How The Pokémon Company avoided drowning in a new data lake after the launch of Pokémon Go

The Pokémon Company's John Visneski talks to us about security, scalability and Hellfire missiles

Most people put their childhood fascinations behind them as they grow older, and take on jobs in more serious roles; passion for toys gives way to interests in finance, politics and business. Buzz and Woody end up in a cardboard box, to be taken out and handled again only in a fit of nostalgia.

Most people, but not all. John Visneski worked in the United States Air Force for a decade, including time spent as a cybersecurity advisor for General Dave Goldfein - the Air Force's Chief of Staff - in the Pentagon. Then, in mid-2016, he was recruited to join The Pokémon Company International as director of information security and DPO.

"[The Department of Defense and Pokémon] are at as far ends of the spectrum as it gets; but at the end of the day, whether you're talking about your mission or...your business, your job as a security professional is pretty much the same… As long as you're aligning yourself to it, it doesn't matter if you're putting a Hellfire missile downrange or you're protecting children in one of our applications; the principles are all the same, and you should be aligning yourself to whatever that end objective is."

As Visneski puts it, he was "trying to decide what I wanted to do when I grew up when I got a call from The Pokémon Company," joining at just about the same time that Pokémon Go launched.

The first official Pokémon game for smartphones proved that nostalgia for the brand is still alive and well. The most optimistic estimates from The Pokémon Company, which is in charge of marketing, and from the game's developer, Niantic, had been around 100 million downloads. Fans had downloaded Go 500 million times by the end of 2016, and 800 million by mid-2018.

Scalability was one of the first challenges that Visneski faced. How do you handle security for a product that is five times more popular than you planned for, especially one that appeals to young children?

"When you start talking about scalability, one of the first reasons that Pokémon got involved was for COPPA compliance - the Child Online Privacy Protection Act. What that does, in a nutshell, is establish the points at which you are more careful about who you market to, how you protect data and who needs to get permission for a child to have an account in one of these spaces. That's where our initial play was, in the back-end and providing that capability for children under the age of 13," says Visneski.

"We didn't really expect it to go supernova," he adds, "and so what that meant was, initially, having to adapt and overcome with not a lot of resources… Our company really only had a handful of developers that were handling that back-end. We started with somewhere between seven and 14, and we've since expanded to about a hundred."

The work with COPPA meant that the company was positioned to align policy and technology when the GDPR came into effect last May. Because of the explosion in Go's popularity, Pokémon gained massive amounts of data: "Not just PII, but business intelligence data, network availability data, operational data, all these things. We're wrapping our arms around that data; number one to protect it but number two, to make sure that it's enabling the business."

To deal with the information influx, Pokémon began working with Sumo Logic late last year to centralise its data security and collaborate on setting up a security operations centre (SOC). Visneski says that the deal has been crucial for data visibility after the "scalability explosion" that followed the launch of Go.

"The...effect of that integrative approach [that we have with Sumo Logic] is that people want my team in the room. They're not inviting us to meetings solely because they care about security; they're inviting us because they know that we're problem solvers, and we're there to integrate. What they don't realise is that those skills that my team bring and can integrate are helping them to stay secure."

The future of security, Visneski believes, is in automation, which Pokémon is using in its SOC. He calls it "a pretty obvious game-changer when it comes to efficiency and effectiveness," and refers to the concept of the OODA (observe, orient, decide and act) loop - developed by fellow ex-military man and former USAF fighter pilot John Boyd:

"Be able to observe defence; orient yourself based on established practices and procedures; make a decision; and act on that decision. The faster you can do that, the better chance you have of staying ahead of your adversaries."