Perfectly Fragile
Until we incentivize building resilient systems, we're going to have a bad time

This was written in response to the CrowdStrike Outage.
I have tremendous respect for the CrowdStrike team, and I hope the issue they're grappling with will be resolved quickly.
That said, this is just the latest example of systemic fragility weakening the entire industry. At the heart of this fragility are homogenized, centralized services. These are services that demand "god-mode" capabilities to function, replacing localized risks with a central control plane that - if it fails - may collapse an entire ecosystem at once.
Yet "monoculture" solutions continue to dominate. They are straightforward to build and scale, which makes them profitable to fund and easy to sell. The ecosystem collapse risk is offset with promises of "best practices" and obligatory compliance reporting.
But these offsets are an illusion. The larger and more ubiquitous a centralized solution becomes, the more likely it will fail catastrophically - and not because of any special negligence. Rather, at a systems level, homogenization is at odds with resilience.
This is as true of potato and banana crops as it is of operating systems and security solutions.
Software has bugs, and the more value that software protects, the more risk there is from a single error. And this risk amplification creates powerful incentives for malicious actors to deliberately introduce new errors as well (SolarWinds, for instance).
So what do we do?
First, I want to reaffirm that companies like CrowdStrike do great work and make a valuable product. My point isn't "<insert security vendor> bad!"
I do believe, however, that individuals and teams need a better way to understand and incorporate capabilities - a way that inspires an open and heterogeneous solutions ecosystem, that balances tactical efficiency with strategic resilience.