Last week was tough in the IT world with the CrowdStrike outage taking millions of computers down worldwide, but it was also a fascinating case study of crisis communications. While the fall-out was huge from this major outage, CrowdStrike put together a swift, authentic, and comprehensive communications response with just a few comms missteps.
There are many criticisms: the speed of root cause analysis, questions about why they didn’t have better test and release processes, and how they can avoid this ever happening again. These are sticky issues. But as CEO George Kurtz repeated, their #1 priority was first to restore all customers. Overall the structure, timing, and templates of their work were well crafted.
I’ve documented all of the comms I could find so this is a long eBook of a blog. I’m missing customer emails and private support-site materials, but captured the rest. Read the summary, scan the assets, and bookmark this baby if you ever need a starting template. Significant issues can happen to the best of companies.
Summary:
Awareness, Investigation & Technical Remediation - CrowdStrike acted fast, finding and remediating the source issue in 79 minutes. Unfortunately, the ramifications were intense for days and may cost them for months or years.
Messaging - CrowdStrike appeared to have tight, specific, empathetic, and apologetic messaging that they delivered consistently across channels. The very first Tweet by CEO George Kurtz lacked an apology, but this improved as communications went on.
CrowdStrike Blogs and Remediation and Guidance Hub - This was the centerpiece of CrowdStrike’s messaging - a dedicated hub built over the first day in pieces and constantly updated. It included a letter from their CEO (great template), deep technical and support details, warnings about bad actors taking advantage of the situation, and additional resources.
Comms on X - CEO George Kurtz was the main spokesperson, posting quickly at first and then every five hours, with the CrowdStrike corporate account reposting his messages. The messages sounded human and personal, laced with concern and apologies, and each pointed to helpful materials. On the third day, the corporate account posted an additional message of its own and pinned it to the top of its feed.
Comms on LinkedIn - While the LinkedIn post didn’t appear to have as much distribution as X, the CrowdStrike CEO posted here regularly as well, and reposted a detailed apology letter from CrowdStrike’s Chief Security Officer.
Broadcast Media - It appears that CrowdStrike gave two interviews very early the first morning, one with the Today Show and one with CNBC’s Squawk on the Street with Jim Cramer. News outlets reused the Today Show clips versus getting additional interviews. Presumably, the team was trying to get the widest distribution first thing in the morning while conserving Kurtz’s time for other outreach to top customers, employees, and more. This was an incredibly quick turnaround from middle-of-the-night issue to first thing in the morning.
Homepage Banner Ad - The only reflection of the issue on the homepage was a red banner at the top pointing to the Remediation and Guidance Hub. Otherwise, the homepage was business as usual.
YouTube - Day 3 post-incident, CrowdStrike posted a video on YouTube to assist with self-remediation for remote users.
Press Releases - Interestingly, I did not see any press releases posted by CrowdStrike on their site or PRNewswire. Are press releases dead?
Investor Relations Web Site - The investor relations website had one brief link to the Remediation and Guidance Hub on the Channels of Disclosure page.
Policy Communications - As I write this blog, George Kurtz is being asked to testify in front of the House Committee on Homeland Security. Presumably there is a lot of updated messaging, Q&A guides and more being prepared.
Many additional communications materials were probably executed as part of this rapid response - executive assignment of phone calls to top customers and partners, emails and all-hands to employees, emails to customers, call scripts for support, and much more. What I’ve collected is just a sample of external materials.
But as you review the materials below, you’ll see examples of a very quickly executed, consistent, and effective communications strategy. The CrowdStrike team made some really significant technical / release / process mistakes with massive ramifications, but their crisis response showed effectiveness across key aspects of communications:
→ Speed
→ Empathy
→ Gravity
→ Accountability
→ Clarity
→ Consistent updates
→ Actionable, helpful, detailed resources and materials
→ Assurance of full investigations and plans for process improvement
Detailed analysis and screenshots below.
Awareness, Investigation & Technical Remediation
According to TechTarget’s event timeline, CrowdStrike released the flawed configuration update at 12:09 ET / 9:09 PT on July 19th and had identified and remediated the issue by reverting the update by 1:27 ET / 11:27 PT - just 79 minutes later. Unfortunately, many of the systems that were affected worldwide needed to be rebooted, sometimes in complicated ways, before all systems were restored, dragging the outage on for hours and sometimes days. It appears as if the whole team and executives were effectively gathered overnight to begin swift and comprehensive response tactics. We can only assume that in parallel to the technical investigation and customer response, they worked on the messaging and resources to communicate effectively across all channels.
Messaging
Generally, in a rapid response, there’s a centralized messaging document, or the initial communications stand in as the messaging document, to propagate across channels. You could see the central messaging themes below flow through the materials, especially in CrowdStrike CEO George Kurtz’s public interviews:
We’re deeply sorry to everyone affected by this; we understand the gravity of the situation
This wasn’t a security incident or cyberattack (this required repeated mention in all cases to continue to establish their authority in security and allay concerns)
The incident has been identified and isolated, and a fix has been deployed. “We know what the issue is. We have resolved the issue. We identified it very quickly. Now we’re recovering systems that are out there.”
