The Dumbest Thing In Security This Week: Really, CrowdStrike Again?
Opinion: CrowdStrike needs to suck up uncovered customer losses if it wants to save its faltering image.
Paul Shread July 26, 2024
CrowdStrike (CRWD) is in the midst of an unenviable crisis after a faulty update crashed 8.5 million Windows machines around the globe, but some of the company’s moves since then have compounded the problem and are threatening to wreck its stellar image as a leading-edge cybersecurity company.
The biggest mistake in the company’s response to the crisis may have been offering Uber Eats and DoorDash vouchers to affected partners. I get the point – the company was saying “I see you” to IT teams laboring long hours and weekends to recover from “blue screen of death” outages.
But given the massive uncovered losses faced by organizations victimized by the outage, it’s not surprising that the gesture was met with widespread derision in the media and on social media. It underscores the inadequacy of CrowdStrike’s financial response to this mess, and the urgency for the company to do better.
How CrowdStrike Can Make It Right
CrowdStrike customer operations have now largely returned to normal, but customer attitudes toward the company may take a lot longer to restore.
Here’s the fundamental problem, as I see it. CrowdStrike’s terms and conditions mean that customers are likely stuck with the losses from a failure that belongs entirely to CrowdStrike. Software developers have largely been free of legal liability for bugs in the U.S. – something the Biden Administration has proposed changing – but in this case, CrowdStrike may have a compelling business reason to make customers as whole as it possibly can.
Existing CrowdStrike installations likely won’t change much; the difficulties of a “rip and replace” approach mean there will be too much inertia for many companies to switch.
But you can bet that future CrowdStrike deals will see much greater scrutiny if the company leaves its customers on the hook for the cost of a global outage that could reach $12-13.5 billion in uncovered losses – especially with rivals like Fortinet revealing their measures to prevent a similar occurrence.
Wall Street – which trades on future expectations, not past results – seems to be saying as much. Traders have crushed CRWD shares since the July 19 debacle, erasing nearly $18 billion in stock market cap, which means a lot of lost wealth for CEO George Kurtz and other shareholders.
But more important is the uncertainty that stock drop signals for investor confidence in the company’s future – The Street is basically betting that the company’s growth will slow as a result of the outage, and they’re probably right. At a minimum, future customers – and maybe even current ones – will be taking a hard look at renegotiating those terms of service now that they know the risks, if not looking for more favorable terms elsewhere, which competitors eager to cut into CrowdStrike’s market share may be all too happy to provide.
CrowdStrike needs to end any doubt now, own its mistakes and offer to make customers as whole as it reasonably can. It’s the only way to preserve its growth path and position as a cutting-edge industry leader. A company whose business model is to reduce customer risk should not be saddling them with the cost of a mistake it made that led to possibly the biggest cyber incident ever, rivaling if not exceeding the WannaCry and NotPetya ransomware attacks of 2017. The optics couldn’t be clearer.
The entire cybersecurity industry may well suffer from this outage – imagine what future discussions will be like when CISOs ask CEOs for cybersecurity products that deeply integrate with their environment.
And none of this means that Microsoft gets a free pass here – there have got to be safer ways to integrate EDR/AV tools into the Windows operating system, and the company suggested yesterday that those will be explored.
But the company at the center of this storm needs to do something big. Fast.
CrowdStrike’s Options
CrowdStrike needs to make a grand, magnanimous gesture that changes the narrative. At this point, it’s not even a giveaway, it’s business and shareholder reality.
The company has $3.7 billion in cash – and growing – so it has a cushion to do something, anything, to make this more of a feel-good story, or at least burnish its image as a reliable partner. It might not have to authorize additional shares to cover the full amount, but maybe set up a fund with a promise to help. Do something creative.
Anything less will give rivals a chance to keep using the company’s own marketing materials against it:
CrowdStrike ad: EDR bugs could bring your business down