John Visneski: Protecting Data at Pokemon
"[Parents are] trusting in us to provide a safe place for their children."
Ben: Welcome to the Masters of Data podcast, the podcast that brings the human to data, and I’m your host, Ben Newton. Ever hear of Pokemon, of Pikachu? If not, I can guarantee your kids have. My four-year-old son has a Pikachu doll and that is a challenge for John Visneski, Director of Information Security and Data Protection Officer at Pokemon. He not only has to protect the brand of Pokemon, many of his customers indirectly or directly are children. That carries an extra burden and responsibility that John doesn’t take lightly. I caught up with John at Sumo Logic User Conference and we talked about his background and about the challenges of trust and privacy when your product is used by the most innocent, our children. Without any further ado, let’s dig in.
All right, welcome everybody to the Masters of Data podcast. We’re actually recording live here on the floor of the Sumo Logic User Conference and I’m really excited to have John Visneski with me. Thank you for coming on. He’s over at Pokemon.
John: Yes, it’s a pleasure to be here, absolutely.
Ben: I have to tell you, when I heard I was going to talk to somebody over at Pokemon I thought this was going to be an exciting conversation, so I think this will be good.
John: Well sure, I mean quite frankly I’m only here because there’s an espresso machine right next to it, so I figured while I’m sitting here drinking espresso it’d be all right to talk to you.
Ben: I’m asking you questions, you just [inaudible 00:01:24].
John: Yes, that’s what’s good. I like it.
Ben: I like it, we’re on the same wavelength. I’m only on my fourth cup.
John: If I have a heart attack halfway through the podcast please just resuscitate me, edit out the gurgles and all that sort of stuff and we’ll just keep pressing on.
Ben: All right, we got a deal. Well, the thing I always start with, John, is talking about where people came from, kind of humanize the people behind the data. How did you get into security? What’s the story?
John: Yes, so before I was at Pokemon I spent 10 years in the United States Air Force as a cyberspace operations officer. Started off, like a lot of security professionals, you don’t necessarily start in the security field, whether it’s systems admins or dev ops engineers, or test engineers, or some of the best hackers in the world who weren’t tech people at all until they realized they had that idea for problem solving. I started out as a combat communications officer setting up networks in Iraq and Afghanistan, and then I moved to work for the intelligence community for some time. Really the cyber security aspect of it was towards the latter half of working for the intel community and then moving to the Pentagon to work for the Chief Information Officer of the Air Force.
In that regard we were, at the time General Bender was at the forefront of trying to make sure that we had this understanding of how was the Air Force going to embrace cyber security and how are we going to foster innovation within, not just the Air Force but the Department of Defense at large. Because I don’t know if you’ve heard, they’re kind of byzantine and slow and it’s a large bureaucracy. I did that with him for about a year and then my final job was being the cyber security advisor for the Chief of Staff of the Air Force. In that regard it was everything from making sure his iPhone worked to keeping the staff informed about what was going on in cyber security.
Ben: I’m sure that was pretty interesting, [crosstalk 00:03:04].
John: Yes busy, busy for sure. I think one of the biggest advantages of having the opportunity to work in an environment like that is the Department of Defense is the world’s largest bureaucracy and being able to see that sort of bureaucracy up close has really … I like to feel like it’s enabled me to move a little bit faster on the outside, because it was sort of my resistance training for some time. Around that time Pokemon Go explodes. I think it was a pretty big surprise for all involved, including the brand. You never really plan for 800 million downloads, so the scalability problems that come with that are pretty massive.
What the company did with that sort of a new data challenge, new technological challenge was really get serious about investing in technology, investing in the talent that they need to bring on board in order to continue to ride that wave, continue to make products fast, secure products and things like that. So, they didn’t have an internal security team and I got the call to come out and stand it up from the ground up. For the last year that’s what I’ve been up to is everything from building out my team, to getting our arms around what our security architecture looked like, to vendor management, everything that goes into building out a solid information security program. I don’t know if you heard, but about halfway in there was this thing called GDPR.
Ben: Just a little thing.
