While the lessons learned from the notorious incident will not undo the massive damage inflicted worldwide, they bear repeating here.
In the wake of the CrowdStrike outage of July 2024 (caused by a defective content update to the Falcon sensor on Windows hosts, not by an attack), parts of the world may have realized that stacking multiple cybersecurity tools and software suites can create an illusion of security that is waiting to be shattered.
It is only too easy for organizations to add just one more cybersecurity tool to their defense arsenal in the hope of shaving another few percentage points off their cyber risk. That approach, however, ignores the third-party risk each additional vendor introduces, which can accumulate until it outweighs the benefits.
Various industry voices have already said their piece about the learning points of the CrowdStrike incident. Here are some notable takeaways:
- Having too many cybersecurity and related solutions can add complexity to the IT infrastructure that hinders cyber resilience and agility at the worst possible time.
- Even when every cybersecurity tool is running without incident, supply-chain risk is waiting to pounce, as many online commentaries have warned. A security vendor's own software can become the vector, whether through a compromise or, as in the CrowdStrike case, through a defective update shipped in good faith; either way the impact on customers is the same, as the world witnessed in an event that dominated headlines for weeks on end.
- Numerous observers have also warned that cybersecurity tools, patches, and practices are exactly the things that can inflict the most unexpected damage, because they run at the kernel level with the privilege to take down the whole system. The CrowdStrike update was not a patch that administrators chose to apply promptly: it was a content update the vendor pushed automatically to a sensor running as a kernel-mode driver, and customers' own sensor update-staging policies did not govern that type of content at the time. Who could have predicted that a routine update to a critical piece of software from a globally established vendor could exact billions of dollars in damage worldwide?
- Nevertheless, organizations should be wary of putting all their cyber eggs in one basket as well, for the proverbial reason. Instead, they should weigh the concentration risk of each "unified" vendor against the third-party risk it removes and the observability it adds, and keep only the vendors that justify their place in a simplified security chain.
As lawsuits mount and congressional investigations get underway, can the world expect new cybersecurity guidelines and regulations, as followed the SolarWinds, Colonial Pipeline and Sisense incidents?