Pokémon Company takes data protection to the top level
The Pokémon Company International, a subsidiary of The Pokémon Company in Japan, has hundreds of millions of users of its gaming apps, which run on Amazon Web Services. Many of these users are children and young adults, which means the company captures a lot of sensitive data alongside dates of birth, email addresses and geolocation.
Because children’s data is a special category of personally identifiable information under the EU General Data Protection Regulation (GDPR) and the US Children’s Online Privacy Protection Act (COPPA), this creates pressure to demonstrate a strong compliance stance, as well as resilient security. With the business continuing to scale, the company recognised a need to log and track access to all the data flowing across its environment.
John Visneski, director of information security and DPO, Pokémon Co International, explained to DataIQ the challenges it faces and how Sumo Logic, a cloud-native, machine data analytics platform, is providing pre-built security and compliance dashboards which have centralised security and business insights.
DataIQ (DIQ): What is Pokémon’s brand promise to users around privacy and data security?
John Visneski (JV): The Pokémon Company International is a subsidiary of The Pokémon Company in Japan. Our team manages the property outside of Asia and is responsible for brand management, licensing, marketing, the Pokémon Trading Card Game, the animated TV series, home entertainment and the official Pokémon website.
As part of the nature of our business and gaming applications, we collect and hold a lot of personally identifiable information (PII) from our customers, including dates of birth, email addresses, and other data collected from the popular Pokémon Go app. A majority of our customer base includes children, which of course falls into the sensitive data category.
We have additional responsibilities around sensitive data under GDPR, so we have to regularly maintain the necessary compliance standards. Our approach to security is that this has to be a business enabler and our main goal is to provide a safe place for our customers to enjoy our brand.
When a parent goes to buy or download a Pokémon product, they can sleep well knowing their child’s data is protected. Our approach to user privacy and data security is therefore an essential part of our overall brand.
DIQ: When did the company start its preparations for GDPR and how wide-ranging was the programme?
JV: In the broader IT industry, security often gets a bad rap for being restrictive. I am trying to fight this perception internally and externally. GDPR was a huge enabler for me to do this. For example, I wanted all customers’ data to be safe, not just children’s data or regional data. It’s important that our customers trust us and trust that we will do the right things for them. That approach is essential in turning privacy and security into business enablement and we’ve set a high bar for ourselves.
Given what we do as a business, there was a strong foundation for GDPR compliance and I wanted to build on that to continue to provide a safe place for our customers. All customers deserve the right to data protection and this isn’t just for customers that happen to be in Europe.
Data privacy has become the new way of life, and we are already seeing other countries around the world, including the US, Australia, Singapore and Brazil, following Europe’s lead on data privacy and protection. So adopting GDPR for our entire customer base has put us in a better position, rather than segmenting our user base and trying to implement different security and compliance regimes for each location.
Businesses that will be successful are those giving customers the right to their personal data. The future will need the security space and the privacy space to merge even more. My team understands this and we are working with companies like Sumo Logic to make sure these roles are integrated.
As data stewards, we also need to ensure that we are building trust in the organisation between teams. Once we have established that culture, it makes it easy to go to the legal teams and the C-suite and speak to them because there is a trust and an understanding that security wants to enable the business.
We have a strategic partnership with Sumo Logic that allows us to share problems and develop best practices. They directly help our business to function at scale.
DIQ: What is the attack vector which Pokémon faces?
JV: There’s a broad range of threats to us as a business and some are specific to us as a popular gaming company.
From an IT perspective, there are people trying to get into our network and steal user data. We have to protect against illegal entry or data theft. This is broadly similar to other companies that face the same kinds of challenges.
We also face more specific issues as a gaming company. These range from irritations like cheating within the game and GPS spoofing so people can appear to be in places that they are not, through to more negative actions like creating false accounts, trying to level up Pokémon Go accounts to sell them, as well as the use of bots that can automate common gameplay steps to create an unfair advantage.
We have to treat these as security risks as well and both identify and remediate this malicious activity before it affects other customers.
DIQ: How did the company evaluate potential solutions?
JV: We are very strict on who we work with, especially when it comes to data sharing. The key for me is visibility into our data. I can’t protect what I can’t see or understand, so having vendor partners that make it as easy as possible to make sense of all of this data that is constantly being created is crucial.
Working with the likes of Sumo Logic and AWS is ideal, as they help me to understand what the company’s security posture is like at all times, regardless of the millions of new events that have to be analysed and logged every second.