John: Just a little thing and we’re a global brand, we have customers all over the place. I’m also the company’s Data Protection Officer, and so it was my job to work with our legal team, God bless them, to wrap our arms around how this applies to us as a brand. Then moving forward, how do we look at things like GDPR and data privacy as a way of life as opposed to a project or a line in the sand. It’s been an interesting ride in that regard.
Ben: It sounds like you feel like your experience in the military and the Air Force actually helped prepare you to do some of these things, right? I mean it’s a good background for you in a large organization and how to apply it?
John: Yes absolutely, I mean I think it all boils down to an operational mindset, right? Whether your business’s job is to sell Pikachu or whether it’s your organization’s mission to put a hellfire missile in a cave somewhere across the world, the principles of how you make those decisions and why you make those decisions and how quickly can you make those decisions are pretty similar, right? At the end of the day, a lot of the technology is the same, a lot of the threats you see are the same, and so on and so forth. There’s this concept in the military, and in business in some respects too, of the OODA-loop, right? This guy in the Air Force named John Boyd, he came up with this concept of observe, orient, decide, and act. That’s a loop and you feed that loop, right? At the time his thesis was around dog fights and such, and so the idea was that if your OODA-loop was faster than the adversary’s OODA-loop you were bound to win.
When you’re making decisions, whether it’s about policy, process, people, technology, all of those decisions should be made with how is this going to compress my OODA-loop so I can fly, fight, and win? That’s foundational now in a lot of military doctrine. It works in business too and security specifically, right? Whether it’s responding to an incident or responding to threat actors or responding to the business needs X, Y, or Z and they need it by this particular date that seems impossible, every decision we make as a security team and every decision I make as the head of the security team are how is this going to compress our OODA-loop to the point where should we have an incident, or should we need to respond to a business need, how are we going to be able to observe the situation, orient ourselves, make an efficient, effective decision, act on it and then all right, did it work? Great, if not, because we’re automating and because we’re making operational decisions, we can feed back into that. Largely that sort of mindset came from my time in the military.
Ben: That makes sense. I spent a lot of time in D.C. and that was one thing I really noticed was a lot of my colleagues that spent time in the military, it really gives you a good mindset for thinking about organization, about how to be effective at all different levels of organizations. That makes a lot of sense. What was the most surprising thing for you when you switched out of the Air Force over to Pokemon Go? Was there anything in particular? Crap, this is not what I expected or this was just beyond what I expected to see?
John: Yes, I mean I think one of the biggest things was Pokemon was a brand that makes people happy, right? No one hates Pikachu, I mean that’s weird.
Ben: My kids love it.
John: Right, I’m the most popular uncle on the planet and the most popular adult within the entire Seattle area I’m pretty sure. One of the things that surprised me the most was just the variety of threats that a company like ours can have even though we are sort of a worldwide happiness type brand. Whether it’s people trying to cheat at our games or threats when it comes to criminal organizations in Eastern Europe that monetize personal data. All those sorts of things, what kind of surprised me the most was that we had a lot of things that we needed to be concentrating on all at once that you wouldn’t necessarily associate with a company like ours. That was definitely one of them.
I think the other thing that surprised me was just how similar it is to try to align yourself and align your security program with whatever the business objective or the mission objective is. I mean it really is sort of the same thing. Because at the end of the day, I think a lot of security professionals have spent their entire careers trying to prove return on investment and that ends up being a losing battle. I think the goal for people in my position should be the board or the CFO or the CEO or what have you comes to you because you’re a problem solver first and a security professional second.
Ben: Yes, that makes a lot of sense.
Ben: What’s top of mind for you now? You’ve been over a year in the job, you got your arms around it. What’s top of mind for you now after having brought this team together?
John: Yes, I mean I think what we’re going to see more and more for ourselves and for companies that are like us is this convergence of security and privacy. I think it’s a good thing that I’m dual-hatted as in charge of cyber security and the data protection officer, because at the end of the day, both with security and with data privacy you need to be baking that in on the front end as opposed to trying to bolt it on later. Both from a technical standpoint, from a legal standpoint, from a policy standpoint, the earlier in the process you can get involved and make sure that decisions that are getting made are made with privacy in mind and with security in mind, is going to save you an awful lot of time and technical debt on the back end and keep you out of trouble.
