CrowdStrike's crisis management strategy holds lessons for all companies
- The global IT outage caused by cybersecurity firm CrowdStrike was a PR nightmare.
- CEO George Kurtz was criticized online for not apologizing immediately for the disruption caused.
This month, CrowdStrike sent the world into chaos.
The cybersecurity firm released a software update for Microsoft. But a defect in that update caused computer systems — and the businesses and services that run on them — to go into meltdown around the world.
Flights, hospitals, banks, emergency services, news outlets, and retailers were all impacted.
Aside from the global disruption, the incident was also one of the biggest PR nightmares a company could imagine. Not only was trust in CrowdStrike's services likely eroded, but the crisis proved just how fragile the world's reliance on tech really is.
But how well did CrowdStrike handle the situation?
Social media users wanted an early apology
As the blue screen of death multiplied around the world on Friday, CrowdStrike CEO George Kurtz made a series of public statements on X, LinkedIn, and the company website.
Addressing the cause, he made clear that the outage was "not a security incident or cyberattack" but was related to a "single content update for Windows hosts."
Kurtz assured customers they were still protected and said the issue had been "identified, isolated and a fix has been deployed."
It wasn't until several hours later that Kurtz issued an apology in a post on X and in media interviews — something that social media users were quick to point out and criticize him for.
Motti Peer, co-CEO of technology PR firm ReBlonde, which specializes in crisis management, told Business Insider that CrowdStrike's leadership team's response highlighted the good and bad ways to react to an event of this scale.
Kurtz's first response on Friday was critiqued online for being too impersonal and lacking candor, while his colleague — CrowdStrike CSO Shawn Henry — was praised for being forthright and empathetic to the impact in a LinkedIn post, he said. But this didn't come until three days after the outage hit.
"The difference between the two statements is vast and shows how subtle differences in approaching crisis responses can drastically alter how effective they are," Peer told BI.
"Although Kurtz's follow-up response sincerely apologized for the event, its initial absence makes it look delayed in any context and can make any future crisis communication seem disingenuous," said Peer.
Sean Griffin, CEO and cofounder of Disaster Tech, agreed that expressing empathy and showing respect were basic crisis communication principles that all leaders should deploy.
He believed Kurtz deserved credit for quickly engaging the media on Friday, apologizing, and promising solutions — even if social media users say the apology didn't come fast enough.
However, the CrowdStrike CEO could have provided more solutions for what those affected could do on their end as the situation was unfolding, Griffin said.
The steps to take in a crisis
Good crisis management can be boiled down to a few simple yet crucial steps, the two experts told BI.
Peer said the first step is to investigate what happened and understand the scale of the crisis. The next step is to apologize and take responsibility for the misstep.
"From there, companies should take every possible step to resolve the crisis quickly and effectively with consistent updates," he added.
"The company's leadership team must explain to their customers and community what proactive measures will be taken to prevent this crisis from repeating," he said.
Griffin said it is crucial to recognize the importance of having a resilient risk management framework and ensuring you have an experienced team to carry it out.
"Crises are part of human life, and it's not an 'if' yet 'when,'" Griffin said. "There is no way to avoid it, but there is an opportunity to prepare for it."
Look for a silver lining
The impact of the CrowdStrike outage has been estimated to cause losses of $5.4 billion for Fortune 500 companies, excluding Microsoft, according to an analysis by Parametrix, a cloud insurance provider.
Attracting new business after a billion-dollar global mess-up may seem unthinkable, but a major crisis doesn't have to be the end of a company, Peer said.
"While CrowdStrike's positioning took a major hit in both public sentiment and financial standing, it managed to mostly avoid the more outwardly negative response that some of its clients received for mishandling the outage," the ReBlonde co-CEO said.
"Delta, for example, shouldered a good amount of public frustration due to the outage affecting countless flights and millions of travelers," Peer added.
Griffin agreed that there could be a silver lining to the situation.
"For the companies that prepare and survive crises, the data shows that you generate revenue by gaining market share from competitors or seizing the unfortunate media attention as an opportunity to shine through adversity," he said.
But as disruption from the CrowdStrike outage slowly lessens, many remain concerned about the built-in potential for technology-reliant systems to crash and bring down all operations with them.
How can that crisis be avoided?
"Companies of any size should be operating with clear and robust contingency plans in case of such events," Peer said.
Griffin said his company, which provides crisis management software, is now reviewing its plans and policies to prevent the kind of tech failure CrowdStrike experienced. He recommended that others do the same.
"The bottom line is that crisis management is not a check the box; it is an evolution and requires continuous training, exercising, and learning to improve, especially as the nature of threats and types of incidents evolve."