Nowadays, businesses rely more than ever on complex IT infrastructures and the cyber security solutions and services that protect them. This reliance is coupled with an increasing demand for seamless operations, especially for critical services like those provided by healthcare providers, financial services, airlines etc. where infrastructure downtime can have a significant impact. The CrowdStrike failure and the resulting dispute between Delta Air Lines and CrowdStrike brought to the forefront the complex and often contentious issue of shared responsibility in IT security between vendors, their clients, and Managed Service Providers (MSPs).

The Delta-CrowdStrike Dispute: A Brief Overview

In July 2024, Delta Air Lines was one of 1,000s of organisations affected by a catastrophic IT outage. Globally the impact was over $5bn, with Delta Air Lines alone having to cancel 5,000 flight leaving thousands of passengers were stranded or suffering delays. Their resulting financial hit is estimated at $500 million. The incident was tied to an integration failure involving CrowdStrike and Microsoft, which, according to Delta, was not adequately tested before deployment into their mission-critical environment.

Delta’s response to this incident has been to threaten legal action against CrowdStrike, accusing the cyber security firm of negligence and breach of contract. The airline contends that CrowdStrike’s insufficient testing and subsequent failure to prevent the outage were the direct causes of their operational and financial losses.

CrowdStrike has, however, refuted these claims, maintaining that it fulfilled its contractual obligations and that the incident highlights the broader issue of unrealistic expectations placed on software vendors and, more specifically, cyber security vendors. As this case potentially heads towards the courtroom, it raises key questions about the responsibilities of vendors, their clients, and MSPs in maintaining secure and reliable IT environments.

The Role of MSPs: Supporting, Not Controlling

Many organisations engage managed services providers to support their business operations. There can be many reasons for this, but broadly the most common relate to one the following:

• Scalability and flexibility: Access to additional skills and resources can help organisations as they grow and change.
• Reliability and security: Providing ongoing visibility into infrastructure improves resilience.
• Cost control: MSPs can help organisations reduce and control costs

Whilst some organisations still opt to outsource the entire security responsibility of IT to MSPs, this is becoming rarer, as this model rarely delivers on the above goals. More typically MSPs work closely with their customers, each having responsibilities and areas of ownership. Acknowledging the boundaries of responsibilities is crucial, particularly in areas where the client may wish to retain control and ownership of vendor products.

The Delta-CrowdStrike incident is a stark reminder that no MSP can effectively manage an unsupported, outdated, or otherwise compromised environment. For instance, if a client chooses not to patch critical systems, continues to use end-of-life (EoL) or end-of-support (EoS) hardware, or fails to invest in the necessary IT upgrades, the risks of system failures and security breaches increase exponentially. In such cases, the MSP’s ability to ensure smooth operations and security is severely hampered by the apparent professional negligence of the end customer.

Client Responsibility: A Critical Component of IT Security

In any IT service relationship, there is a shared responsibility model where both the provider and the customer play vital roles in maintaining system integrity and security. Where an MSP is engaged to provide expertise and tools to manage and secure the environment, the customer must meet its obligations by ensuring that systems are up-to-date, adequately supported, and configured according to best practices.

This shared responsibility is particularly important when considering the rapidly evolving nature of cybersecurity threats. Vendors like CrowdStrike can only do so much to secure an environment if the underlying infrastructure is not properly maintained. The recent incident underscores this point: while Delta expected CrowdStrike to catch every potential issue during testing, the reality is that even the best cyber security solutions cannot compensate for inadequate customer-side IT management.

The Importance of a Trusted Partnership

At WhiteSpider, our relationship with our clients goes beyond a simple service contract. It is a trusted partnership, where we both understand the respective responsibilities and work collaboratively to identify and mitigate risks. This partnership requires open dialogue and a mutual understanding of where risks exist and who manages them.

When outages or security incidents occur, it is not just about pointing fingers but assessing whether both parties have met their responsibilities. Did WhiteSpider provide the necessary support and guidance? Did the client follow through on recommended actions, such as patching systems or upgrading outdated hardware? These questions must be answered to determine where accountability and ownership lie, but it’s important to state that this isn’t blame; it’s a partnership.

A Shared Responsibility in IT Security Model

The Delta-CrowdStrike incident may be the catalyst for developing a more formalised shared responsibility in IT security model. For example, our service contracts clarify each party’s roles and responsibilities, helping to ensure that all stakeholders are aligned in their efforts to maintain secure and reliable IT environments.

At WhiteSpider, we believe that minimising risk requires more than just deploying the latest cyber security tools. It requires a holistic approach that includes regular communication, mutual accountability, and a shared commitment to maintaining a robust IT infrastructure. By working together, MSPs, clients, and vendors can better protect against the complex and ever-evolving threats that characterise today’s digital landscape.

In conclusion, while MSPs play a critical role in supporting and securing customer infrastructure, the ultimate success of these efforts depends on the active participation of the client. By recognising and embracing their responsibilities, clients can ensure that their IT environments are not only secure but also resilient in the face of unexpected challenges. The Delta-CrowdStrike incident serves as a powerful reminder that in the world of IT security, collaboration and shared responsibility are not just important—they are essential.