
Social Bias Drives Security Software Choices

Key Points

  • The recent CrowdStrike outage highlighted how software procurement decisions are often driven by social perception and peer pressure rather than purely technical due‑diligence.
  • CIOs and CTOs typically choose industry‑leading solutions like CrowdStrike because they are seen as “the safe, reputable choice” that impresses CEOs and aligns with what peers are using.
  • This socially driven convergence on popular vendors can occur even when the underlying risk profile isn’t fully assessed, meaning that the “right” solution may still leave organizations vulnerable.
  • Traditional audit and risk‑management processes frequently fail to capture or mitigate these hidden social‑bias risks, leading to gaps that become apparent only after incidents occur.

**Source:** [https://www.youtube.com/watch?v=uQez89MMuE4](https://www.youtube.com/watch?v=uQez89MMuE4)
**Duration:** 00:09:12

Sections

  • [00:00:00](https://www.youtube.com/watch?v=uQez89MMuE4&t=0s) **Social Dynamics of Security Choices** - The speaker argues that selecting a security vendor like CrowdStrike is driven more by social perception and risk‑management considerations than pure technical due diligence, framing the recent outage as a consequence of these social pressures.

Full Transcript
0:00 So it's been a couple of weeks since the CrowdStrike issue; the airlines are flying again. I want to talk about what happened and why, but not necessarily from a technical perspective. I actually want to talk about what happened and why from a risk management perspective. So it's going to be sort of a step back, and we are going to go back in time all the way to 2009, so stay tuned.

0:23 The first thing I want to call out is that when we make software choices like this, when companies purchase CrowdStrike, we are making social choices, not just rational-actor software choices. And that really matters when you're talking about something like security, because getting security right, if you were the CIO or CTO of a major airline or a hospital or a major utility or whatever it was, that is a choice that could get you fired, and you always are aware of it when you're making that decision. And as much as people have come into my comments saying, hey, this is really something where the CTO or the CIO did not do enough due diligence, I actually want to push back. This is not really a function of due diligence, because before the outage that happened, this was the premier solution. CrowdStrike was the solution that a responsible CTO or CIO would choose in order to make sure that they were doing the right thing and be perceived as doing the right thing in their job. It is social, because if you're going to your CEO and you're presenting, this is our security solution, you want to be presenting something where the CEO can talk to his buddies at the golf course and they're like, oh yeah, CrowdStrike, it's good, like that's fine. And if you think I'm making that up, that is actually how a lot of it works; that is actually how a lot of those decisions get made.

1:51 And so yes, you can come up with three PowerPoint bullets from CrowdStrike that make it really easy to pick CrowdStrike. Absolutely you can put a rational case together if you're a CIO or a CTO, super easy; in fact there's lots of cases to be made just by reading the CrowdStrike website. The CrowdStrike sales rep is happy to help you. It's a very easy set of cases to make. If you were to pick anything else in the industry before the outage, the CEO would ask you lots of questions. They would want to be sure: why are we not going with CrowdStrike? I Googled and CrowdStrike is the industry leader. I checked LinkedIn and CrowdStrike is something that all of my friends are using as CEOs. Why not CrowdStrike? And so it's a socially driven choice, and that means that we converge onto particular solutions that are socially approved whether or not the actual risk profile is managed, and that's going to be a theme as we see. So the first piece is that software choices are social choices, and that works in the C-suite in ways that drive convergence regardless of risk.

2:59 The second point is that risk is not effectively managed by existing audit mechanisms. So that's a fairly technical phrase, so let me break it up. Fundamentally, an audit process is run off of a particular imagined risk profile. It's a linear process, and auditors like to work against that linear process. They have a way of doing things. If they are used to auditing your tech solution, as they were with CrowdStrike, it is a much simpler audit process. You, the CTO or CIO, go through less pain; the auditor goes through less pain, because everybody has done this before. And so the auditor comes in and says, ah yes, I've seen CrowdStrike, this is what we do with CrowdStrike. If you do other solutions, it's not the same thing. They open up the big book, right? They have to go through their process again. The auditor is vaguely annoyed; you, the CTO or CIO, probably have more work. It is a non-trivial difference simply because CrowdStrike was more familiar to auditors. And again, that isn't actually speaking about their risk; it's just saying that the auditor had a set of processes they were familiar with running, they had a set of checks that they were familiar with running, they had a set of shorthand that they had developed around this company because they'd seen it installed so many times, the software installed so many times across technical footprints at major companies. And so there's an incumbency advantage that goes with that. There's a sense of: we're here, we're here to stay, we're the responsible actor. And you see it in a lot of regulated industries, where effectively the governmental audit process or the governmental regulatory process anoints a market leader regardless of whether that market leader has actually dealt with the real risks underneath the hood. And we saw with CrowdStrike that wasn't actually true; they hadn't actually addressed the risks. That's the second takeaway: fundamentally, audits don't really do risk if the imagined risk model is static and if it's applied in a way that sort of uses a shorthand for a market leader, and that's typically what happens.

5:16 The third thing I want to call out is that our imagined risk model is something that we have a really hard time handling as a species over a long period of time. And I'm going to give you, this is where we go back in time. In the early 2000s Microsoft had a long-running antitrust case with the European Union, and they finally settled in 2009, and one of the things they agreed to is that security companies could have the same access to the Microsoft kernel as Microsoft did. This bug came from the kernel access that the EU pushed Microsoft to grant to security companies. And the reason why this happened, fundamentally, is that the EU could not imagine a world where a security company would be, not necessarily a bad actor, but an incompetent actor. There was an imagined risk model of the world that didn't match the real risk model, and so externalities happened after the settlement that nobody anticipated.

6:23 The EU thought, you know what, if we give security companies access to the kernel, we're going to make for a fairer, less monopolistic world. And security companies have grown and thrived in that environment, but it's also opened up risks that we all have to live with, and it is one of the root causes that led to the outage. Now, it's not as simple as saying, well, the EU shouldn't have regulated it, because if you listen to the earlier conversation here, one of the earlier points around sort of audits and how audits tend to anoint market leaders: governmental action that drives monopolistic tendencies in these kinds of security or regulated environments can also accelerate risk. And so part of the problem here is that we have auditor action that increased concentration of risk on this vulnerable player in the system, CrowdStrike. And so there's this sort of monopolistic gathering of risk, of customer trust, around this one company, driven by governmental action and audits. At the same time, governmental action designed to decrease monopolistic tendencies by giving other companies access to the Microsoft kernel was another root cause of this whole mess.

7:43 It is really, really hard for people who are trying to understand and design laws, regulations, audit practices, best practices around market participation; it's hard for them to anticipate long-term, long-tail externalities. So in other words, if it's a long-tail externality, it is something that has a very small percentage chance of happening, but if it happens it's going to be a big deal, and it will not happen over a determinate period of time. The ruling came down in 2009 and here we are in 2024, and all of a sudden there's been a massive outage, and Delta has reported $500 million in costs associated with this bug, and there's many other players, right? Delta just reported it.

8:30 I want to call that out because this is not about blaming a particular player; it's about understanding how the players work together so that we can figure out how to de-risk these systems better. We need audit systems that actually match to real risk models. We need regulatory systems that do a better job imagining worst-case scenarios over the long term. We also need social dynamics in the C-suite that reward people for critical thinking. Those three things would have made a big difference on the CrowdStrike bug. What else do you think is a root cause here that I didn't talk about?