Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint study by IBM Security and the Ponemon Institute conducted earlier this year, the cost of a data breach is $3.86 million, a 6.4% increase from the prior year.
The gaming industry, where American consumers alone spent nearly $36 billion in 2017, is particularly focused on security. Gaming generates data from a variety of users through a variety of transactions. It is a global industry in which sheer scale creates exposure to a high degree of public scrutiny. In gaming, security is a necessary component of the customer experience. According to some thought leaders, security should be viewed as a product itself in a category like gaming.
One such thought leader is John Visneski. John agreed to share with us his unique viewpoint as Director of Information Security and Data Protection Officer at Bellevue-based Pokemon Company International.
Cloud Academy: What do you do as Director of Information Security and Data Protection Officer?
John Visneski: I’m responsible for all things security, including our corporate-facing on-premises IT infrastructure, as well as our customer-facing platform, which is hosted almost entirely on Amazon Web Services (AWS). Specifically, my team and I are responsible for fraud prevention, General Data Protection Regulation (GDPR) compliance, governance, and risk.
CA: How did you get started in security and become a leader at Pokemon?
JV: I started my career as a Combat Communications Officer in the Air Force, setting up networks in combat zones such as Afghanistan and Iraq. This prepared me for later work back stateside where I landed at the Pentagon working on data links for F-22 and F-35 fighter jets. In working on military hardware, I really had to think hard about how to deliver data between parties while maintaining confidentiality, integrity, and availability.
After my initial position within the Pentagon, I then served as the strategic advisor to the Chief Information Officer of the Air Force, as well as the cybersecurity advisor to the Chief of Staff of the Air Force. These positions gave me a firsthand look at how to foster security culture within a large organization. This included defining security architecture, vendor management, governance, and risk, all qualities Pokémon was looking for when they hired me.
CA: Can you tell us about Pokemon’s security journey?
JV: You’ll recall two years ago when Pokemon GO was launched and immediately went viral. After its launch, the popularity of the application and associated security risks ended up transforming the company from three or four IT staff into a team of more than 100. Now the organization engages in the essential best practices for developing technology, including DevOps and program management.
My role in coming on board was to hire out the team, build up the security architecture, engage with vendors, and ensure the organization was compliant with industry regulations. With a broad user base in Europe, GDPR became an important part of my job and has been a project that I have been working on over the past year.
CA: Can you tell us how handling cloud security at Pokemon might be different from other companies and industries?
JV: I think what separates us from a lot of organizations is that we start everything from an operational mindset. I always share with my team that, no matter what we are trying to develop, they must focus on effectiveness, efficiency, and security. You’ll notice that in that list, security comes third and that’s because we view ourselves as problem solvers first. Our goal at the end of the day is to integrate security into the equation — not force ourselves into the conversation after the fact.
This philosophy hinges on the belief that in order to keep pace with DevOps, developers, and appropriate speed for business, a security team cannot be risk-averse. In organizations where cloud adoption is quick, security teams embrace risk aversion because of how quickly the cloud can move, especially with the emergence of containers and serverless technologies. When that happens, the rest of the business tends to avoid the security team in fear of business slowdown, which places the entire organization at risk.
CA: Does that mean your security team should behave more like a DevOps team?
JV: Absolutely. Like DevOps, our goal is to drive towards that integrated CI/CD pipeline. Our role as an integrative agent in the organization moves beyond saying no to teams that we collaborate with and focuses more on finding out which solutions we can implement that aren’t just beneficial to security, but also integrate DevOps, IT, and business intelligence.
While we might be seen as rule-makers set out to maximize return on investment, the real challenge at hand is figuring out how we can scale our security initiatives in a way that keeps pace with DevOps and positions us as business enablers. The better we do our jobs, the more the rest of the organization can innovate.
CA: With your security requirements and how your team functions in mind, how do you go about staffing your organization?
JV: Security is definitely one of the top in-demand skill sets and also a challenge in hunting for talent. Too many organizations are searching for that purple unicorn with 10 years of security experience and the appropriate certifications, when what they really should be doing is finding talented individuals who know how the process works, and who have an operational mindset and the aptitude to stay ahead of the curve with high levels of ambiguity, especially with the industry changing every 12 to 18 months.
When it comes to training for these skills, I like how Cloud Academy has designed its platform to demonstrate just how broad the security engineer skill set is, whether they’re a platform expert with Amazon Web Services, Microsoft Azure, or Google Cloud or have expertise in other domains such as Ruby, C, C++, C#, or Python. With a wide range of skills required, I think it might be better to search for candidates who are flexible and not locked in ideologically to one particular technology because of ongoing industry changes.
