On 19 July 2024, a faulty CrowdStrike Falcon sensor content update blue-screened Windows hosts worldwide, causing significant disruptions to high-profile industries such as transportation, healthcare, and financial services.
Now that the world has largely recovered, the most forward-minded chief information security officers (CISOs) are treating the incident as an opportunity for continuous improvement. How can they keep a similar incident from having such a disastrous impact on their organization in the future?
Most CISOs have long recognized the importance of board communication for buy-in and decision-making. Incidents like the Falcon outage and its prolonged fallout have further illustrated how much the CISO-board relationship determines how quickly an organization's incident response and disaster recovery programs can act.
This article presents strategies CISOs can employ to strengthen their relationship with their board of directors. It also identifies several lessons from the CrowdStrike incident that CISOs can use to improve their board's understanding of what happened, turning awareness into action.
How to foster communication with your organization’s board of directors
Fostering communication with your organization’s board of directors is a continuous process. You need to learn how each board member communicates and use this information to craft compelling narratives that connect around the room. Establishing clear communication with the board isn’t always easy, but doing so when your organization is operating smoothly is one of the most effective ways to improve the speed of decisions, calibrate your incident response and disaster recovery processes, and galvanize your organization during unforeseen cyber incidents.
If you’re looking to start improving your relationship and effectively communicating with your organization’s board of directors today, start by following these steps:
1. Ensure your board fully understands cyber risks
One of your primary responsibilities as a CISO is to educate your board on the impact potential internal and external cyber risks can have on the business.
Each board member will likely have a different understanding of your organization's threat landscape. Some may still think of cybersecurity mainly in terms of threat actors and malicious hackers. Others may have a basic understanding of vendor risk management (VRM) but not appreciate that a failure at a trusted vendor can be just as devastating as a deliberate attack, or that a weakness in a fourth party's attack surface can cause significant complications for you.
CrowdStrike, MOVEit, and other significant cyber incidents present an excellent opportunity to revisit how vendor risks can affect your supply chain, business continuity, and overall operations. Capitalize on this momentum by reiterating your organization's primary risks, discussing the importance of your mitigation strategies, and introducing the improvement opportunities you've already identified.
2. Emphasize the need for a proactive approach
The organizations that responded best to the CrowdStrike outage were the ones that had prepared. A proactive approach to risk management lets your organization build its defenses before a threat materializes. You know this. Your board must also be on the same page to greenlight the resources needed to move from reactive to proactive risk management.
If the board is not persuaded by the case for proactive risk management, frame it in terms of business value. Some proactive strategies require a significant initial investment, but they pay for themselves the first time a widespread cyber incident fails to halt your organization's operations.
You can also show that proactive risk management is becoming an essential component of many cybersecurity frameworks and regulations, such as the NIST Cybersecurity Framework and ISO/IEC 27001. Don't rely on this as your primary argument, however: installing cybersecurity measures only because regulations demand them is still a reactive process.
3. Illustrate the board's importance
As you know, a culture of cyber resilience and ongoing risk management starts at the top. One good way to improve your relationship with your board and the effectiveness of your communications is to take the "we're all on the same team" approach.
Discuss how holistic cybersecurity and comprehensive vendor risk management require effort from every board member, C-suite executive, and department manager. Outline the projects or initiatives you're working on and the direct impact the board will have on them. Why are they necessary? And how can the board help you achieve success?
Strategies for communicating with your board after CrowdStrike
Another strategy to improve communications with your board is to deliver takeaways you’ve learned from CrowdStrike. Presenting these lessons will show you’re committed to continuously improving your organization’s cyber health and developing strategies to decrease the impact of incidents in the future.
Using CrowdStrike as a case study is also a great way to use relevant, real-world examples as a catalyst to improve engagement and understanding.
If you’re keen to communicate about CrowdStrike with your board of directors, consider these takeaways:
Overview of the incident, its impact, and fallout
Start by providing an overview of the incident and its impact. Most board members will be aware of the event generally but may need help understanding how it happened or the steps CrowdStrike and Microsoft took to remediate the incident.
For example, board members may not know that CrowdStrike's initial workaround required each affected host to be booted into Safe Mode or the Windows Recovery Environment so that the defective channel file could be deleted by hand. They may also need help appreciating how hard that is at scale, especially if your organization has hundreds or thousands of computers and must first retrieve a BitLocker recovery key for every encrypted disk before anyone can touch it.
Furthermore, your board may not be aware that some organizations probably disabled CrowdStrike altogether to get back online. Explaining how this could have left your vendors (and subsequently you) exposed to attacks while the agent was off presents another opportunity to expand your board's understanding of the widespread impact cyber incidents can carry.
The importance of incident response
While it’s essential to calibrate your security program to defend against the broadest array of risks, avoiding every cyber incident is impossible. Your organization needs a dedicated incident response plan to identify, mitigate, and remediate unforeseen incidents as efficiently as possible.
Organizations with a dedicated incident response plan responded to CrowdStrike quickly, isolating the issue, remediating it, and reducing downtime.
While some may mistake incident response for the sole responsibility of the IT team, CrowdStrike-type incidents affect every layer of an organization, across departments and stakeholders. Educating your board on the importance of a multi-disciplinary approach to incident response is essential. Justify the need to involve additional parts of the business and its stakeholders so that remediation proceeds efficiently.
The need for backup and recovery strategies
The organizations hit hardest by CrowdStrike may have lost a fifth of their quarterly capacity in some IT and security teams. CISOs at these organizations face a dilemma: reset their targets or pay for additional resources to replace the lost capacity.
If this scenario resembles the one at your organization, you need to address this lack of resilience and communicate your findings and recommendations to the board. At the very least, you should develop some form of backup or recovery strategy that can better support your organization during a cyber crisis.
In general, there are three courses of action you can take depending on the level of resources you can allocate towards a solution:
Low resource expenditure
Start by slowing the path updates take into critical production workloads and environments: categorize each software component into one of two stacks.
- Lower disruption risk: components that run with ordinary privileges and are unlikely to interfere with the layers underneath them (the OS kernel, the TCP/IP stack, and other drivers).
- Higher disruption risk: components that run in or next to the kernel, or sit on the network path, so that a single defect can take the whole host or its communications down. Endpoint security agents and their content updates belong here, as do driver and OS updates. Ask: could this component critically interfere with your network, communications, or other operations, and does it increase security or productivity risk?
Components with lower disruption risk can be deployed after minimal due diligence, while higher-risk components should be thoroughly vetted and evaluated before installation.
You'll also need to consider special circumstances in which you cannot afford to delay the rollout of a higher-risk component, such as an update that closes a zero-day vulnerability under active exploitation. Even then, push it to a small canary ring first: a host-crashing defect shows up within minutes, and that short delay is far cheaper than a fleet-wide outage.
Medium resource expenditure
Subject every security software component that could disrupt critical production workloads to the same change scrutiny reserved for OS and general application updates. Inventory them, then perform at least minimal smoke testing on a representative canary ring to identify significant impacts or the possibility of disruption before the update reaches critical environments.
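The two-stack classification from the low-resource option and the canary-ring testing from the medium-resource option can be encoded as a single deployment gate. The following is an added example, not UpGuard's, CrowdStrike's or any vendor's code: the component names, privilege levels, thresholds and canary reports are constructed for illustration, and the policy (lower-risk components pass on minimal due diligence; higher-risk components must survive a canary soak; an emergency shortens the soak but never skips the canary) is one reasonable reading of the text, not the page's own procedure.

```python
"""Risk-tiered update gating for production endpoints (added example).

Component names, privilege labels, thresholds and canary reports are
constructed for illustration and are not taken from any real product.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Tier(Enum):
    LOW = "lower disruption risk"
    HIGH = "higher disruption risk"


# Privilege levels at which a misbehaving component can take a whole host down.
# Assumption: an illustrative list; extend it to match your own estate.
KERNEL_ADJACENT = {"kernel_driver", "filesystem_filter", "network_filter", "boot_component"}


@dataclass(frozen=True)
class Update:
    component: str
    version: str
    privilege: str           # "user", "service", or one of KERNEL_ADJACENT
    touches_network: bool = False
    emergency: bool = False  # e.g. closes a zero-day under active exploitation


@dataclass(frozen=True)
class CanaryReport:
    hosts: int          # canary-ring hosts that received the update
    healthy: int        # hosts still healthy at the end of the soak
    soak_hours: float   # how long the update has run on the ring


def classify(update: Update) -> Tier:
    """Anything kernel-adjacent or on the network path is higher disruption risk."""
    if update.privilege in KERNEL_ADJACENT or update.touches_network:
        return Tier.HIGH
    return Tier.LOW


def decide(update: Update, report: Optional[CanaryReport] = None,
           min_healthy: float = 0.98, min_soak_hours: float = 24.0,
           emergency_soak_hours: float = 1.0) -> Tuple[str, str]:
    """Return (action, reason); action is promote, expedite, hold or rollback.

    Lower-risk components go straight through. Higher-risk ones must first
    survive a canary ring. An emergency shortens the required soak but never
    skips the canary, because a host-crashing defect shows itself within minutes.
    """
    if classify(update) is Tier.LOW:
        return "promote", "lower disruption risk: minimal due diligence"
    if report is None or report.hosts == 0:
        return "hold", "higher disruption risk: no canary-ring result yet"
    ratio = report.healthy / report.hosts
    if ratio < min_healthy:
        return "rollback", f"canary health {ratio:.0%} below {min_healthy:.0%}"
    required = emergency_soak_hours if update.emergency else min_soak_hours
    if report.soak_hours < required:
        return "hold", f"soak {report.soak_hours:g}h shorter than required {required:g}h"
    action = "expedite" if update.emergency else "promote"
    return action, f"canary {ratio:.0%} healthy after {report.soak_hours:g}h"


def plan_rollout(updates: Iterable[Update],
                 reports: Dict[str, CanaryReport]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every pending update against its canary report, if one exists."""
    return {u.component: decide(u, reports.get(u.component)) for u in updates}


# Constructed sample batch: a content update that crashed its whole canary ring,
# a VPN client that is healthy but has not soaked long enough, an emergency
# hotfix on the network path, an ordinary productivity app, and a driver with
# no canary result yet.
SAMPLE_UPDATES = [
    Update("edr-content-update", "7.15-c1", "kernel_driver"),
    Update("vpn-client", "5.2.0", "service", touches_network=True),
    Update("mail-gateway-hotfix", "3.4.1", "network_filter", emergency=True),
    Update("office-suite", "2024.6", "user"),
    Update("disk-encryption-driver", "9.0", "kernel_driver"),
]
SAMPLE_REPORTS = {
    "edr-content-update": CanaryReport(hosts=50, healthy=0, soak_hours=0.1),
    "vpn-client": CanaryReport(hosts=40, healthy=40, soak_hours=6.0),
    "mail-gateway-hotfix": CanaryReport(hosts=20, healthy=20, soak_hours=1.5),
}

if __name__ == "__main__":
    for component, (action, reason) in plan_rollout(SAMPLE_UPDATES, SAMPLE_REPORTS).items():
        print(f"{action:9s} {component:24s} {reason}")
```

The thresholds are the knobs a change advisory board would own: the healthy fraction and soak time for higher-risk components, and the shorter emergency soak. Note that a zero-healthy canary ring produces a rollback regardless of the emergency flag, which is the behaviour you want from a gate whose job is to stop a fleet-wide crash.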
High resource expenditure
Address concentration risk head-on by enacting policy changes and diversifying your architecture into distinct layers built on different technology and production stacks. Start by making it possible for a software agent to fail without taking down all of your service capacity.
One way to achieve this is to run two separate protective security stacks on different portions of your workload capacity, so that a defect in one agent leaves the hosts protected by the other untouched. This adds complexity and operational risk that your risk management program will need to address, but in high-maturity environments (infrastructure-as-code, configuration-as-code, modern change management discipline, and automation) the added risk is smaller and the option becomes attractive.
If you present this solution to your board, be sure to communicate the disadvantages. You'll likely need resources to cover the increased costs (additional vendor management, licensing, internal or managed service capability), and a second agent with kernel-level access expands your attack surface and your patching burden.
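Splitting capacity across two stacks only helps if each critical service actually has hosts on both. The check below is an added example, not UpGuard's or any vendor's tooling: given a host inventory that records which protective stack covers each host and which critical services it carries (the inventory, stack labels and service names are constructed for illustration), it computes how much of each service survives if one stack fails outright, the CrowdStrike pattern, and how many hosts would have to move to meet a survival target.

```python
"""Concentration-risk check across diversified security stacks (added example).

The inventory below is constructed for illustration; stack labels "A"/"B" and
the service names are assumptions, not taken from any real environment.
"""
from collections import defaultdict
from math import floor
from typing import Dict, List

# Constructed inventory: which stack protects each host and which critical
# services it carries. A host may serve several services.
HOSTS = [
    {"host": "pos-01", "stack": "A", "services": ["payments"]},
    {"host": "pos-02", "stack": "A", "services": ["payments"]},
    {"host": "pos-03", "stack": "A", "services": ["payments"]},
    {"host": "pos-04", "stack": "B", "services": ["payments"]},
    {"host": "pacs-01", "stack": "A", "services": ["radiology"]},
    {"host": "pacs-02", "stack": "A", "services": ["radiology"]},
    {"host": "pacs-03", "stack": "A", "services": ["radiology"]},
    {"host": "web-01", "stack": "A", "services": ["web", "api"]},
    {"host": "web-02", "stack": "A", "services": ["web", "api"]},
    {"host": "web-03", "stack": "B", "services": ["web", "api"]},
    {"host": "web-04", "stack": "B", "services": ["web", "api"]},
]


def capacity_by_stack(hosts) -> Dict[str, Dict[str, int]]:
    """service -> {stack: number of hosts carrying that service}."""
    table = defaultdict(lambda: defaultdict(int))
    for h in hosts:
        for svc in h["services"]:
            table[svc][h["stack"]] += 1
    return {svc: dict(per) for svc, per in table.items()}


def concentration_report(hosts, min_surviving: float = 0.5) -> Dict[str, dict]:
    """Model the worst case: the stack carrying the most hosts for a service
    fails entirely, taking every host it protects offline at once.

    For each service report the surviving fraction of capacity, whether it meets
    min_surviving, and how many hosts must leave the dominant stack to get there.
    """
    report = {}
    for svc, per_stack in capacity_by_stack(hosts).items():
        total = sum(per_stack.values())
        dominant, biggest = max(per_stack.items(), key=lambda kv: kv[1])
        surviving = (total - biggest) / total
        # The dominant stack may hold at most floor((1 - min_surviving) * total) hosts.
        allowed = floor((1 - min_surviving) * total)
        report[svc] = {
            "total": total,
            "by_stack": per_stack,
            "dominant": dominant,
            "worst_case_surviving": surviving,
            "ok": surviving >= min_surviving,
            "hosts_to_move_off_dominant": max(0, biggest - allowed),
        }
    return report


def flagged_services(hosts, min_surviving: float = 0.5) -> List[str]:
    """Critical services that would drop below the survival target."""
    rep = concentration_report(hosts, min_surviving)
    return sorted(svc for svc, r in rep.items() if not r["ok"])


if __name__ == "__main__":
    for svc, r in concentration_report(HOSTS).items():
        status = "OK  " if r["ok"] else "RISK"
        print(f"{status} {svc:10s} {r['by_stack']} worst-case surviving "
              f"{r['worst_case_surviving']:.0%}; move {r['hosts_to_move_off_dominant']} "
              f"host(s) off stack {r['dominant']}")
```

Run against the sample inventory, payments and radiology are flagged (a single stack carries three of four and three of three hosts respectively) while web and api pass at an even two-and-two split. The model deliberately covers only an agent-level failure: it says nothing about a fault both stacks share, such as the operating system beneath them, which a second security vendor does not diversify.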