CrowdStrike CEO George Kurtz’s immediate and unreserved apology for a doomed software update that took global IT systems and networks offline Friday marked an uncommon episode in the cybersecurity industry.
Cybersecurity executives aren’t in the habit of saying sorry or admitting to mistakes.
Hours after CrowdStrike’s software update crashed huge swaths of the global economy Friday, Kurtz was on “Today,” apologizing for the mistake while its cascading effects were still unfolding.
“I want to start by saying we’re deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this, including our company,” Kurtz said on NBC’s morning news program.
With CrowdStrike’s reputation on the line, other top executives at the cybersecurity vendor followed suit with candid apologies and accepted responsibility for the damage.
“On Friday, we failed you, and for that I’m deeply sorry,” CrowdStrike CSO Shawn Henry said Monday in a LinkedIn post.
“The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Henry said. “We let down the very people we committed to protect, and to say we’re devastated is a huge understatement.”
While CrowdStrike’s response isn’t unprecedented, the damages its ill-fated software update caused are beyond comparison.
“Nothing of this scale or magnitude has happened in recent memory, if ever,” Kelsey Eidbo, a crisis communications professional and VP at Infinite Global, said via email.
“Cybersecurity firms are typically not the story because they intentionally operate behind the scenes,” Eidbo said. “The crisis at Crowdstrike this week was a wake-up call and will certainly go down as a cautionary tale for cyber firms, IT vendors, and all of us who rely on them to keep the world spinning.”
A rarity in cybersecurity
Mea culpas are rare in the cybersecurity industry. CrowdStrike accepted an unusual level of accountability of its own volition — and without condition.
“Kurtz's quick apology for a defective software update is rare in cybersecurity — I can’t think of any other case — but reflects a growing trend of corporate accountability,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, said in an email.
CrowdStrike’s rapid and energetic response was also an act of damage control and self-preservation.
From a crisis management perspective, it was critical for CrowdStrike to get ahead of any rumors and “confirm as soon as possible that this was an outage rather than a breach,” Eidbo said.
“Companies that acknowledge and take responsibility early, publicly and proactively, position themselves as the authority and foremost expert on the issue facing their own company, and, in the case of a vendor, lessen at least some of the burden, from a reputational standpoint, on their customers,” Eidbo said.
As CrowdStrike’s leadership managed one of the worst days for the company since it was founded in 2011, executives sought to control the narrative about what happened and engender confidence in its response.
“The fact that CrowdStrike embraced an open, contrite, and all-hands-on-deck approach certainly helped,” Katell Thielemann, VP analyst at Gartner, said via email.
“We have seen examples when companies have decided to go the other way by not acknowledging security defects, by deflecting blame, or by trying to hide facts and delay communications,” Thielemann said. “That’s when brand damage occurs.”
Rebuilding trust in the thick of recovery
At their core, cybersecurity vendors play an incredibly difficult role in the software ecosystem: spot and alert customers to malicious activity, mitigate risk and stop attacks. Their job is to keep systems safe and secure.
Security vendors that approach major incidents with transparency, accuracy and responsiveness have a better relationship with their customers, and a swifter, less reputationally damaging recovery, according to Allie Mellen, principal analyst at Forrester.
“Trust is paramount in the relationship between a security vendor and its customers and partners. This is true for all vendors, but security especially, where reliability and competence are fundamental,” Mellen said via email.
“CrowdStrike has built a lot of trust with its customers over the years, and how it approaches this incident will define its relationship with customers moving forward,” Mellen said.
The brisk and remorseful response of CrowdStrike’s leadership also caught the attention of federal authorities who were working closely with the company and partners across government and industry to recover and restore operations.
“While it wasn’t malicious, it was a serious mistake, one for which Kurtz took full responsibility, apologized, and committed to resolving collaboratively,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Saturday in a LinkedIn post.