Dorothy Crenshaw
July 24, 2024 | 12:31:40
In the high-stakes cybersecurity sector, even the most robust systems can experience sudden disruptions — often with serious, but temporary PR implications for the companies involved. But few expected that a routine update at Crowdstrike, a leader in endpoint security, could provoke the disaster that resulted last Friday. The Windows OS crash triggered by the faulty update disrupted airline reservation systems, financial institutions, and even hospital care. It was then up to Crowdstrike CEO George Kurtz to respond to the crisis.
Crowdstrike’s response came as a status post on X. The post identified the problem, making it clear that it was not the result of a cyberattack or security breach. It referred customers to a support portal for updates and assured them that Crowdstrike was mobilized to ensure “security and stability” for customers. In my view, it was a swift, effective, and relatively transparent first step in engaging with key customers.
Many criticized Kurtz harshly for the lack of apology after the incident. But in the moments after such an outage, customers aren’t looking for an apology. They’re looking for the fix. And while that’s happening, they need to know what’s behind the incident (and what’s not behind it) and, most of all, what to do. Those boxes were checked.
Fast acknowledgment is critical in crisis management, as it helps to mitigate speculation and rumors, giving key stakeholders a clear account of the situation. So is language. Words and phrases must be chosen with utmost thoughtfulness, even under pressure. Within hours of the outage, Kurtz took to multiple media platforms, acknowledging the incident and expressing regret for… “the inconvenience.”
Now, “inconvenience” is a terrible word. It’s what the recording says when you’re on hold with the pharmacy, or what the airlines say when the flight is delayed. It’s not what you say after your technology strands thousands of travelers and potentially places surgical patients at risk. To his credit, Kurtz seemed to realize this and quickly began using words like “disruption” and “impact.”
Overall, Kurtz handled his media interviews with calm (notwithstanding the distraction of his exquisitely gelled hairstyle.) He used accessible language rather than tech jargon. He took responsibility. In broadcast engagements he provided a reasonably detailed explanation of what went wrong while managing to highlight the complexities involved in managing large-scale cybersecurity systems.
The Crowdstrike apology was late, but it did come, and with a reasonable degree of accountability. My motto when it comes to the perfect public apology is this — explain, but don’t excuse. Accountability is essential to win public approval, but it can be very tricky in a crisis situation that exposes a business to legal liability.
To his credit, after the initial statement, Kurtz took a flurry of media interviews where he told a national TV audience that Crowdstrike was “deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this, including our company.” His Chief Security Officer Shawn Henry went even further. “On Friday, we failed you, and for that I’m deeply sorry,” Henry said Monday in a LinkedIn post. Both seemed to have internalize another key maxim of the public apology, which is to focus on those harmed. It’s not about you.
That customer-focused approach was the strongest aspect of Crowdstrike’s response. Kurtz and Henry reassured customers that their security and operational continuity were top priorities, announcing that all necessary resources were mobilzed to resolve the issue as quickly as possible. This type of outreach doesn’t ensure forgiveness, but it does let the most important audience segment know that the top guy is on the case and will not relent until it’s fixed.
A key element in any crisis recovery, especially a situation that brings harm, is future prevention. Here, Crowdstrike has pledged to include additional validation checks and a stronger error handling mechanism to make sure errors from problematic content are “managed gracefully.” These and other steps will be intensely scrutinized, of course, but a proactive stance is the only way to regain customer trust and manage subsequent investigations.
Crowdstrike’s stock plummeted by 35% in value since the outage. And Kurtz is likely to be called to testify in front of Congress as it investigates the debacle and its ramifications. So, its potential rebound is just beginning, and there are many obstacles to a full recovery. But as Kurtz has seen, a serious crisis can be an opportunity to show how effective leadership can turn a terrible event into an opportunity for growth and trust-building. Watch this space.