After having worked in the hospitality industry for over a decade, as if by chance, Arnab Barman received an opportunity to transition to the domain of cyber security. Arnab is currently the Head of Infosec and Business Continuity at Thomson Reuters Legal Managed Services. “Such a drastic decision can be a shocker for anyone, and I was no exception,” he recalls.
“I could have never imagined that I would be working in the field of information security. My initial touch point was operations and then business continuity,” recounts Arnab.
This is how it all started. At his current organization, way back in 2008, he got exposure to an aspect of cyber security. The company was implementing business continuity. He got attached to the project and learnt on the job. Internal audits exposed him to several aspects. That is when he approached the management and told them that, even though he was not from an IT background, he would like to give it a shot. The management was extremely supportive and directed him to learn along the way.
“I really liked that exposure and over a period I found infosec very interesting,” he says.
Obviously, my next question was about how he tackled this most unlikely of transitions from one field to the other: two areas of knowledge which may look like diametrically opposite spheres to most people.
“I was already aware of operational audit requirements from my previous experience. I also had exposure to the operational aspects and business services. I realized it’s more about processes. Most importantly, I was handling people there and at the end of the day, infosec is to a large extent about people management. You may not have the entire knowledge, but there would be someone who knows and thus I slowly learned collaborating and working with the business. Also, every audit was a learning experience; I learnt through each one of them,” he explains.
Adapting to the Constantly Changing Field of Cyber Security
Adapting to a technically demanding field like cyber security can be a tough ask for a non-technical person. But not so for Arnab, who continuously makes efforts to be at the top of his game. This he does by always keeping himself updated and evolving. Every now and then he goes for a new certification to enhance his already extensive skills. Barman feels that this is one of the key requirements for CISOs, especially if they want to be ahead in their field.
“I did a few certifications in the cyber security field, including CISA, CISM, CRISC, ISO 31000, ISO 27001, ISO 22301, CBCI, DPO, etc. I also keep upgrading myself about relevant aspects such as risk management, data privacy and others,” he says. He finds conferences a great venue for collaboration and learning and seeks guidance from industry leaders.
Infosec Is About People Management
According to Arnab, people management is a crucial aspect of cyber security. “At the end of the day, you are only handling people,” he says.
“You may have the best of the technical abilities but unless you really imbibe the accountability aspect it becomes extremely difficult to drive information security. That is where my previous experience of people management from the hospitality industry came in very handy and continues to be my forte.”
He also used his people management, negotiation and collaboration skills to drive the infosec culture and has seen his current organization evolve from 2008 to its present state. Every time there is an audit, there is a new learning; a new aspect of infosec gets revealed, be it governance, setting up of measurement parameters, control normalization, etc. “Every year, year on year, we were able to demonstrate continual improvement,” he mentions.
“We faced approximately 32 audits last year. This has indeed been a very interesting journey,” adds Arnab.
He has also set up his points of contact across the various verticals in the organization and banks on them. He also has a very lean team. “Over time, I have trained my points of contact to be operationally efficient in identifying risks as well as contribute towards business impact analysis and other operational elements. There is a group down there which acts as our eyes and ears for information security; all of them from business and support functions,” he adds.
Wrapping up the conversation, Arnab says that management support, the people component and culture are the few important aspects for embedding infosec. If you have the processes in place and a culture of accountability, then it is not that difficult to drive infosec, he concludes.