I think part of what the next year is going to look like for my team is to continue to integrate those two aspects of the business as much as possible. I think the second thing that we’re going to concentrate on is leveraging security as an integrative agent within our organization. Anecdotally, and I’m exaggerating a little bit, but 95% of the people that come to my desk are really looking for me to say no to some idea that someone else had, right? I don’t want to do that so let’s go find John because John’s going to say, “No, we can’t do that for security reasons.”
Ben: That’s usually what security people do. I mean-
John: That’s the rule of thumb, right?
Ben: It’s a cliché because it’s totally true in most cases, right?
John: What we’re trying to do at Pokemon, and particularly with the security team, is okay, if that’s the situation where people are coming to us and trying to get out of doing something or trying to leverage that sort of power of no, how can we turn that on its head and make ourselves central to how we integrate data in the company, how we, not just security data, but operational data and business intelligence? Like any company we have this large, massive data lake and it’s not just about having the data, it’s about how are you using it effectively. In most cases, even if it’s an operational problem, a security problem, or a business problem, there’s a sort of butterfly effect that goes through the entire lake where you might have an outage that is operational, but there might be a security indicator or a business indicator that is relevant to that particular conversation. The security team is very well positioned to tie those things together because everyone’s always looking for us to mediate and be influencers primarily.
That’s what the team is concentrating on is with some of the products that we’re using, Sumo Logic being one of them, some of the products that we’re using, how are we going to leverage the tool sets that we have, the architecture that we have, how are we going to leverage those products to tie the business together and make sure that we’re all in alignment. At the end of the day that’s valuable both for me personally because I don’t have to prove my return on investment as much because we’re a business enabler, but more importantly it improves our security posture. At the end of the day that means that the security culture is just going to continue to rise within our company, not just in the technology organization but across it because you’re going to have security advocates in each one of these business orgs because they are coming to the same meetings you are about solving very similar data problems.
Ben: Even when you describe it that way the thing that comes to mind, it feels like what’s happening in the security part of the business is something that happened in other parts of the business around engineering and in the IT before. There was this sense that these were the groups, even in IT, they were the groups that told you no, you can’t use that piece of hardware, you can’t use that piece of software and they had to go do that transition where they had to drive value instead of … It seems like security is going through the same transition, right?
John: Yes absolutely, I think it’s very akin to the early days of cloud adoption, right? The way most organizations justified cloud in the early days was hey, this is going to save us money because we don’t have to have as big of an IT staff and we don’t have to have as big of a hardware staff and so on and so forth. The transition you start to see is that once the company gets a taste of the cloud and understands how it can be a force multiplier for their business, how it can create new business opportunity, new products, new value, all those sorts of things, it ends up just speeding up cloud adoption and it starts to not be a linear function, it’s definitely an exponential function. Same thing goes for security. As companies are starting to do more in the cloud, security teams are going to be responsible not just for keeping up with projects and technology adoption and all those sorts of things, but really working hand in hand at the forefront of them in order to stay ahead of threats, stay ahead of visibility into the environment and the like.
Ben: Yes, I do remember that’s one of the things we used to say at Sumo Logic, as one of our first hires was a security person. I think it’s taken me a few years after … I’ve been around Sumo Logic for about six years now and I think it took me a couple years to really grasp how important that one was. Because that was not a normal thing for software companies at that point, that you really bake in security. It seems like that’s the point we’re at right now as an industry is you don’t have a choice.
John: Right, right, the business is going to drag you along. Another interesting anecdote, our dev ops engineers are brilliant and we’re big AWS customers and when we first got started with a lot of these projects, serverless functions, AWS Lambda, it was one of those things where you used to joke where AWS they keep telling us that Lambda’s going to solve everything and you can leverage it for this and leverage it for that, but once they really started digging into it, it’s oh yeah, that’s great, that gives us the ability to move twice as fast, three times as fast, four times as fast. That increasing speed turns into increasing scale, and that increasing scale turns into visibility problems if you’re not paying attention to it, right? Especially with serverless infrastructure you can all of a sudden have 50 functions, then 100 functions, and then you go from zero calls to four million calls in a month, and that’s really hard to keep up with unless you are in lock step with your dev ops team.
