The year’s biggest IT disruption so far did not, in fact, come from a mustache-twirling ransomware supervillain, but a “botched update” from cybersecurity firm CrowdStrike. The resulting global Microsoft Windows outage disrupted businesses of all sorts, including critical services like airlines and hospitals, the New York Times reported.
Now that the dust has mostly settled (the troubles for some organizations, such as Delta, lingered), experts spoke with CFO Brew about the lessons finance leaders should take away from the outage. The outage, they explained, highlights the need for serious business continuity planning and underscored the growing importance of the CIO-CTO relationship.
Jennifer Elder, who’s an expert at contemplating all the disruptive events that a business may experience, told CFO Brew, “My first thought was, ‘I’m surprised this hasn’t happened already.’”
What’s the issue? In an incident summary, CrowdStrike wrote that the issue originated with a bug in its “Rapid Response Content.” The flaw had gone undetected during validation, but when loaded by CrowdStrike’s Falcon sensor, it caused Windows systems to crash.
“We have all become so dependent on technology that it’s become almost like air or water,” Elder, who is CEO of The Sustainable CFO and coauthor of Faster Disaster Recovery, said. “We just assume it’s going to be there and [have] forgotten about redundant systems.”
The data backs up Elder’s comments.
One-fifth of organizations surveyed a year ago by the Business Continuity Institute (BCI) pegged an IT or telecom outage as the most impactful disruption to operations from the previous 12 months. This made the category the most common big disruptive event of that period, easily topping critical infrastructure failures (10.9%), extreme weather (10.2%), and even cyberattacks (6.1%).
In a recent report, BCI placed IT or technology outages among the top five business disruption risks in both the short (12 months) and long term (five to 10 years). “Technology has been the most disruptive element that organizations have suffered over the last seven years,” according to the report.
Expect the worst. Elder said the CrowdStrike outage served as an IT risk wake-up call for organizations, the same way the Covid-19 pandemic did for fragile global supply chains. She advised that, when crafting business continuity plans, organizations should identify their most vital operational functions and what it would take to quickly restore them once a major incident like the recent outage occurs. One method is having redundant systems—not necessarily to serve all company functions, but at least the critical ones.
“When companies are doing business continuity planning, they often tend to do it based on a specific event,” such as companies located on the East Coast focusing on hurricanes or Midwestern ones zeroing in on tornadoes, Elder said.
“You want to do it based on the effect to your organization, so then it really doesn’t matter what the event is,” she said. “If your power goes out due to a hurricane, or your internet goes out due to a bad update, it’s still the same impact: You don’t have access to your IT.”
Get ready to learn IT, buddy. For Alexander Bant, chief of research for CFOs at Gartner, the CrowdStrike outage highlighted the growing need for CFOs to rethink their relationship with tech leaders in their organization—namely, the chief information officer (CIO).
Bant separated organizations’ approach to CIO-CFO relationships into the “old world” and “new world.” The old way is characterized by the CIO running a “centralized, shared base of resources that supplied capacity to the rest of the organization.” The modern method has business leaders instead “focusing on the demand that the business needs.”
“What we see is, at the best organizations, the CIO and CFO are collaborating not only on efficiency of the supply but effectiveness of what is being provided to the business,” Bant said. “And so we really feel like the best organizations out there are investing in a CFO and CIO relationship that focuses more on value.”
The CIO needs to understand all facets of their department’s budget and be able to talk finance with the CFO, Bant said.
“The best partnerships are formed where the CFO is not coming with costs to be cut, but the CIO is being proactive about low-hanging fruit in terms of costs that can be removed from their organization,” he said. “And that really makes for more constructive budgeting conversations about growing the total business capabilities moving forward.”
The CFO, on the other hand, should work more closely with the CIO to educate other C-suite leaders and board members “about how they’re guarding against risks and their recovery plans when things do go wrong,” Bant explained.
“CFOs need to understand that these risks are embedded into their business; they [need to] understand what levers they can pull, from a financial standpoint, to mitigate them when things do pop up, and then they [need to] have done proactive education with the C-suite and the board on how they will recover, inevitably, when the next thing happens,” he said.