On 19 July this year, a software update released by cloud security company CrowdStrike caused global chaos across multiple industries. The impact on both businesses and consumers is said to have shaken public trust in the security of our public and private digital infrastructure.
Nowhere were the effects felt more than within the elite circle of CIOs responsible for billion-dollar companies. Mike Anderson, global CIO for US cloud security company Netskope, is one of these technology leaders who came out of the CrowdStrike incident with an even greater resolve to put resilience at the forefront of his role as CIO. Anderson notes that, in fact, resilience has always been a cornerstone of any cybersecurity strategy. “If you go back 20 years or more, it’s always been about the availability of systems and processes,” he says.
No amount of resources can ensure a zero cybersecurity threat level. A more pertinent question, says Anderson, is if something happens, how do you recover from it and restabilise your business?
With the widespread transition to cloud-based services there has been some shifting responsibility towards SaaS providers. “In my experience, even the largest vendors out there have had outages,” says Anderson. And so resilience and continuity of service remain a top priority for senior CIOs. “A resilience plan is the best defence against the inevitable,” adds Anderson.
CrowdStrike happens to be a Netskope partner and vendor. On the outage, Anderson notes, “we caught it very early in the process and were able to mitigate a lot of issues for us internally.”
As for the wider technology market, the incident has reinforced the idea of resilience within the broader cybersecurity conversation because no one had asked the question before: “What happens if the tools we buy to protect us have an issue? How do we respond to that?” says Anderson, who has seen an uptick in customers looking for assurance on this point.
Building digital resilience within the enterprise
One resilience solution for well-resourced larger organisations is to devise a secondary infrastructure option in case the primary goes down. “For larger enterprises, minutes or hours in downtime sometimes have huge revenue implications,” says Anderson, noting that Delta Airlines estimates the CrowdStrike incident will result in a loss in the region of $440m.
Some two weeks after the CrowdStrike outage, a Microsoft outage in late July, caused by a distributed denial-of-service attack, saw many of Anderson’s peers scrambling to maintain business continuity. “It was almost like a double-whammy for a lot of people,” says Anderson.
Though incidents like these appear to be increasing in frequency, a commensurate increase in corporate cybersecurity spend would not necessarily help. The CrowdStrike outage demonstrated a failure of quality assurance processes, which points to necessary improvements in governance.
Anderson says Netskope is customer zero for all its technology offerings. “If something breaks, I’d rather it breaks for us before it ever breaks for a customer,” he adds. A critical component of any resilience plan is rigorous testing before tools and updates go live. “We don’t just automatically take every Microsoft update as soon as it happens. We’ve always had testing labs that test those patches and updates to make sure they don’t break things. We should have that same rigor with any technology,” says Anderson.
Smaller companies, harder problem
This is more of a challenge within smaller companies, but Anderson has known a number of CISOs who have left industry for nonprofits focused on helping SMEs build cybersecurity programs.
Smaller companies often only have one or two people who are basically running their cyber program internally, something that Anderson likens to going to war with a Swiss army knife. The cost of having the right backup tools in place in case of an outage is something that only large enterprises can generally absorb.
So, what is the best option for smaller organisations? On this question, Anderson is frank. “I don’t have a good answer for you,” he says. Choosing the right partner and asking the right questions in an evaluation process is critical to establishing that the vendor has rigorous testing protocols.
How will AI impact resilience planning?
Widespread adoption of generative AI has opened yet another aperture for the threat actor. Resilience against this new threat involves unfailingly testing the output of any generative AI result, what Anderson describes as ‘a human in the loop’, for the foreseeable future because the technology is not reliable enough yet.
“If you ask a Gen AI model the same question five times, you may get five different answers. That’s why we still have a human in the loop even if the ability to ingest structured and unstructured data, assemble that, and then come up with a point of view, at the speed which generative AI can do that is very impressive,” says Anderson. As always, the devil is in the detail and, for now, the level of automation an organisation chooses can be calibrated against risk tolerance parameters based on the potential impact.
The time between identifying a critical vulnerability and the action of implementing a fix is the period of greatest risk for an organisation. AI has the potential to shorten this period through automated threat detection and subsequent fixes. But there is some way to go before we “take the human out of the loop” and reach an acceptable level of trust in AI fixes.
So much of cybersecurity comes down to trust. But Anderson notes that trust is “earned by the teaspoon and lost by the bucket.” This is an industry-wide barrier post-CrowdStrike outage as a greater focus on operational threat has emerged. “What happens if one of our critical technology capabilities or systems fails on us or has an outage? What’s that impact on our business?” says Anderson, who holds up utility companies, in general, for their good track record on resilience processes. “I think that’s the mindset we should have as companies. How do we make sure that we continue to provide critical services to our employees, to our customers?”
Throughout the Covid-19 pandemic, IT organisations developed a hero status for the continuity and resilience they provided. While subsequent major disruption like the CrowdStrike outage may have eroded this goodwill, CIOs like Anderson will continue in their mission to keep enterprise digital infrastructure up and running under all circumstances, aspiring to every CIO’s mantra of “no news is good news.”