Risk-averse thinking deepened the CrowdStrike fiasco
It was one of the largest IT outages in history. CrowdStrike single-handedly delivered the chaos we were told to fear a generation ago with the Y2K bug.
CrowdStrike is a third-party security software company. Its security code runs at Microsoft Windows’ kernel level, the core part of the operating system, with direct access to system memory and the computer’s hardware.
Most of the time when software goes wrong the damage is limited: the system may act strangely, but the computer doesn’t fail at a fundamental level, because the operating system confines an ordinary program’s faults to that program. That isn’t the case when software messes with the kernel. Kernel code runs inside no such boundary, so a fault there takes the whole machine down; on Windows that means a bug check and the blue screen millions of users saw.
The fault only affected Windows computers, which put Microsoft at the centre of the storm, yet that company was quick to distance itself. It blamed the European Commission, pointing to a 2009 agreement under which it gives third-party security vendors the same level of kernel access as its own products. At The Register Richard Speed pulls that argument apart.
While Microsoft is not directly to blame for CrowdStrike’s botched update, it shoulders some responsibility. It created the conditions where a stuff-up of this nature was always going to happen.
Microsoft has a grip on enterprise computing. Far too many large organisations that should know better rely on Microsoft software to run key systems.
Linux may do much of the heavy lifting running enterprise servers around the world, but Microsoft dominates a number of specific markets. We saw this last week: many of the world’s largest airlines suffered a similar fate. They were all Microsoft customers.
Monoculture
You can’t go as far as saying there is a single enterprise IT monoculture: Linux plays too big a role. But there are pockets of enterprise IT monoculture. In those pockets, enterprises put too many eggs in the Microsoft basket. When the basket breaks, it’s the enterprises that crack.
Ironically, the main reason for this is risk-averse thinking.
A familiar corporate mindset that can be traced back to the dawn of the computer age was, at least in part, responsible for the extraordinary international fallout.
Those who can remember big business computing in the 1970s (it wasn’t called enterprise computing in those days) will have come across the phrase nobody gets fired for buying IBM. 1
The phrase is simple enough, but its meaning is multilayered. Let’s look at two levels.
Default option
On the most straightforward level, IBM was the default option. So much so that at times it could be hard to find an alternative.
During the 1960s and 70s the company dominated key computer markets. It was especially strong in mainframes. At its peak IBM represented about 75 per cent of the market. More so in some countries. This strength meant its influence spilled over beyond the computer realm.
Buying IBM was a safe move from a career point of view, because, up to a point, it was what everyone else did. They’d all sink or swim at the same time.
You don’t need to be best or cheapest
IBM wasn’t necessarily more reliable or better than its rivals. It certainly was not cheaper. Yet if an individual manager or a management team decided to get a mainframe from, say, Burroughs, and things did go wrong, that decision could be career-ending.
There are many documented examples of the second, nastier, aspect of nobody gets fired for buying IBM. IBM executives had a habit of leaning on board members and company chairmen, calling in favours, and asking them to remove decision makers thought to be in favour of buying from alternative computer makers.
In the US the pressure might be over a bourbon at a country club. In the UK it would be at a gentlemen’s club. There were similar institutions in other countries. Old boys networks would often smooth the path of major business transactions. IBM was especially good at this.
Either way, not choosing IBM could put an executive’s job in jeopardy. In extreme cases this may be despite an alternative being a better fit for the business.
The point here is not to reveal how awful IBM was in those days but to set the scene for today.
Barbarians at the gate
Microsoft was the barbarian at IBM’s gate from the 1980s on. Eventually it knocked down that gate and took over as the key industry monopoly.
Within a few years of Kublai Khan’s conquest of China, the new rulers picked up many of the customs and practices of the Song dynasty his family replaced. After all, the defeated emperor’s clan knew a thing or two about exercising power.
In a similar fashion Microsoft learnt from IBM how to maintain a firm grip on enterprise computing markets.
You don’t hear about it so much today, but like IBM before it, Microsoft is the default choice, the easiest choice, the nobody-gets-sacked choice for enterprise computer customers. Buying enterprise systems from Microsoft is risk-averse thinking.
A safe choice?
Likewise, many major corporations lined up in a row to buy cybersecurity from what looked like an equally safe, no-one-gets-fired choice. That was until CrowdStrike pushed out a content update that a bug in its own validator let through; the faulty file was deployed to millions of Windows systems before anyone caught the problem.
It’s unlikely that any IT professionals, CEOs or board members were given the push after buying systems from Microsoft and CrowdStrike.
After all, sacking someone for buying the same thing as everyone else does seem harsh. But it is time for companies to take a fresh look at the way technology purchasing decisions are made and to stop buying something because everyone else does.
1. I’m old, but not that old. The term was still used in the 1980s when I started writing about technology.