Ben: Yes, that makes a lot of sense. I guess part of what it means too is that the skillsets required within the security community must be changing as well, right? I mean you’re not just the people coming afterwards to press a button and run some sort of function that gives a list of vulnerabilities, you’re actually … I guess the same thing that happened to the IT community. They had to become more like developers.
John: Yes absolutely. I think that ties into the perceived, I say perceived, talent gap in the cyber security community because I think people in my position when it comes to security talent and the skillsets that your security team needs, they’re searching for this purple unicorn that lays golden eggs where they have 15 years of deep security operations experience and hopefully they’re also an architect and hopefully they also understand GRC and all those sorts of things. At the end of the day for my money, I would rather take a terrific test engineer who’s been doing automation, understands where the gaps and seams are, is trying to find bugs and trying to find them effectively, and understands the dev ops pipeline, and all those sorts of things, but has the attitude and aptitude to be able to keep up with how quickly the security space changes. Maybe at night they troll through hacker forums and they have an understanding of it. They never really thought they could get in the security field because they don’t have any of that specific experience, but really they’re just waiting for someone to take a shot on them.
What I’m describing is my best security engineer. This is his first security job and he has his OSCP now. He is on the front lines of all of the cloud projects we have, and the reason he’s able to do that is because he understands how the sausage is made and he has that operational mindset going in as opposed to he grew up as a security professional and that sort of old school mindset. It’s a lot easier for me to teach security fundamentals than it is for me to teach the soft skills of attitude and aptitude and influencing rooms and all those sorts of things. I think that’s the future is finding people that understand how all these systems work and how they work together and how to enable the business, and then giving them the security flavor and the certifications or what have you in order to be successful on the security team.
Ben: That makes absolute sense. That example with the purple unicorn that lays golden eggs, that seemed very specific. Is that a Pokemon character?
John: No, I think I stole it from someone who’s around here that was explaining to me, that’s the resume they’re looking for is a purple unicorn.
Ben: I like that. One thing we were talking about before is, well I mean when companies look at their own customer profiles and who they’re serving, you guys are definitely in a different position than say we’re here at Sumo Logic where you’re … You were talking about you’re dealing with kids. You’re dealing with parents that their kids are using these games. How does that change your approach to the work that you’re doing?
John: Yes, well at the Pokemon company one of our core values, our core pillars is child safety. I had a conversation with all of our directors and our executives at one point and I said, “In my mind I broaden that, right? Not just child safety but customer safety, customer safety and trust.” Whether a parent is buying a Pikachu plush doll at a department store or downloading Pokemon Go or buying their kid a Nintendo Switch to play one of the games that’s coming out very soon, what they’re really doing is trusting in us that we are going to provide a safe space for their children to enjoy the brand. That applies for children, it applies for people who are 35 years of age, and so on and so forth. Because we understand it’s that our customers and parents trust us to be good stewards of their data and good stewards of their privacy, our outlook is if we bake in privacy as a product early on in all of our development processes and all of our business processes, at the end of the day that’s going to be appreciated by the consumer to the point where privacy does become a product.
Especially in this day and age when you have organizations being called in front of the House and the Senate to try to explain to these old geezers what data is and how it’s being used. People more and more are going to want that with every product that they have, particularly products that are going to involve children. I think treating privacy as a core value in our business is also no longer a value proposition and a return on investment, it’s actually a business enabler because upholding that trust and upholding that sense of privacy in everything that we do is going to be really valuable to our customers moving forward.
Ben: Yes, that makes a lot of sense because I have a seven-year-old and a four-year-old and I remember getting some games for my seven-year-old and it really made a lot of sense. There’s one particular game franchise where as long as it’s got that brand on it I’m good. They’ve earned my trust. We got some other ones and they’re selling them stuff that I’m not comfortable with, they’re sending her to sites I’m not comfortable with, and I get rid of them. That brand trust is more important now than it’s ever been, especially when you have these kids. It’s very hard to control everything they do so that makes sense.
