
ITFM Lessons from the CrowdStrike Outage: 3 Key Takeaways

Aug 14, 2024 | By Craig Hollenbeck

Last month, a faulty update distributed by cybersecurity company CrowdStrike crashed millions of Microsoft Windows computers worldwide, leading to massive disruptions for businesses such as airlines, hospitals and banking systems.

Delta Airlines, for example, has alleged $550 million in losses, including $380 million in lost revenue and $170 million in added expenses.

The CrowdStrike outage and ensuing chaos raise the question: what can companies do to mitigate their risk from these large-scale events?

At a high level, organizations typically have one of two responses to events like the CrowdStrike outage.

Some are reactive, handing down mandates with far-reaching financial and operational impacts. Others, however, respond proactively, leveraging IT financial management (ITFM) to mitigate risk moving forward.

1. Reactive Responses Can Lead to Costly Mandates

When companies react to the impact of large-scale failures like the CrowdStrike outage, the result is often organization-wide mandates. The issue is that these mandates force companies to hand over a blank check to ensure that a similar event never happens again, no matter what.

Unfortunately, attempting to mitigate risk simply by throwing money at the problem carries important implications in two areas:

The key takeaway: there’s risk in handing out blank checks if nobody’s actually watching how many of them get cashed.

2. Proactive Cost Modeling Helps Mitigate Risk

On the proactive side, when an event like the CrowdStrike outage occurs, different questions start to come up, such as:

From there, proactive organizations start to answer these questions with cost modeling.

Imagine, for example, you’re able to line out $1B through the entire delivery model. Maybe some dollars are split and spent on more than one area, but you know what you’re spending on each individual delivery point inside IT.

Transparency into what you’re spending on each vendor then allows you to see the level of exposure you have according to the different types of support you have in place.

You see this in organizations that use multiple cloud vendors at the same time to manage risk, as well as to manage contractual obligations to make sure vendors are driving costs down.

Similarly, you can use cost modeling to track CrowdStrike and related spend on Microsoft cloud products throughout IT to understand the level of risk you have with just that one single point of failure.

3. Benchmark IT Overhead Spend to Ensure Proper Vendor Oversight

Looking closer at the cost model, another way companies can gauge their risk around events like the CrowdStrike outage is to look at IT overhead.

This number represents what it takes to run IT, and can provide a window into whether IT organizations have the resources necessary to provide sufficient vendor oversight.

A general rule of thumb is that an organization should spend 10% of its IT budget on overhead to ensure it’s being managed appropriately. If an organization sits at just 5%, it may indicate that it is underinvested in managing IT and is driving up risk as a result. This underinvestment, for example, can impact IT’s ability to respond effectively to disruption, which may explain why some organizations took much longer to recover from the CrowdStrike event than others.

Ultimately, while organizations use managed services because vendors are experts, they can’t be completely autonomous. Rather, there’s an expectation that IT is managing outsourced services appropriately.

While the CrowdStrike outage was unique in its breadth and impact, it’s not the first or last time events like this will happen. Faced with tech disruptions, companies have a stark choice: React with sweeping mandates and unchecked spending, or implement proactive cost modeling to improve transparency, manage exposure and ensure accountability.
