Photo Credit: Paul M. Hutchinson FRAS via Compfight cc
The Information Security team is ‘just’ like the European Space Agency team that is tasked with looking after the Rosetta spacecraft. The Rosetta has been sent to get up close and personal with a comet for the first time, eventually, after sitting on its coat tails for the long journey through the solar system it will drop a lander on the comet’s surface to provide the clearest feedback ever on the make-up of a comet.
The European Space Agency team designed and launched Rosetta, they got her functioning correctly, tested her out and then put her to sleep safely for three years. Allowing the hibernation to happen was something that the team had to test thoroughly, as when Rosetta wakes up she has a very important role to play and needs to spring into life quickly and, most importantly, fully functioning.
This is just like the information security and governance protocols and tools that an InfoSec team has to create, build and test, and then, as with Rosetta, the team needs to put them to bed and be assured they will work correctly when necessary. Like the team looking after Rosetta they need to nudge the systems and processes every so often to check that nothing has fallen off, needs changing or needs updating. But, inevitably, the moment of truth will come when Rosetta, like the information security teams business continuity plans, will have to come out of hibernation and be ready for action.
The company that designed Rosetta were clear that the hibernation mode was the only way to get the probe into deep space without issues developing to the systems that were required of it when it awoke. In a similar way the InfoSec team need to get the incident management and business continuity processes and procedures into ‘business as usual’ where they can ‘sleep’ waiting for an incident that requires their input.
One of the lead designers of the Rosetta is Alois Eibner. His confidence in the satellites ability to fulfil its purpose comes from his belief in the testing and assurance of the system is so complete he says, “… everything had worked up until that point, so I didn’t see anything to be worried about.’ The Chief Information Officer needs the same level of assurance, from their information security team, as given by Alois Eibner. The CIO also needs to know on what grounds such assurances can be given. What’s been tested, how, why and what were the results.
So to the world press and public, when Rosetta woke up with the minimum of fuss and issues at 10:00 GMT on the 20th of January, it may have appeared that the team had been busy doing nothing for 3 years. Nothing could be further from the truth. As with a successful InfoSec team they had been running simulations using software models and a full size replica of the probe to ensure that they had a clear understanding and an agreed process for every eventuality. The InfoSec team needs to do the same, considering every eventuality, scanning the horizon and place innovative process and procedure at the heart of business as usual to ensure that systems and solutions are protected.
The European Space Agency team are prepared for some damage, after all the journey has been a long one, however they have a back up or a process to ensure that every function can continue, effectively a business continuity plan and even elements of a disaster recovery plan.
So that’s how the Info Sec team are ‘just’ like a team charged with delivering one of the most important spacecraft missions in decades. A word of caution though, an InfoSec team asking for a Mission Control maybe pushing the analogy a little too far!
