Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint study by IBM Security and the Pokemon Institute conducted earlier this year, the cost of a data breach is $3.86 million, a 6.4% increase from the prior year.
The gaming industry is particularly focused on security, where American consumers alone spent nearly $36 billion dollars in 2017. Gaming generates data from a variety of users through a variety of transactions. It is is a global industry in which sheer scale creates exposure to a high degree of public scrutiny. In gaming, security is a necessary component of the customer experience. According to some thought leaders, security should be viewed as a product itself in a category like gaming.
One such thought leader is John Visneski. John agreed to share with us his unique viewpoint as Director of Information Security and Data Protection Officer at Bellevue-based Pokemon Company International.
John Visneski: I’m responsible for all things security, including our corporate-facing on-premises IT infrastructure, as well as our customer-facing platform, which is hosted almost entirely on Amazon Web Services (AWS). Specifically, my team and I are responsible for fraud prevention, General Data Protection Regulation (GDPR) compliance, governance, and risk.
JV: I started my career as a Combat Communications Officer in the Air Force, setting up networks in combat zones such as Afghanistan and Iraq. This prepared me for later work back stateside where I landed at the Pentagon working on data links for F-22 and F-35 fighter jets. In working on military hardware, I really had to think hard about how to deliver data between parties while maintaining confidentiality, integrity, and availability.
After my initial position within the Pentagon, I then served as the strategic advisor to the Chief Information Officer of the Air Force, as well as the cybersecurity advisor to the Chief of Staff of the Air Force. These positions gave me a firsthand look at how to foster security culture within a large organization. This included defining security architecture, vendor management, governance, and risk, all qualities Pokémon was looking for when they hired me.
JV: You’ll recall two years ago when Pokemon GO was launched and immediately went viral. After its launch, the popularity of the application and associated security risks ended up transforming the company from three or four IT staff into a team of more than 100. Now the organization engages in the essential best practices for developing technology, including DevOps and program management.
My role in coming on board was to hire out the team, build up the security architecture, engage with vendors, and ensure the organization was compliant with industry regulations. With a broad user base in Europe, GDPR became an important part of my job and has been a project that I have been working on over the past year.
JV: I think what separates us from a lot of organizations is that we start everything from an operational mindset. I always share with my team that, no matter what we are trying to develop, they must focus on effectiveness, efficiency, and security. You’ll notice that in that list, security comes third and that’s because we view ourselves as problem solvers first. Our goal at the end of the day is to integrate security into the equation — not force ourselves into the conversation after the fact.
This philosophy hinges on the belief that in order to keep pace with DevOps, developers, and appropriate speed for business, a security team cannot be risk-averse. In organizations where cloud adoption is quick, security teams embrace risk aversion because of how quickly the cloud can move, especially with the emergence of containers and serverless technologies. When that happens, the rest of the business tends to avoid the security team in fears that of business slowdown, which places the entire organization at risk.
JV: Absolutely. Like DevOps, our goal is to drive towards that integrated CI/CD pipeline. Our role as an integrative agent in the organization moves beyond saying no to teams that we collaborate with and focuses more on finding out which solutions we can implement that aren’t just beneficial to security, but also integrate DevOps, IT, and business intelligence.
While we might be seen as rule-makers set out to maximize return on investment, the real challenge at hand is figuring out how we can scale our security initiatives in a way that keeps pace with DevOps and positions us as business enablers. The better we do our jobs, the more the rest of the organization can innovate.
JV: Security is definitely one of the top in-demand skill sets and also a challenge in hunting for talent. Too many organizations are searching for that purple unicorn with 10 years of security experience and the appropriate certifications, when what they really should be doing is finding talented individuals who know how the process works, and who have an operational mindset and the aptitude to stay ahead of the curve with high levels of ambiguity, especially with the industry changing every 12 to 18 months.
When it comes to training for these skills, I like how Cloud Academy has designed its platform to demonstrate just how broad the security engineer skill set is, whether they’re platform expert with Amazon Web Services, Microsoft Azure, or Google Cloud or have expertise in other domains such as Ruby, C, C++, C#, or Python. With a wide range of skills required, I think it might be better to search for candidates who are flexible and not locked in ideologically to one particular technology because of ongoing industry changes.
That’s not to say you don’t need to find candidates who don’t have the necessary base skills. There is tremendous crossover in technology roles where you’ll find that similar skill sets are required. For example, one of my best security engineers was previously a test automation expert who kept up with security trends in his free time, including getting his Offensive Security Certified Professional (OSCP) certification. All it really took was giving him a fair shot.
JV: There are numerous transferable skills from a DevOps role, including the ability to identify gaps, understand pain points, and relate technology back to the business. Furthermore, DevOps professionals are always looking for ways to automate their processes so they can focus on human functions. They know what all parts of the DevOps process is supposed to look like, including analytics pipeline, pain points, security controls, and securing cloud workloads.
With security, there’s not much additional training needed to make the leap. Oftentimes, a pitch consists of offering the opportunity to broaden skill sets and expand into a high-demand career that really impacts the business. I think that’s a pretty cool value proposition at the end of the day.
JV: Obviously, a basic understanding of how cloud systems work is necessary, but beyond that, leaders need to invest time to ensure that a new hire learns the system. At Pokemon, we let them get hands-on, including taking courses on Cloud Academy or elsewhere where they can get the practical experience in a steady manner. Much of this is contrary to some company philosophies where the goal is to onboard as quickly as possible or hope that a new hire to expect to get it all at once, but I believe that allowing a new hire to get acquainted with the architecture, understand the roadmap, collaborate with the team, and set aside time for training is much more meaningful. You might even discover that onboarding happens a lot faster than expected.
I also find soft skills to be important, including the ability to adapt and be flexible in a changing environment. I think investing in a new team member from an education standpoint and letting them take the time to really get acquainted with your architecture before you expect too much of them is also important. You can’t expect someone to be an expert immediately and it’s up to management to do the due diligence of investing the time to make sure that they’re thinking the right way, at the right time, with the right piece of technology.
JV: I think the most successful security teams are set up to be as flat as possible. Teams are judged by their ability to stay ahead of threat actors and adversaries. With my team, I use the OODA (Observe, Orient, Decide, Act) Loop, a concept I learned in the military and apply to my teams in an effort to prevent us from becoming a silo.
Successful security teams and professionals embrace this concept and then realize they can’t silo their security engineers away from the rest of the organization, otherwise, there will be bottlenecks. They must be able to see two, three, or four steps into the future and understand the consequences of those actions.
To me, the biggest difference between a junior and senior security engineer is their ability to understand the OODA and the consequences of every business decision they make. When they apply these concepts to their work, they understand the potential consequences their choices have on architecture, policy, operations, and eventually the entire organization from a business and financial perspective.
When they adopt this way of thinking, that’s when you know they’ve achieved that sort of senior status because they no longer just think technically, but also for the business. I think that’s sort of the transition that you see over time if you make that investment to ensure that they have that sort of shared consciousness with the rest of the team.
JV: I think there will be several changes over the next few years that really change the industry:
It's Flash Sale time! Get 50% off your first year with Cloud Academy: all access to AWS, Azure, and Cloud…
In this blog post, we're going to answer some questions you might have about the new AWS Certified Data Engineer…
This is my 3rd and final post of this series ‘Navigating the Vocabulary of Gen AI’. If you would like…