2024-09-30

In cyber security we have a perception that we need to hold ourselves to a higher level of scrutiny than others. We are expected to be the gold standard, a level of perfectionism that is unattainable. So, what happens when a cyber security company falls foul of a simple mistake?

CrowdStrike can be considered a case study of this. I remember reading the technical readout and it was as ‘simple’ as adding one extra field to a template, and that’s what crashed it all. However, I expect this was not a simple case of a single test failing; it was probably a series of events that resulted in a significant global issue. This is sometimes called the Swiss cheese model: each layer of defence (design review, testing, staged rollout, monitoring) has holes in it, and an incident occurs only when the holes in every layer line up at once.

But we must accept that it did happen, and that is because we can never truly eliminate risk in technology. The sooner we change our perception of this, the sooner we can be prepared to handle future incidents effectively and, importantly, understand the risks involved, however improbable they may be.

Acknowledge the systemic nature of risks

The CrowdStrike outage really highlighted the question: have we become too reliant on technology companies that are all critically dependent on each other in one big system? The reason we use all these centralised cloud and SaaS providers is that the benefits often outweigh the risks. But if one of these large providers experiences an incident, it can have widespread impact across the many organisations that rely on its services. This creates a "too big to fail" dynamic, much like the financial sector, where the failure of a major player can have cascading effects.

I’ve found that, in general, people are good at understanding risk that is personal to them. We all know that crossing a busy road at rush hour is risky, so we mitigate that risk by using designated crossings. But, as humans, we are bad at understanding the big systemic problems we face in the same way, and we are potentially concentrating all of this risk in a handful of organisations. Is it time to start diversifying our technology stacks and stop putting all our eggs in one basket?