It happened on a hot July morning. Millions of Microsoft users woke up and turned on their computers to see an unexplainable blue screen with a menacing frown. They were told their PC ran into a problem and needed to restart. Innocently, the computer said it was just collecting some error information and would then restart. Little did everyone know they were waiting to be brought into a never-ending loop of restart messages with no clear way out.
This is not the start of a Stephen King novel, rather it is a real-life retelling of what happened when global cybersecurity company CrowdStrike launched a faulty update into its cloud-based security software. The global IT event, as it came to be known, disrupted airlines, banks, medical facilities, and workers everywhere. CFOs got a firsthand look at exactly what could go wrong when one update from a third-party software vendor imperils an entire IT infrastructure. The lessons from this day reverberate now, leading CFOs to consider how they can make their organizations more cyber resilient.
Cyber resilience, or complete confidence that one’s IT infrastructure can sustain hardware and software glitches as well as human error, is difficult to measure. As more and more small, mid-sized, and large organizations use third-party cybersecurity software, risks are multiplied instead of minimized. CFOs must work collaboratively with CIOs on the selection of software vendors and business continuity plans for both minor and major failures of these vendors’ software.
Chris Evans, Principal Analyst at ArchitectingIT.com, offered some perspective on how CFOs can approach making business continuity plans for “mass failure” events:
- “In my experience (over 35 years in commercial IT), most businesses underestimate the dependency of IT systems and the impact of their failure. The cost/benefit model is typically skewed towards an assumption that systems will rarely (if ever) fail, and if they do, they will fail individually. A “mass failure” scenario is rarely considered because most outages are caused by hardware problems.”
Planning for the worst-case scenario (that is not focused on fixing hardware) is one strategy. Others have also weighed in on what smart CFOs can do to mitigate risks from third parties involved in their technology stack. For example, Martha Heller, CEO at executive search firm Heller Search, said:
- “Every organization needs to request in-depth information from XDR [extended detection and response] vendors regarding kernel access (CrowdStrike’s kernel access is key to its offerings and cited as the major culprit in the widespread outage). Even if you don’t use CrowdStrike, other endpoint security vendors likely have kernel access and companies should understand the extent of that access and potential exposure.”
In today’s complex organizations, CFOs own risk management. Crisis brought about by technology will certainly fall under the CFO’s accountability as they can negatively impact brand reputation, earnings, and customer trust. A recent Strategic Finance article underscored the importance of CFOs building strong relationships with CIOs for mitigating enterprise risk.
Like any resilience plan, cyber resilience will not happen overnight. But CFOs who apply the lessons learned from the CrowdStrike incident and who plan for other events like it to happen in the future will be in a better position to help their organizations recover quickly and efficiently.