CrowdStrike’s CEO has known failure—but never like this
Summary
- ‘A piece of software shouldn’t be able to take everything out,’ says George Kurtz
The wake-up call came at 3 a.m.
CrowdStrike Chief Executive George Kurtz answered the call from his cybersecurity company’s president, Michael Sentonas. “We’ve got a problem," Sentonas said.
It was Friday, July 19, a day Kurtz is unlikely to forget. An errant product update from CrowdStrike had crashed devices, with many affected machines unable to restart.
As they worked on a fix throughout the morning, the scale of the issue became clearer. Microsoft said about 8.5 million devices running its Windows operating system had been knocked out. Airlines canceled thousands of flights. Hospitals postponed procedures, and workers woke up to computers displaying the blue screen of death. Around the world, employees were lugging their buggy computers to IT help desks to get them up and running again.
Online there was speculation: Was it a Microsoft outage? Were hackers responsible? At 5:45 a.m., Kurtz told the world via X that CrowdStrike was responsible for the problem.
“People didn’t know what was happening," Kurtz said in an interview. “So we wanted to get the information out."
Navigating complex computer problems and delivering bad news is the kind of thing Kurtz, 53, was hired to do 30 years ago as a new generation of technologists exposed the promises and perils of the internet. As a young member of a crack consulting squad in the 1990s, Kurtz and his team at PricewaterhouseCoopers would get hired by corporations to masquerade as hackers and conduct “penetration tests" to find the gaps in their computer security.
Over the years and at a variety of companies, Kurtz was on teams that traveled around the country and identified clients’ vulnerabilities. At Microsoft, they got their hands on Bill Gates’s password: “nicejobms." And at Nabisco, they once accidentally shut down an entire cookie factory in Atlanta, when a bug in the software they were using caused computers there to fail.
As Kurtz and his team kept learning, it allowed them in 1999 to write the book on cybersecurity: “Hacking Exposed."
Back then, delivering unwelcome news to the techies whose networks they had broken into was just part of the job. And Kurtz was a rarity: He was talented at speaking with clients, said Pete Sfoglia, Kurtz’s former manager.
“It’s kind of like criticizing somebody’s kid," Sfoglia said. “He just had this way of getting his views across without getting intrusive."
On July 19, Kurtz was delivering the worst news of his career. His computer was still working, though. Kurtz uses a Mac.
His initial social-media message about the outage was criticized for not including an apology. “I said, ‘Get me on the “Today" show, and I will explain what happened here,’ " he recalls.
At 7:30 a.m., the normally impeccably groomed CEO appeared, bleary eyed, on “Today," at one point losing his voice and reaching for water as he tried to explain what happened. This time, he wasn’t explaining a clever hack but a mistake that will cost his customers billions in lost business and IT costs and that has wiped out more than 25% of his company’s value. Kurtz also has been called to testify before the House Homeland Security Committee about the incident. That’s not expected to happen before September, according to a Committee aide.
“We’re deeply sorry for the impact we’ve caused to customers, to travelers, to anyone affected by this," he said on the show.
The next day, Kurtz called Satya Nadella, CEO of Microsoft, which competes with CrowdStrike in the security business. The CrowdStrike outage only affected Windows machines.
The two agreed to work together to make computer systems more resilient, Kurtz said. Microsoft has pledged to improve Windows to prevent future outages, and CrowdStrike says it plans to do more testing and gradually roll out product updates. “A piece of software shouldn’t be able to take everything out so you can’t reboot it," he said.
As he dialed up one of the most powerful software executives, Kurtz had come a long way from his beginnings as an accountant from Parsippany, N.J. Kurtz’s father died from a stroke when he was 7, and he was raised by his mother. At one point, he saved up for six months to buy a Hayes 300 baud modem, when his slower Atari modem wasn’t cutting it.
At PwC, it didn’t take long for Kurtz, with his love of computing, to gravitate to the penetration testing group, his former manager Sfoglia said. He can only remember one time seeing the even-tempered Kurtz angry—when he complained about PwC rounding up the pennies in line items on his expense report. “How the hell am I going to balance my checkbook if they’re rounding up?" he remembers Kurtz saying.
“He doesn’t get worked up about too many things, but he was really upset," Sfoglia said.
After PwC and a stint at Ernst & Young, Kurtz decided to strike out on his own, co-founding a company called Foundstone, which did the kind of security audits that Kurtz and his crew had pioneered at PwC. It was a shoestring operation, with the founders sharing a house in Seattle, but nearly six years later, they sold their company to the antivirus giant McAfee for nearly $90 million.
Kurtz spent the next seven years at McAfee, eventually becoming a top executive. When McAfee pushed out a bad software update that broke certain Windows systems worldwide, it was Kurtz’s job to meet with hundreds of customers to help them understand the problem and recover.
“Partnerships are really formed when you have adversity and you come through on the other side," Kurtz said.
Kurtz and his top cyber-threat researcher, Dmitri Alperovitch, left McAfee in 2011 after Intel bought it for $7.68 billion. Their plan: Build a next-generation alternative to McAfee’s antivirus software, which they considered cumbersome and often ineffective.
They founded CrowdStrike in 2011.
Kurtz helped build CrowdStrike with his marketing skills and attention to detail. In June, the stock surged to a high, increasing the company’s market value to $95 billion, following quarterly earnings that far surpassed Wall Street expectations. The Austin-based company was added to the S&P 500 just five years after going public, the fastest a cybersecurity company has ever listed on the index. More than a dozen federal agencies and 82% of state governments have purchased CrowdStrike’s products.
“Their customers love their product because it works, and it works really well," said Alfred Huger, an entrepreneur who has known Kurtz for decades. “George knows what it is to build really good security products."
Then one defective update from CrowdStrike reminded the world of just how interconnected and vulnerable critical infrastructure can be.
For more than a week, Kurtz has been focused on rebuilding his company’s reputation by getting customers up and running. Kurtz said 97% of Windows sensors were working as of Thursday; the company didn’t disclose the number of computers still affected.
“It’s been customer after customer after customer," he said, “telling people what happened, why it happened, and how it’s not going to happen again."
Dustin Volz contributed to this article.