Lessons From the “Near Miss”
8–26–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, August 26, 2024, and we’re continuing to see fallout from the CrowdStrike outage last month - at both CrowdStrike, and Microsoft.
Let’s dig in to these lessons from a “near miss” and see if we can’t learn something that benefits everyone, even if we weren’t impacted.
Lessons From the Near Miss
First of all, I can already see some pushback on this notion that this was a “near miss” - just ask the Delta COO, Mike Spanos, who is now out after only a year in the job.
Don’t feel too bad for Spanos, though. Reporting notes that Spanos “didn’t lead the response to the CrowdStrike disaster because he was new to the industry” - and is getting a severance that includes 18 months of his salary, with the article noting he made “a whopping $8.6 million in 2023.”
To put a finer point on this story, “Delta said it would not replace Spanos’ role. Instead, two executives who reported to the COO will now report to [CEO Ed] Bastian.” Have to wonder how much value that COO was actually adding.
Meanwhile, the Wall Street Journal ran an article with the headline “CrowdStrike’s Big Mystery: How Bad, and for How Long?” - in anticipation of their Q2 earnings. Their conclusion is that “Even a decent earnings report may not put CrowdStrike back on safe ground,” noting the long-tail impact of the event isn’t even going to be represented in this earnings report, as the incident took place in the last two weeks of the quarter and typical reporting metrics for cloud software firms such as Annual Recurring Revenue are non-standard accounting terms. “Friday’s closing price has CrowdStrike trading just under 15 times forward sales—the highest among cybersecurity peers and the second-highest among the 65 cloud-software companies on the BVP Nasdaq Emerging Cloud Index, according to data from FactSet.”
That doesn’t seem to be much mystery, and likely this event is already priced in. The lessons to learn, of course, are on preventing future outages caused by the same or similar mistakes - something CrowdStrike and other Endpoint Detection and Response (EDR) companies are no doubt focused on.
We know they’re focused on it because the Financial Times is reporting that “Microsoft plans Windows security overhaul after CrowdStrike outage” - including hosting “a summit next month for government representatives and cybersecurity companies, including CrowdStrike, to ‘discuss concrete steps we will all take to improve security and resiliency for our joint customers.’”
This, of course, is the key - these joint customers - all of us - buy products from Microsoft (or Google or Amazon) as well as CrowdStrike (or SentinelOne, or VMware, or Sophos, etc.). They’re incentivized in a number of ways to play nice together. This summit’s discussions will likely center around the technical details of how these vendor platforms need to access the kernel level of the operating system, and the risks inherent in that design structure, which are lightly mentioned in the article - but we don’t need to be technical experts to understand that there’s risk in all of this.
Instead, let these near miss situations become the stone that sharpens our strategic blades. What do I mean by that?
First of all, and most straightforward, is to make sure you’ve got plans in place to respond to a similar incident in your enterprise if you didn’t experience the outage back in June. This might include ensuring you’ve documented:
How you’d carry out business as usual without some or all of your technology stack available
Response procedures, especially if you’re distributed and it’s more complicated than just having the IT folks walk around the office fixing machines
Communication, internally and externally, as well as the channels you’d use to do that if your primary mode (likely email) was down.
But beyond that, it’s what you DON’T do that results in better strategic decisions. For example - DON’T move to rashly replace CrowdStrike. You’ve already made the strategic decision to choose this platform over a myriad of competitors and a market full of substitute goods (almost all of which are lower-priced). Don’t throw that thinking away, as your technical requirements haven’t changed, and there’s no way for you to guarantee that this type of incident is any less likely on any other platform (though CrowdStrike would make the case, somewhat convincingly, that theirs is now the least likely platform on which this might occur / recur).
Additionally, it’s worth figuring out where your line in the sand is on systemic or catastrophic events. If all Windows computers around the world were down, for example, is that a scenario worth building entire plans about? Probably not - unless you’re Microsoft. Even in the healthcare or financial services space, there’s a limit to the return on investment for contingency plans.
Knowing where those lines are for yourself and your enterprise keeps you from going down the rabbit hole and throwing resources at things with diminishing returns.
So - from this near miss - be ready to answer executive questions, have a plan to address reasonably foreseeable incidents, leverage previous strategic decisions where the priorities remain in place, and learn to live with a certain amount of inherent risk.
I know it’s not always the most comforting answer, but it’s the most reasonable one for all of us.
Fundraising
From a fundraising perspective, very light week with only 2 fund announcements, but it just so happened that one is a blockbuster $18.5B from HarbourVest Partners for their 11th private equity secondaries fund. Specifically, Dover Street XI oversubscribed at $15.1 Billion, with additional allocations to Secondary Overflow Fund V closing at $3.4 Billion. Congrats to that team - the track record of tremendous returns is clearly driving interest and commitment from LPs, even in this difficult market.
Meanwhile, in VC land, some brutal analysis from the Financial Times, noting that:
“Start-up failures in US up 60% over past year” and
Only 9% of funds raised in 2021 have returned any capital to their investors - lagging the previous vintages from 2017, 2018, 2019, and 2020 at this same three year mark.
As always, hard to extrapolate exactly what this means, other than the fact that early stage remains a hard space, and returns - even at early stages - are significantly delayed.
I think reading that this means those returns won’t come is likely an over-reach, but rather that the hottest commodity in the investor world - whether you’re early stage, late stage, or public - is patience.
With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://qz.com/delta-coo-mike-spanos-leaving-company-crowdstrike-1851630253
https://www.wsj.com/tech/cybersecurity/crowdstrikes-big-mystery-how-bad-and-for-how-long-fb19e692
https://www.ft.com/content/0cd35741-8002-4cb7-9eb2-8e0933b6331a
https://www.ft.com/content/71f6551a-90c5-4ba5-b314-7f3b0c000551