CrowdStrike — As the Dust Settles

Christopher Martlew
Published in On Being Agile
Aug 1, 2024

Microsoft’s Satya Nadella is undoubtedly one of the best CEOs on Wall Street. He is ever measured, calm and positive, with excellent subject matter mastery. But even he must have lost his cool when CrowdStrike brought down millions of Windows systems across the globe.

What happened?

In a nutshell: Behaviour of the CrowdStrike Falcon security software is driven by data in a configuration file deployed separately from the software itself.

A configuration file update caused the CrowdStrike software to violate memory usage rules and Windows stopped working: a so-called blue screen of death, or BSoD, incident. This was not technically a software update but a data/configuration update.

Microsoft was quick to clarify that this was a ‘CrowdStrike outage’ and not a Windows (or Azure or Microsoft) outage.

The incident on July 24th, 2024, was significant enough to hit headlines worldwide, cause incalculable economic damage and earn the company a Wikipedia entry and a shareholder lawsuit.

In Whom We Trust

We do business with firms and people whom we trust. Being a trustworthy participant in the marketplace is critical to survival.

In a digital business context, trust means having confidence that information shared is properly protected and that the integrity of transactions is maintained.

Reliable cybersecurity measures reinforce this trust: When an organization demonstrates a strong commitment to cybersecurity, it not only protects its own assets but also reassures its partners and customers that it is a trustworthy participant.

What just happened has impacted not only CrowdStrike but the software industry as a whole. It has emphasized our enormous economic and social reliance upon that industry, and its potential to cause disasters.

Cybersecurity is not Compliance

Cybersecurity is easily conflated with compliance. While there are areas where they intersect, they are fundamentally different — being compliant doesn’t necessarily mean being secure, and vice versa. CrowdStrike has multiple compliances.

The Post Incident Review

The Preliminary Incident Review by CrowdStrike on July 24th made pretty dry reading — not unusual for this subject matter.

About 19 hours after initial publication, the PIR was updated to include:

“Third Party Validation

· Conduct multiple independent third-party security code reviews.

· Conduct independent reviews of end-to-end quality processes from development through deployment.

In addition to this preliminary Post Incident Review, CrowdStrike is committed to publicly releasing the full Root Cause Analysis once the investigation is complete.”

The addition of the promise to release the full RCA will, hopefully, go some way to restoring confidence in the firm, but also in the industry.

The concept of software behaviour being driven by configuration files is commonplace (arguably, even AI LLMs work in a similar way), so there will be learnings for a broader community from the RCA.

Either the industry sorts this out, or the regulators will.

The CrowdStrike Corporate Governance Committee is presumably also reviewing “the composition of the Board and its committees in light of the current challenges and needs of the Board” as its Charter states.

Chris Martlew is a Technology Executive, author and speaker.