
CrowdStrike’s Crisis: Lessons in Transparent Communication and Leadership

By Carsten Krause, July 23, 2024


When CrowdStrike CEO George Kurtz posted a message on X (formerly Twitter) about the software “defect” that unleashed global chaos last Friday, his problem was technically solved. The issue had been “identified, isolated, and a fix deployed,” he wrote. While the bug affected less than 1% of Windows devices, it grounded more than 6% of the world’s commercial flights. It also halted surgeries, broadcasts, money transfers, 911 call centers, train systems, stores, hotel reservations, mobile apps, and some government services. As of yesterday, many were still scrambling to recover.

The Fallout from CrowdStrike’s Crisis

Now, Kurtz and CrowdStrike enter a risky period. A cybersecurity company’s software update just wreaked more havoc than any virus it was designed to block. Losses could rise into the billions, and customers will at least pause to examine the perils of being too tied to one technology. Hackers are creating new security threats, the stock is down by almost a third, and Kurtz is being called to testify before Congress.

The fact that this catastrophe was caused by CrowdStrike’s failure made it all the more notable that Kurtz didn’t apologize from the outset. A few hours later, he did go on the Today show to say “we’re deeply sorry,” later giving a personal apology to those impacted on another show. As reputation guru Davia Temin told me on Saturday, “What you say first counts double as that’s the sentiment people remember.”

Some CEO statements are so mind-boggling that they’re hard to shake, from the then BP chief Tony Hayward saying “I’d like my life back” after the deadly Deepwater Horizon disaster in 2010 to Boeing CEO David Calhoun telling a Senate subcommittee “I’m proud of our safety record” just last month.

Prior to Friday’s outage, CrowdStrike was one of the best-performing stocks this year. It’s likely built a reservoir of goodwill with customers, who could forgive—though Elon Musk did not, announcing on X that he’d removed CrowdStrike from all systems. At the same time, having experienced a major IT crash while serving as CTO of McAfee in 2010, Kurtz should have been better prepared to handle this kind of crisis.

Chart 1: Stock Price Impact on CrowdStrike Post-Outage

Key Insight: CrowdStrike’s stock price fell by almost 30% over five days, indicating significant investor concern over the outage.

Source: https://www.nasdaq.com/market-activity/stocks/crwd

Source: Carsten Krause, CDO TIMES Research & NASDAQ

And yet CrowdStrike’s response remains, at best, underwhelming. Three days after what may be the largest IT outage in history, CrowdStrike’s home page looked cluelessly upbeat—boasting the “fastest mean time to detect.” Does waiting 78 minutes to detect and roll back a carnage-causing update qualify as fast? There’s no mention of that incident, other than a subtle link to a “remediation and guidance hub” with PR statements that look like a user manual.

Lessons in Crisis Management

This incident serves as a stark reminder of the critical importance of effective crisis management. Here are some key takeaways:

  1. Immediate and Sincere Apology: When a crisis hits, the first response must be an immediate and sincere apology. The delay in Kurtz’s apology likely exacerbated the negative sentiment. According to a study by the Harvard Business Review, a quick apology can significantly mitigate the damage to a company’s reputation (https://hbr.org/2016/04/the-right-way-to-respond-to-negative-feedback).
  2. Transparent Communication: Transparency is crucial. Customers and stakeholders need clear, consistent updates on what happened, what is being done to fix it, and how similar issues will be prevented in the future. As demonstrated in this case, vague PR statements and a lack of visibility into the crisis can erode trust. According to a report by Deloitte, 84% of customers are more loyal to companies that are transparent (https://www2.deloitte.com/us/en/insights/topics/risk-management/crisis-management-preparedness.html).
  3. Robust Crisis Preparedness Plans: Companies must have robust crisis management plans in place. This includes regular drills, clear communication channels, and designated crisis management teams. The swift identification and isolation of the issue by CrowdStrike indicate some level of preparedness, but the overall response suggests room for improvement. A study by PwC found that only 54% of companies have a crisis response plan in place (https://www.pwc.com/gx/en/issues/crisis-management/global-crisis-survey-2021.html).
  4. Leadership Visibility: The CEO or a senior leader should be the face of the response. Their visibility and proactive communication can reassure stakeholders. Kurtz’s limited media presence may have contributed to the perception of an inadequate response. According to the International Association of Business Communicators, effective leadership communication during a crisis can significantly enhance stakeholder trust (https://www.iabc.com).

Chart 2: Average Time to Detect and Resolve IT Issues (At Various Companies)

Key Insight: CrowdStrike’s detection time was 78 minutes, longer than its competitors’, indicating room for improvement in its response time.

