Not Semantics: Why It Matters That the CrowdStrike Outage Was a Security Incident

When a faulty update to CrowdStrike’s Falcon endpoint detection and response product rendered Windows systems worldwide inoperable, it created a headline-grabbing IT outage. Airlines, hospitals, emergency services, and businesses were all affected—unable to access critical systems without complex, manual recovery efforts.
CrowdStrike’s response included a statement from CEO George Kurtz, claiming this was “not a cybersecurity incident” and that customers “remained protected.” Both claims deserve scrutiny. This isn’t about semantics—it’s about accurately framing the risk and response required.
Software Supply Chain Risk Is a Security Risk
Software supply chain vulnerabilities have emerged as a major threat vector. The 2020 SolarWinds attack, where a security tool itself became the breach vector, demonstrated how disruptions to widely used software can jeopardize business continuity, compromise data integrity, and create cascading failures.
CrowdStrike’s Falcon outage is a textbook example of a supply chain failure—where the very tool meant to enhance security instead caused widespread loss of availability. As these types of incidents become more frequent and impactful, organizations must develop response strategies for software supply chain failures, just as they do for cyberattacks.
Availability Is Security—And Its Absence Is an Incident
The U.S. National Institute of Standards and Technology (NIST) defines a security incident as:
“An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.”
By that standard, the CrowdStrike outage was unquestionably a security incident—even if it wasn’t caused by an external attack.
Why Messaging Matters in Incident Response
Kurtz’s statement that this wasn’t a cybersecurity incident likely aimed to distinguish it from an intentional attack, such as the nation-state compromise in the SolarWinds breach. However, downplaying the severity of an event like this can lead decision-makers to misjudge its impact, delaying critical response actions.
Likewise, his assertion that CrowdStrike customers “remained protected” is simply inaccurate. A security tool that renders systems completely unusable is, by definition, not protecting anything.
How a company communicates during an incident influences trust, regulatory scrutiny, and long-term reputation. Misleading statements—or efforts to minimize impact—can erode confidence and complicate crisis management.
Incident Response Isn’t Just About This Incident—It’s About Every Incident
Organizations with mature, well-rehearsed incident response (IR) programs recover faster, with less disruption, and at lower cost. Every incident is an opportunity to strengthen resilience. Companies that invest in response readiness:
- Reduce incident frequency and impact over time
- Improve cross-functional coordination, ensuring clear roles and responsibilities
- Refine vulnerability and patch management to prevent repeat failures
Lessons from the CrowdStrike Outage
For organizations impacted by the CrowdStrike failure, this event should prompt a formal IR review to identify vulnerabilities in patching, update rollouts, and incident handling.
Key takeaways include:
- Staged deployment of security updates on lower-priority systems before broad rollout
- Clear communication protocols to ensure accurate, timely messaging during an outage
- Cross-functional response strategies that go beyond IT, incorporating legal, communications, and executive leadership
Communications Integrity: The Measure of a Company’s Response
No incident is so bad that it cannot be made worse by misleading, evasive, or self-serving communication. A company’s handling of crisis communications reflects its leadership, values, and long-term credibility.
CrowdStrike’s Chief Security Officer, Shawn Henry, later issued a more transparent and apologetic statement—but the initial missteps in messaging had already shaped public perception.
Effective incident communication should:
- Acknowledge responsibility without deflection
- Provide clear, accurate information as events unfold
- Outline next steps transparently to restore trust
Take Control of Your Incident Readiness
Security incidents aren’t just IT problems—they’re business risks. Organizations must be prepared to respond effectively, whether the cause is a cyberattack, software failure, or supply chain disruption.
EPSD Can Help
EPSD helps organizations build and strengthen incident response programs that improve security, minimize downtime, and ensure clear, effective communication during crises. Contact us today to refine your readiness strategy.