(Description of the specifics of the problem)
We’ve been working with our customers 24x7 to make sure we bring each and every customer back online.
We’re here to make sure each and every customer is fully recovered, and we’re not going to relent until we get every customer back to where they were, and we’re going to continue to protect them and keep the bad guys out of their systems.
We plan to investigate more to see how we can avoid it in the future.
This wasn’t a security incident or cyberattack.
CrowdStrike Blogs and Remediation and Guidance Hub:
The CrowdStrike blog was the centerpiece of the communications strategy. A Remediation and Guidance Hub was quickly set up, first hosting the CEO’s letter, then a technical overview, and then more and more detailed Q&A and instructions for remediation. Updated and timestamped continually, it was the core link across all communications, centralizing guidance in one place. This was especially critical since bad actors started to capitalize on the outage to target CrowdStrike customers in Latin America and beyond through a fake recovery manual and broadly through phishing and social engineering attacks. (These all had dedicated blogs.)
In case it’s taken down someday and we need the template:
The letter from their CEO was a great template for establishing the messages and key empathy aspects I outlined in the summary above.
Following the release of the CEO letter, CrowdStrike published the following Technical Detail update with what I consider a pretty helpful set of categories:
Comms on X
Major communications from the company came directly from CEO George Kurtz’s handle, with the CrowdStrike corporate account reposting his messages.
The first post went out at 2:45 AM PT with succinct messaging. This first post was criticized by commenters for not including an apology, but since apologies could come with more legal ramifications, one would imagine they needed to weigh that as they got the most important information out the door first.
A viral re-write of his first tweet showing more empathy got more than 2.5 million views.
The second post went out about 5 hours later with a link to the Remediation and Guidance Hub, which was being continually updated, expanded, and timestamped at the top. This Tweet included more of an apology. Criticisms continued to ask for more details on the root cause and what will be done to prevent a recurrence.
Another 5 hours later, Kurtz shared an update and the letter to customers and partners via a link again to the Remediation and Guidance Hub.
Another 5 hours later, Kurtz shared additional technical insights and documentation.
The CrowdStrike corporate handle made a statement on the third day after the event and pinned it to the top of their feed. (I’m not sure if they had other messages pinned before.)
Comms on LinkedIn
Kurtz published similar messages in parallel on LinkedIn.
Day 3 post-incident, Kurtz started to point to the CrowdStrike corporate LinkedIn Post, adding gratitude — do you think this was well-received? Maybe not, according to some X responses to his posts with great vitriol by the affected. It was a difficult, difficult time for poor Crowdstrikers.
Day 3, Kurtz shared an apology letter from the Chief Security Officer sharing the gravity, apology and concern with an effort to be optimistic about CrowdStrike’s ability to learn and become stronger from the incident. (This apology reposted by the CEO led me to initially wonder if the CSO was going to be fired and take the hit for the incident whether the scapegoating made sense or not.)
Sean Henry’s own post received many more views, comments and reposts. (Note to CEOs - post unique content directly, do not share someone else’s post if you want maximum distribution.)
Broadcast Media
It took a lot of (necessary) courage for Kurtz to get as public as possible as quickly as possible. He focused on a few high-impact interviews:
Today Show - Here’s his full interview Friday morning after his statement was published. Clips from this interview were published across many other media outlets.
CNBC - Squawk on the Street Interview with Jim Cramer
Kurtz was effective at side-stepping really aggressive questions by Cramer to which he didn’t yet have the answers. He stuck to his core message “My mission is to make sure every customer is back up and running and we are providing the protection that they have come to rely on from CrowdStrike.”
Homepage Banner Ad
YouTube
Day 3 post-incident, CrowdStrike posted a video on YouTube to assist with Self-Remediation for remote users, but that was it. Presumably, there’s a lot more on the internal CrowdStrike support sites.
CrowdStrike Press Releases
Weird. Not much to show here. I guess blogs and social media have officially taken over from press releases. Are we past the era of press releases?
Investor Relations Web Site
The only edit on the investor pages (despite a pretty extreme drop in stock prices) was the direct link to the Remediation and Guidance Hub on the Channels of Disclosure page.
Are you even still here? If so, I hope you enjoyed this deep dive into one of the biggest crisis responses of the year.
Carilu Dietrich is a former CMO, most notably the head of marketing that took Atlassian public. She currently advises CEOs and CMOs of high-growth tech companies. Carilu helps leaders operationalize the chaos of scale, see around corners, and improve marketing and company performance.
-
Wow. Incredible work.
Microsoft's crisis communications is bland and impersonal: https://news.microsoft.com/en-hk/2024/07/21/helping-our-customers-through-the-crowdstrike-outage/