
PR Failure #38: Keep Core Communications Concepts in Mind

Cloud-based security company CrowdStrike undermined consumer and client confidence when a simple software update caused what’s being called the biggest IT outage known to us yet.

Recalling What Happened

On July 19, 2024, banks, airports, emergency services, and more were left looking at the good old colon/left parenthesis sad-face emoticon, which tops the dreaded “Blue Screen of Death.” With a roster of clients boasting Fortune 500 companies, including Amazon Web Services, AT&T, Delta, and just over 80% of U.S. state governments, the security incident was estimated to affect 8.5 million Windows devices worldwide. Patch management experts have named speed as CrowdStrike’s culprit, encompassing inadequate testing and broad versus phased deployment of their update.

While CrowdStrike leadership was quick to comment, the initial apology left many wanting more. Let’s look at a few core principles of effective public relations and compare these with CrowdStrike’s approach that resulted in communications chaos.

1. Manage for Tomorrow

An important concept of effective communications is to keep the future in mind. Think about what the client and public reaction might be if your company were to face a crisis (which is an amplified risk when security is your service), and certainly avoid bad-mouthing others. But as recently as the June earnings call just prior to CrowdStrike’s security snafu, CEO George Kurtz was touting CrowdStrike’s ability to “ship game-changing products at a rapid pace.” This message was aimed at one big competitor, and Kurtz expanded on it in several post-earnings interviews.

On Jim Cramer’s Mad Money, as well as in other media venues, Kurtz discussed previous Microsoft security matters, saying CrowdStrike was receiving requests for help due to “a widespread crisis of confidence among security and IT teams within the Microsoft security customer base.” Kurtz warned against monoculture, or using only one company’s products and services, saying CrowdStrike is here to “reduce monoculture risk from only using Microsoft products and cloud services.”

The irony is real in retrospect as we know that CrowdStrike’s speed was the core cause of the outage. Combined with earlier jabs at one of the very companies CrowdStrike critically impacted, they were setting themselves up for future failure.

First, don’t be negative – this tone with regard to another company is rarely well-received. Even more importantly, consider how your words might come back to you later and communicate with the future in mind.

2. Tell The Truth

While Kurtz’s initial statement to the public after the outage was truthful, it wasn’t the whole truth and it lacked essential crisis communications messaging, namely an authentic apology. It is worth noting, however, that CrowdStrike’s response was quick, with Kurtz identifying the problem, clarifying who needed to worry, and touching on the next steps. But given the severity and scope of the situation, where CrowdStrike caused more mayhem than the cyberattacks it works to prevent, leaving out a heartfelt “sorry” was indeed a big deal.

The company’s response also would have benefited from detail on how the situation was being solved and what specifically was being done to prevent it from happening again.

After a few interviews in the event’s immediate wake, Kurtz remained mostly silent.

Even after the outage, CrowdStrike’s home page contained messaging that still boasted benefits like “fastest mean time to detect.” The incident was a footnote one had to hunt for, and only then did it lead to jargon-filled PR statements on the company’s resolution center.

It’s notable that the CrowdStrike incident mirrored software company McAfee’s 2010 security update fumble, where Kurtz was then serving as McAfee’s CTO. Kurtz had a front seat to a not too dissimilar event, which would have provided so many helpful lessons to guide CrowdStrike’s communications.

3. Know Your Audience

CrowdStrike Chief Security Officer Shawn Henry demonstrated a better understanding of the company’s audience a few days later. In issuing a vulnerable and sincere apology that spoke to his professional journey, acknowledged the gravity of the event, and underlined the company’s commitment to fixing what led to the problem, Henry hit all the right notes.

The Aftermath

The U.S. House Homeland Security subcommittee said it will hold a congressional hearing on the outage this month. Though the call was for Kurtz to appear, it seems the ball was passed to Adam Meyers, senior vice president of counter adversary operations at CrowdStrike. We’ve touched on three communications concepts above, and it will be important for Meyers to master all three, as the hearing will be a clear indicator of the damage done to trust in the company.

CrowdStrike has experienced a significant financial loss, with shares declining by about 20% since the outage, which equates to $20 billion of the company’s market value.

Clients are likely considering Kurtz’s recommendation to avoid having a monoculture, which possibly now extends beyond the operating system alone to include having more than one security provider, something Kurtz himself discussed in the Cramer conversation.

Thoughtful, truthful, trustful communications are always important, but never more so than in a crisis, especially on a global scale impacting so many people. There are so many lessons, but make sure to be mindful about messaging before there’s an issue, be transparent when one occurs, and make a real connection to your clients as you work to resolve the matter.

Best, 
Aaron Blank
President and CEO
Fearey