CrowdStrike CEO George Kurtz’s quick and unvarnished apology for the ill-fated software update that took IT systems and networks around the world offline on Friday was a rare development in the cybersecurity industry.
Cybersecurity executives are not in the habit of apologizing or admitting mistakes.
Hours after CrowdStrike’s software update caused widespread disruption to the global economy on Friday, Kurtz appeared on “Today” to apologize for the mistake, with the ramifications still being determined.
“First, I want to say I’m very sorry for the impact this has had on our customers, on our travelers and on all of the people that have been affected by this, including our company,” Kurtz said on NBC’s morning news show.
With CrowdStrike’s reputation at stake, other executives at cybersecurity vendors have followed suit, freely apologizing and accepting responsibility for the damage.
“We fell short of your expectations on Friday and for that we deeply apologize,” CrowdStrike Chief Strategy Officer Sean Henry said in a LinkedIn post on Monday.
“The trust we’d built up over the years in this infusion was so quickly lost in a matter of hours, it was a real shock,” Henry said. “We’ve let down the people we promised to protect. To say we’re devastated is an understatement.”
While CrowdStrike’s response is not unprecedented, the damage caused by the company’s ill-fated software update is incomparable.
“An event of this magnitude and severity has never occurred recently, or even before,” Kelsey Ayedbo, a crisis communications expert and vice president at Infinite Global, said in an email.
“Cybersecurity companies operate behind the scenes by design, so they don’t usually get talked about,” Ayedbo said. “This week’s CrowdStrike crisis served as a wake-up call and will surely be remembered as a lesson for cyber companies, IT vendors, and all of us who rely on them to run the world.”
Unusual in cybersecurity
Self-accountability is a rare sight in the cybersecurity industry. CrowdStrike willingly and without strings attached accepted a normal level of accountability.
“Kurtz’s quick apology for a faulty software update is rare in the cybersecurity world — I can’t think of any other examples — and reflects increased corporate accountability,” Mauricio Sanchez, senior director of enterprise security and network research at Dell’Oro Group, said in an email.
CrowdStrike’s swift and vigorous response was also an act of damage containment and self-protection.
From a crisis management perspective, it was important for CrowdStrike to get ahead of the rumors and “confirm as quickly as possible that this was an outage and not an intrusion,” Ayedbo said.
“Companies that admit and take responsibility early, publicly and proactively establish themselves as authorities and experts on the issues they face and, in the case of vendors, relieve at least some of the burden on their customers from a reputational standpoint,” Ayedbo said.
During one of CrowdStrike’s worst days since it was founded in 2011, management sought to control reporting about what happened and instill confidence in its response.
“CrowdStrike’s open, reflective and all-hands-on-deck approach has undoubtedly helped,” Katell Thielemann, vice president analyst at Gartner, said in an email.
“We’ve seen examples where companies have decided to go the other way by not acknowledging security flaws, shifting the blame, hiding the facts and delaying communication,” Thielemann said. “That’s when the damage to the brand happens.”
Rebuilding trust amid recovery
Cybersecurity vendors essentially play a very difficult role in the software ecosystem: finding malicious activity, alerting customers, mitigating risk, and preventing attacks. Their job is to keep systems safe and secure.
According to Allie Mellen, principal analyst at Forrester, security vendors that approach major incidents with transparency, accuracy and responsiveness enjoy better customer relationships, faster recovery times and less reputational damage.
“Trust is paramount in relationships between security vendors and their customers and partners. This is true for all vendors, but especially security, where reliability and competence are fundamental,” Mellen said in an email.
“CrowdStrike has built trusted relationships with its customers over many years, and how it responds to this incident will determine the future of its relationships with customers,” Mellen said.
CrowdStrike management’s swift and reflective response also caught the attention of federal authorities, who worked closely with the company and its government and industry partners to restore and recover operations.
“While there was no malicious intent, this was a serious mistake and Mr. Kurtz has taken full responsibility, apologized, and committed to working together to resolve it,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a LinkedIn post on Saturday.