That’s not to say you don’t need to find candidates who don’t have the necessary base skills. There is tremendous crossover in technology roles where you’ll find that similar skill sets are required. For example, one of my best security engineers was previously a test automation expert who kept up with security trends in his free time, including getting his Offensive Security Certified Professional (OSCP) certification. All it really took was giving him a fair shot.
CA: You mentioned that one of your previous employees transitioned into security. For someone working in DevOps, what is the pitch to transition over to security?
JV: There are numerous transferable skills from a DevOps role, including the ability to identify gaps, understand pain points, and relate technology back to the business. Furthermore, DevOps professionals are always looking for ways to automate their processes so they can focus on human functions. They know what all parts of the DevOps process are supposed to look like, including analytics pipeline, pain points, security controls, and securing cloud workloads.
With security, there’s not much additional training needed to make the leap. Oftentimes, a pitch consists of offering the opportunity to broaden skill sets and expand into a high-demand career that really impacts the business. I think that’s a pretty cool value proposition at the end of the day.
CA: How about integrating someone into a security team who doesn’t have any prior experience in the area?
JV: Obviously, a basic understanding of how cloud systems work is necessary, but beyond that, leaders need to invest time to ensure that a new hire learns the system. At Pokemon, we let them get hands-on, including taking courses on Cloud Academy or elsewhere where they can get the practical experience in a steady manner. Much of this is contrary to some company philosophies where the goal is to onboard as quickly as possible or to expect a new hire to get it all at once, but I believe that allowing a new hire to get acquainted with the architecture, understand the roadmap, collaborate with the team, and set aside time for training is much more meaningful. You might even discover that onboarding happens a lot faster than expected.
I also find soft skills to be important, including the ability to adapt and be flexible in a changing environment. I think investing in a new team member from an education standpoint and letting them take the time to really get acquainted with your architecture before you expect too much of them is also important. You can’t expect someone to be an expert immediately and it’s up to management to do the due diligence of investing the time to make sure that they’re thinking the right way, at the right time, with the right piece of technology.
CA: What is the difference between a junior security engineer and a senior security engineer and how does one get promoted?
JV: I think the most successful security teams are set up to be as flat as possible. Teams are judged by their ability to stay ahead of threat actors and adversaries. With my team, I use the OODA (Observe, Orient, Decide, Act) Loop, a concept I learned in the military and apply to my teams in an effort to prevent us from becoming a silo.
Successful security teams and professionals embrace this concept and then realize they can’t silo their security engineers away from the rest of the organization, otherwise, there will be bottlenecks. They must be able to see two, three, or four steps into the future and understand the consequences of those actions.
To me, the biggest difference between a junior and senior security engineer is their ability to understand the OODA and the consequences of every business decision they make. When they apply these concepts to their work, they understand the potential consequences their choices have on architecture, policy, operations, and eventually the entire organization from a business and financial perspective.
When they adopt this way of thinking, that’s when you know they’ve achieved that sort of senior status because they no longer just think technically, but also for the business. I think that’s sort of the transition that you see over time if you make that investment to ensure that they have that sort of shared consciousness with the rest of the team.
CA: Where do you think the security industry is headed in the next five to 10 years?
JV: I think there will be several changes over the next few years that really change the industry:
- Industry transition: Right now, we have two camps of security teams. On one side, you have fairly progressive security teams that have embraced the cloud, executed DevOps in a meaningful way, and effectively innovate to stay ahead of threats instead of responding to them. On the other side is the old guard, where you have security leaders who believe that they’re going to be more secure on-premises and going into the cloud would be too risky. The challenge for cloud security vendors when it comes to these two camps is how to innovate in a meaningful way to stay with the progressive teams while catering to legacy organizations. You have many vendors that you meet at conferences such as RSA and Black Hat who are in this situation with on-premises offerings that haven’t embraced the cloud but have a cloud solution on their roadmap. As this transition occurs, old-guard security leaders are going to be challenged in finding worthy security solutions since much of the market will transition into the cloud. I expect business, not threats, to drive where cloud security goes with technology leading the way.
- Unified Security Management: Another area of growth in the security industry will be the ability to manage the security and cloud assets from one single pane of glass. With emerging technologies in areas including blockchain, security, AI, and other areas, you’re going to see more security teams implement monitoring solutions that make the lives of their analysts easier and faster. Speed is also an important aspect of the security industry that will be addressed with unified security management, especially with the emergence of machine learning. Leaders will leverage machine learning in the face of talent shortage so they can have a bigger impact on the businesses they serve.