John: Yes, I mean if you Google toxic gaming right now it’ll come up with a million examples with game companies or organizations that, because availability and functionality is way more important to them than anything else, it’s really sort of a dangerous place for you to send your kid. Whether that danger is physical or emotional or whatever, if I was in your position I don’t want my seven-year-old going to play a particular game online and it’s just full of trolls who are cursing or being racist, all that sort of stuff. I think more and more organizations, particularly ones that cater to a younger audience, are getting serious about making sure they put controls in place and they put tools in place to help that process.
Ben: Definitely, back to what you were talking about before, the only way you can do that is if the security team is involved along the whole process.
John: Well, and because at the end of the day, even if that in most organizations has always resided with customer service or the legal team or someone else, like I said before, the security team is well postured to tie all of those things together in a cohesive vision and strategy moving forward.
Ben: Yes, it makes sense. I mean what’s next? What’s on the horizon next? What are you going to be concerned with in the next year, couple years? What’s the big thing?
John: Yes, so one of the things that we’ve been working on in the last year, as I mentioned the program was new so it was a matter of building out that architecture, figuring out what kind of monitoring we wanted in place. The brand has a lot of really exciting things coming out in the next couple of years that are going to keep us quite busy. I’m confident that we have the monitoring and the controls in place to keep pace with that release cycle and development cycle and all those sorts of things.
A lot of it will be continuing to adjust that OODA-loop for ourselves, continuing to make additions and subtractions into our security architecture where necessary. I think at the end of the day most people who are in my position, particularly ones that are so invested in the cloud, need to start thinking of the architecture as two parts. Part one is what is my foundation? What are the couple of key tool sets that give me the capability at a basic level that I need, and the rest of the tools are almost modular in a sense that I want to make sure that I have a good foundation with some organizations that provide me tools and they have a vested interest in seeing me be successful, and the rest of the architecture should be modular enough that if something changes, because it always does. Every six months, nine months, 12 months, 18 months, if something changes I can hot swap out those pieces of my architecture in order to stay ahead of whatever the threats are. Or if it turns out that one of these tools ends up slowing down my business too much for one reason or another, I can take it off and I can look on either side of the stack to ensure that we’re putting tools in place that are going to be effective at helping us keep the pace with the business.
That’s a long way of saying that’s what’s on the horizon is now that we’ve gone through that almost tech startup like we need to build something and be ready, all right, now how are we going to adjust on the fly and what does normal look like for us? I joke with the team all the time, don’t get used to throwing 50 yard passes. When we got on board and there was nothing, everything is a 50 yard pass to the point where that becomes the new normal. We’re always building, we’re always innovating, we’re always building new process, always bringing on new tools.
Okay, so once all those tools are in place, what does a normal day start to look like? How culturally do you get to a point where this is what we do every day? To use that football analogy, how do you build a running game now? How do you adjust to what’s going on and how do you keep your people motivated when they’re so experienced with that sort of building culture and now they’re moving into more of a sustainment and more of a slight adjustment as opposed to a giant POC involving millions of dollars. How do you end up being normal?
Ben: Is I guess the question? What’s normal?
John: Well yes, right. I hope that next year I’m not talking on this podcast about how I built out a program. I hope I’m explaining how we navigate the cultural waters of keeping people motivated and invested in what they do on a day to day basis.
Ben: Yes, so it goes right back to where we started. I mean at the end of the day this is all about culture, this is about team, this is about building a great team with great people, which makes total sense.
Ben: Well John, this has been an awesome conversation. I really appreciate you taking the time to come here at the conference. I’m sure we’ll get you back. We’ll get you back to talk about where you ended up a year from now.
John: Just make sure that espresso machine’s here and I’m always happy to come.
Ben: Anything you want, anything.
John: Absolutely my friend.
Ben: All right, thanks.
Speaker 3: Masters of Data is brought to you by Sumo Logic. Sumo Logic is a cloud-native, machine data analytics platform delivering real-time continuous intelligence as a service to build, run, and secure modern applications. Sumo Logic empowers the people who power modern business. For more information go to SumoLogic.com. For more on Masters of Data go to MastersofData.com and subscribe, and spread the word by rating us on iTunes or your favorite podcast app.