How CrowdStrike customers within critical sectors ignore the obvious and follow the herd instinct of an industry …
I’m just wondering why (at least in Germany) the faulty[1] CrowdStrike update caused a whole series of critical infrastructures to fail. How am I to picture the purchasing process of CrowdStrike customers?
Purchaser to IT-manager:
‘But it says here in paragraph 8.6 of the terms and conditions[2]: “The offerings and Crowdstrike tools are not fault-tolerant and are not designed or intended for use in a hazardous environment that requires fail-safe performance or operation. Neither the offers nor the Crowdstrike tools are intended for use in aircraft navigation, nuclear facilities, communication systems, weapon systems, direct or indirect life-support systems, air traffic control or other applications or installations where failure could result in death, serious bodily injury or property damage.”’
IT-manager to purchaser:
‘Oh come on – it’s in there everywhere. I’ll take the risk.’
Perhaps this event will finally sharpen the responsible risk management functions’ sense of how critical an explicitly or incidentally declared acceptance of risk really is.
- [1] Short and concise explanation of the technical background for the flawed nature of the CrowdStrike agent from my former colleague Pieter Danhieux: Link to LinkedIn
- [2] https://www.crowdstrike.com/terms-conditions/