With the July 19 incident that impacted CrowdStrike Falcon customers globally, CrowdStrike has significantly damaged customer trust. CrowdStrike’s initial post-incident review (PIR) outlines a number of reasonable steps that it plans to take to regain that trust, including:

  1. Improved testing protocols.
  2. Staged deployments.
  3. External QA of both its code and its end-to-end processes.

It will, however, take more than better QA and content update controls to recover.

Competency, consistency, and dependability are the three most important levers of trust for global B2B buyers. They are also the three most important trust levers for IT and tech services B2B buyers.

Predicting What’s Next For CrowdStrike

CISOs are no stranger to being scapegoated after an incident, and there’s plenty of speculation about whether CrowdStrike will do the same to one of its top executives. CrowdStrike’s rapid growth and ascent shows it was doing something right.

Forrester suggests that the vendor avoid taking the blame-game approach and instead take a more effective path forward, like what Zoom did with increased transparency and accountability. Quickly publishing the initial PIR and full Root Cause Analysis (RCA) are steps in the right direction. Going forward, we anticipate the following for CrowdStrike:

  • Expect George Kurtz to spend “big tech CEO” amounts of time testifying. Government bodies of all sorts will want the CEO to explain exactly what happened, why it happened, and how CrowdStrike will avoid it in the future. This will serve as a distraction for the CEO, who has driven the company since its founding. This could also put the vendor’s relationship with CISA at risk. CrowdStrike’s miscues unfortunately put it into a position to be made a very public example of, and governments will use the opportunity to appear tough on the vendor and concerned about cybersecurity.
  • CrowdStrike will name a “quality assurance czar” that reports into its CEO. This will be a highly public move to demonstrate a newfound commitment to software quality and a boost in transparency for all updates, an area where CrowdStrike has been notoriously closed off. It will likely be an external hire to provide credibility. Additionally, CrowdStrike’s trust center will go beyond regulatory compliance certifications and statements to include attestations of QA practices and regular communication related to its QA improvements.
  • CrowdStrike’s innovation roadmap and M&A activity will decelerate. This setback will give competitors it left in its rearview mirror long ago — and those that have kept pace — time to catch up and get ahead. This is a trade-off that CrowdStrike has to accept, but it does have an example of what to do. It can look to the steps Zoom took when its product security flaws were discovered as an example of what a good response can look like. This will happen because CrowdStrike:
    • Must show its commitment to software quality.
    • Has to vet every aspect of its testing procedures to avoid another event like this.
    • May need to make major architectural changes to its products to increase its reliability.
  • Microsoft will threaten to repeal its WHQL certification and access to ELAM. Unless CrowdStrike rearchitects its sensor, Microsoft will frame this incident in terms of reliability and the risk to Microsoft and its customers. Microsoft’s blog here lays out alternative approaches and is a well-done, subtle rebuke of CrowdStrike’s design decisions. Serious action and negotiation will take place between CrowdStrike and Microsoft in the coming months that could have major implications for the former’s software moving forward.
  • CrowdStrike will rearchitect its approach in Falcon. This will happen for two reasons: in part to reassure customers that an outage won’t happen again and partly to comply with Microsoft’s demands. This is dangerous ground for CrowdStrike because:
    • It signals an accidental admission of poor design decisions. If the vendor can rearchitect Falcon in a way that doesn’t reduce its efficacy, it will be an admission of poor — or reckless — design decisions.
    • Changes could reduce efficacy. Rearchitecting Falcon in a way that reduces its efficacy forces any security leader who selected the platform due to its performance to rethink their choices, since it no longer functions in the same way as when it was purchased.

CISOs: Proceed With Caution And Seek Advantages

We’ve published a significant amount of prior art on immediate and middle-term steps of what CISOs and technology teams should do about the outage and what caused it. That advice ranges from avoiding concentration risk with cybersecurity tools through rethinking resilience and recovery based on how BitLocker is implemented. Here are a few predictions of what will happen next for CISOs:

  • Anticipate litigation — lots of it. There will, obviously, be litigation. Customers (such as Delta Air Lines), vendors, and insurers will sue to hold CrowdStrike accountable and get compensation. As the cases move on, security leaders should:
    • Avoid joining class-action suits too quickly. Use the guidance of internal and external counsel to decide whether it’s appropriate to participate in CrowdStrike litigation.
    • Work with your broker, insurtech provider, or carrier. New, crisper definitions of business interruption, security incident, security failure, and system failure will stem from litigation between insurance carriers and CrowdStrike. Understand coverage grants within cyber insurance and business-owner insurance policies during the renewal underwriting process.
  • Expect features that mollify “experts,” not practitioners. CrowdStrike said that it is introducing more granular control of updates. This is not necessarily the best feature to use in practice because ultimately it defeats the purpose of the tool: fast, accurate, real-time protection. This is a solution to the outage, but it is not the best solution and certainly not the one that balances security and reliability. Intense market pressure, however, will force CrowdStrike’s hand. This will:
    • Drive confusion and complexity for customers. It will also drain resources away from the product team keeping ahead of competitors.
    • Force security leaders to examine alternative solutions. If competitors catch up to — or surpass — CrowdStrike due to its inability to keep up with the market, CISOs will have to look for alternatives. Keep an eye on CrowdStrike and its competitors. Read The Forrester Wave™: Extended Detection And Response Platforms, Q2 2024, to see how the market is changing.
  • Prepare for the inevitable questions about purchase decisions. Security leaders often have to justify their purchase decisions, and now they’ll have to explain why they want to go with or continue with the vendor known for causing a global outage. You can:
    • Use CrowdStrike’s QA plan to rebut critics. You can say something like, “If anyone’s focused on QA right now, it’s CrowdStrike.”
    • Determine if CrowdStrike is worth the risk to you and your organization. Watch for the topics mentioned in this blog to identify if it’s worth the risk and political capital to keep or bring CrowdStrike into your environment versus pivoting to a competitor.
    • Take advantage of discounts while blood is in the water. Some competitors took days, or hours, after the incident to ambulance-chase. Others waited a week but still came out looking just as bad. CISOs can expect even more egregious vendor messages at Black Hat and beyond. While some vendors botched the response, others will take this as an opportunity to move aggressively on discounting. This is an opportunity for CISOs to:
      • Use the competition to get better prices from vendors looking to take customers away from CrowdStrike.
      • Ask for extraordinary discounts in the short and medium term if they are on CrowdStrike or migrating to it.
      • Sign longer-term agreements to lock in advantageous pricing while it’s available. These deals will evaporate in the future, and prices at renewal time will increase.

Forrester analysts are available to help you navigate this crisis and its longer-term repercussions. Forrester clients can request an inquiry or guidance session to discuss the CrowdStrike incident, the XDR market, and how you can move your security program forward.