a company called Avertium, because we are not an MSP nor an MSSP, nor do I ever want to be that.

You still do a lot of services though — more on the professional services side?

Yes. We’re still doing a lot of penetration testing — network penetration testing. [For instance] wealth management organizations or financial service organizations are all mandated now to have an annual penetration test or they cannot do business. So it can be an organization of 10 people, 25 people — or even two people — they still have to have a penetration test. So a lot more uptick in network penetration testing. After the SolarWinds experience, we’ve had a lot more vendors come knock at our door to do application penetration testing. We’re also having organizations come in and say, “We use Salesforce, we trust Salesforce, but it’s our instance of Salesforce — so can you test us and see what we look like?” Or Office 365 — we’re doing a lot of application penetration tests on their instance [of] Office 365. So we’re doing a lot of that type of testing, what we call vulnerability management.

We’re also doing a lot on the governance, risk and compliance side — doing the risk assessments — whether it’s for the New York or California privacy [rules]. And now Massachusetts is going to have its own privacy [rules]. So we have a whole privacy arm, as well as the security arm, helping organizations with SOC 2 — Type 1 and Type 2 — and ISO 27001. So there’s a lot from a risk perspective, a program perspective, and then also a regulatory compliance perspective.

You mentioned you wouldn’t want to become an MSP or MSSP.

What’s happening is, you have these managed services providers [that are] adding information security arms. And so it’s not church and state anymore. Now it’s, “I’m monitoring your endpoints, I’m managing your firewalls. And hey, I could do penetration testing — on myself.” It’s getting really muddy now. The same thing goes with managed security service providers.

You really need to have a trusted third party like a Towerwall, where that’s all we do. We don’t do any of that other stuff. And so we can be that test. When it gets gray, it’s never good.

What are some other big things you’ve seen change in cybersecurity over the past few years?

Organizations are being held accountable to not only protect themselves but know who they’re working with. So [companies are] sending questionnaires out to make sure that [third parties] are doing what they’re supposed to be doing. But then they’re also getting the questionnaires and having to fill them out, so that their salespeople can sell stuff. It’s an interesting dynamic, because cybersecurity is not necessarily seen as a cost center anymore. It’s helping [with sales]. The same thing with cyber insurance. And while before people were shooting from the hip, I think cybersecurity right now is part of their corporate strategy. So doing ongoing tabletop exercises against your incident response plan, a tabletop exercise on your disaster recovery plan, your business continuity plan. …

Then what we’re seeing as well is [an interest in] putting key performance indicators around cybersecurity. We’re doing a lot more risk registry type projects, and building KPIs for CISOs that then go up to the board. Because the boards are now being held accountable.

What would be some examples of KPIs for cybersecurity today?

One is user awareness — the success of a user awareness program. And tracking what that looks like from a phishing perspective, from a testing perspective, from a corporate culture perspective. Vendor risk management is another KPI, because you can show sales increasing potentially. Another one is data management, and vulnerability management.

Are there certain vendors that you’re working with a lot right now? I believe that you’ve been doing a lot with AWS, for instance?

Two years ago, we actually got all our services up on [the AWS] marketplace. It makes it really easy for organizations that are doing business with AWS, and have their enterprise agreement, to just use that contract. And it’s escalating now from a service perspective.

Other vendors that we’re really working closely with — Alert Logic, we were their partner of the year last year. It was our first year with them, and we did a lot. Varonis continues to be one of our go-to partners, and we do quite a bit of business with them as well. On endpoint, we’re working with SentinelOne and CrowdStrike quite a bit, and [VMware] Carbon Black, as well. We still do quite a bit of work with Sophos. We did a very large Fortinet deal this last December. So they are awesome to work with. Proofpoint is another. And we have a lot of smaller ancillary organizations that we’re working with, just to make sure that we’re helping our customers. CASB we’re seeing a lot, and like I said, DLP and MFA.

What’s the key to effective cybersecurity in 2023?

I made up a word a long time ago called “programmatize.” And programmatize means that we need to make things repeatable. And so with people, with your user awareness, they’re not your weakest link — they’re your greatest asset, they’re your first line of defense. And then it’s the processes — you put in Tenable, you put in Rapid7. And you document who’s going to install it, how often is it going to get updated, how often is it going to get run? Who’s going to run it, who’s going to get the reports, who’s going to do remediation? OK, now we have a program. The same goes with everything.

The technology has gotten better, as long as you’re not always trying to find the most shiny new object. [The key is] utilizing the technology stack to the best of its ability, putting the EDR solutions in, having that 24/7 monitoring, doing the penetration test. I think we’ve become much more sophisticated in locking ourselves down — and understanding that if we lock the door, we need to lock the windows too. I told one of our customers the other day, “We need to have you be locked down enough, that if somebody starts knocking, that you make it hard enough that they’re going to go to the next guy.” And that’s really what it’s all about.