The other area that is critical for me is data privacy and protection. Every single vendor that handles personal data goes through an initial information security questionnaire. This gives us a chance to think through how they approach these issues, to see if they think about problems in the same way we do, and understand better what the integration process would look like. That helps us qualify a lot of potential vendors straight away.
One important issue for me is that we are not a huge team. While we have millions of customers active and using our products every day, we can’t be everywhere and so we have to work smarter. Approaches like analytics and automation are critical to our success, which is why Sumo Logic is such an important partner for us and has been an incredible force multiplier for my small but mighty team.
DIQ: What led to the choice of Sumo Logic?
JV: Transparency was critical. The company’s machine data analytics platform was well-suited for Pokémon’s needs and the team that we met had exactly the same approach to data privacy and security that we did.
Once we established an initial good fit, we looked at implementation. The Sumo Logic team worked with us to help enable our success over time and now we collaborate on problems that can help both companies improve our security operations. This approach has paid off over time for us internally, and across the business at Pokémon.
When we introduced Sumo Logic to the business, other departments saw what we were doing with data and wanted a part of it for themselves. This helps from a security and a budget perspective. With everyone using it, it shows that there is value in the data and the service that Sumo Logic provides.
Also, in order to be successful, we have to break down silos across development, security and the business. Because of its API-driven nature, Sumo Logic has become the engine that unifies that triad and enables my team to be successful across the business.
One of the best parts of any vendor partnership is the ability to collaborate, and we work very closely with Sumo Logic’s CSO, George Gerchow, and his team to strategise how to approach future problems, share our respective security philosophies and be completely transparent about how we operate. The goal is to bring together as many forces as we can to respond to incidents and to bring security into the cloud in a meaningful way.
DIQ: As well as introducing new technology, have new privacy and security processes been implemented?
JV: Sumo Logic has long been a flag bearer in the GDPR space. Well before I brought them on as a vendor partner, I was listening to the Sumo Logic security team speak about the ins and outs of GDPR and their own issues and hurdles. One of the things I liked was the fact that they were very clear on how they wanted to apply best practices across the board.
That approach was the same one we wanted to take. Companies that will be the most successful will have the best business relationships by aligning strategies and best practices to ensure both companies are successful. It goes beyond the platform Sumo Logic offers, and is all about a transparent, mutually beneficial two-way business relationship.
DIQ: What is Pokémon now able to get visibility of, and take action on, around privacy and security that were challenges previously?
JV: We leverage Sumo Logic’s security analytics platform as the backbone of our modern tool stack and to help us unify security, operations and development data across our global network. That data empowers us to harden our security posture and make sure we are staying up to date on the latest compliance and privacy regulations like GDPR in the EU and COPPA in the US.
In the background, we’ve also been working on building a world-class modern day security operations centre (SOC) and are collaborating closely with Sumo Logic on this as it is also building out its own SOC.
Together, we’ve been working between our two teams to completely redefine how we do security operations, starting with creating a new model for how a modern SOC should be structured and how it should function that relies heavily on military rigour and tactics.
This unique level of information sharing allows us to be transparent in our processes, collaborate on techniques and best practices, and look at how we can automate our operations to scale the business without losing the human context that’s critical for understanding why and how a particular incident occurred.
DIQ: Will users see anything different in their experience - or is the goal for these measures to be invisible and friction-free?
JV: We have put a lot of thought into how we make use of automation. We can’t hire 100 security professionals to be everywhere all at once. We have a team of seven and we have to make them look like an army. Automation helps us achieve that.
Humans need to be involved to do what they do best - provide context. However, tasks that can be easily automated away should be, because this allows your security talent to focus on more innovative and strategic projects, and it also helps you identify, investigate and resolve security incidents more efficiently. Humans should be involved around what humans do best.
At the end of the day, security is about problem solving. Automation brings us a lot of efficiency and makes us more secure. Instead of having people waking up at 3am to investigate a potential incident, figure out who they need to call and what they need to do, automation can help speed up that process. Now, you have to get the process right, but when you do it becomes a lot more repeatable and actionable at scale.
DIQ: Has the new implementation allowed the brand to enhance or extend its data protection promise?
JV: We have a very strong data privacy and security function in place today. However, we also want to work with the rest of the business to determine how they can use data to better inform their programs.
There are teams across Pokémon that want as much data as possible, such as finance and operations or marketing, in order to help streamline and improve their core functions. Sumo Logic has become an integrative agent that helps us break down silos across core business, development, operations and security functions and makes data generally accessible for use and analysis within those broader teams in addition to security.