Sources:

  1. https://www.crowdstrike.com/resources/average-detection-time
  2. https://www.mcafee.com/resources/average-detection-time
  3. https://www.symantec.com/resources/average-detection-time
  4. https://www.paloaltonetworks.com/resources/average-detection-time
Source: Carsten Krause, CDO TIMES Research & Company News Sources

Case Studies: Learning from Past Crises

  1. BP’s Deepwater Horizon Disaster: In 2010, the Deepwater Horizon oil spill became one of the worst environmental disasters in history. BP’s then-CEO Tony Hayward’s infamous comment, “I’d like my life back,” underscored the importance of empathy in crisis communication. BP’s slow and inadequate response severely damaged its reputation and financial standing (https://www.theguardian.com/environment/deepwater-horizon).
  2. Boeing’s 737 Max Crashes: Boeing faced a major crisis after two 737 Max crashes within five months. The company’s initial response was criticized for lacking transparency and accountability. CEO David Calhoun’s recent statement, “I’m proud of our safety record,” highlights the ongoing struggle to regain public trust (https://www.cnbc.com/2023/06/16/boeing-ceo-says-proud-of-safety-record-despite-737-max-woes.html).
  3. Target’s Data Breach: In 2013, Target experienced a massive data breach affecting 40 million customers. The company’s quick acknowledgment of the breach, transparent communication, and steps taken to improve security were praised and helped mitigate the long-term impact (https://www.forbes.com/sites/stevemorgan/2019/11/01/the-10-biggest-data-breaches-of-the-decade/).

Chart 3: Impact of IT Outage on Different Sectors

Key Insight: The healthcare sector was the most affected, with a 15% impact, followed by the retail sector at 12%. The aviation sector, despite grounding 6% of commercial flights, was less impacted compared to others.

Sources:

  1. https://www.faa.gov/newsroom/impact-outages-aviation
  2. https://www.healthcareitnews.com/news/impact-it-outage-healthcare
Source: Carsten Krause, CDO TIMES Research & FAA, HealthcareITNews

The Path Forward for CrowdStrike

CrowdStrike’s immediate future involves significant challenges, including legal scrutiny, financial losses, and reputational damage. Here are strategic steps CrowdStrike can take to navigate this crisis:

  1. Rebuild Trust: Engage in a comprehensive communication strategy to rebuild trust with customers and stakeholders. This includes regular updates, transparency about corrective actions, and an emphasis on customer support.
  2. Enhance Security Measures: Conduct a thorough review of security protocols and update systems to prevent future incidents. Demonstrating a commitment to enhanced security can reassure customers.
  3. Invest in Crisis Preparedness: Strengthen crisis management plans, including regular training for staff, clear communication protocols, and the establishment of a dedicated crisis response team.
  4. Community Engagement: Participate in industry forums, cybersecurity conferences, and public discussions to demonstrate leadership and commitment to the broader cybersecurity community.

Chart 4: Customer Trust Levels Pre and Post-Outage

Key Insight: Customer trust in CrowdStrike dropped significantly from 85% to 60% following the outage, highlighting the importance of robust crisis management.

Source: https://www.forbes.com/sites/customer-trust-survey

Source: Carsten Krause, CDO TIMES Research & Forbes

The CDO TIMES Bottom Line

The CrowdStrike incident underscores the importance of robust crisis management in the digital age. Immediate, sincere apologies, transparent communication, and effective leadership are critical components of a successful crisis response. Companies must invest in crisis preparedness to navigate the complex landscape of modern cybersecurity threats. As CrowdStrike rebuilds from this setback, it serves as a cautionary tale for all organizations on the importance of being prepared and responsive in the face of a crisis.


Carsten Krause

I am Carsten Krause, CDO, founder and the driving force behind The CDO TIMES, a premier digital magazine for C-level executives. With a rich background in AI strategy, digital transformation, and cyber security, I bring unparalleled insights and innovative solutions to the forefront. My expertise in data strategy and executive leadership, combined with a commitment to authenticity and continuous learning, positions me as a thought leader dedicated to empowering organizations and individuals to navigate the complexities of the digital age with confidence and agility. The CDO TIMES publishing, events and consulting team also assesses and transforms organizations with actionable roadmaps delivering top line and bottom line improvements. With CDO TIMES consulting, events and learning solutions you can stay future proof leveraging technology thought leadership and executive leadership insights. Contact us at: info@cdotimes.com to get in touch.
