Albert Einstein famously defined insanity as doing the same thing over and over again and expecting different results. This notion seems strikingly relevant when looking at CrowdStrike and George Kurtz.
Back in 2010
Under the leadership of George Kurtz, then CTO of McAfee, a faulty update was pushed in April 2010 that caused McAfee to mistakenly identify the vital system file svchost.exe as a virus. This led to Windows crashes, the notorious Blue Screen of Death (BSOD), and large-scale disruptions and outages. Some say this incident was so impactful that it played a role in McAfee’s eventual sale to Intel in August 2010.
Now in 2024
Fast forward to today, and George Kurtz, now CEO of CrowdStrike, has caused yet another catastrophic outage. Recent updates have led to Windows systems crashing once again, causing global outages from the airline industry to hospitals, and reviving the dreaded BSOD.
Unprecedented Financial Fallout
This recurring issue highlights a critical lesson: the architecture of legacy security systems is flawed. The same individual, George Kurtz, was involved in both major outages over the years, which signifies a systemic problem caused by a flawed architecture. The damages from these kinds of outages are growing, just as the damages from cyber breaches are becoming more severe. This situation is a testament to the growing hidden costs of legacy security architectures, which you can read more about here.
Embracing Zero Trust
As cyber threats escalate, it’s imperative to adopt Zero Trust principles, as detailed in this blog. I issued this warning of “act now or pay later” to insurance companies on June 9, 2024, in my blog, and it has now become a reality where they have to start paying insurance claims. Cyber insurance companies and organizations must champion Zero Trust architecture now, or face increasingly dire consequences.
The current architecture is not just broken; it’s fundamentally flawed and needs a complete overhaul. In cybersecurity, it’s not only the architecture that’s flawed, but also the evaluation and trust mechanisms. Cybersecurity is often sold on the strength of marketing rather than verifiable and third-party validated historical performance data, as I discussed in this blog. There’s a glaring lack of transparency among cybersecurity vendors, which is particularly troubling given that businesses are expected to be transparent while those who are supposed to protect them remain hidden. This issue is explored in more detail in this blog.
The current architecture is broken; it’s flawed! It’s time for a change!
Fool Me Once, Shame on You; Fool Me Twice…
There’s an old saying: “Fool me once, shame on you; fool me twice, shame on me.” But what do we say when it’s not only the same thing, but the same person, and we expect a different result? It looks like we need a new saying for falling for the same flawed architecture repeatedly. Maybe, “Fool me thrice, time for new advice!”