Pokémon is now one of the most popular children’s entertainment properties in the world; its popularity soared 20 years ago with an animated series, trading card game and video games on the Nintendo Game Boy. It was so big that Nintendo, Creatures Incorporated and Game Freak – the three companies behind its success – started the Pokémon Company, a marketing and licensing firm and private company based in Japan, with satellite offices spread throughout the world, in cities such as London, Barcelona, New York, Seattle and Seoul.
Fast forward to 2015, and the brand had another huge spike in popularity with the augmented reality game Pokémon Go, which was made available on smartphones.
“It kind of went supernova, which was a surprise for everyone involved – it was only intended to be a marketing tool for one of the core games coming out for Nintendo at the time. We planned for about 50 million to 100 million users, not 800 million, which is what we had a year later,” explains John Visneski, director of information security and data protection officer at The Pokémon Company International.
This, understandably, caused some scaling issues. While Niantic developed the game and client, the Pokémon Company had to become a tech company overnight in order to ensure compliance with child online privacy protection regulations.
The company had 10 employees at launch, and this has now increased to just under 600 – including those focused on developing apps in-house – with further growth anticipated in 2019. When Visneski was hired in May 2017, there was no information security department, and his job over the last year and a half has been to stand up Pokémon Company’s security team from the ground up.
“So that’s everything from getting our minds around our security architecture, to hiring a team, to vendor management and sourcing. My team is responsible for our corporate facing IT platforms as well as customer-facing platforms – and in the middle of that year and a half journey, GDPR happened,” Visneski explains.
Scaling, security and privacy
The Pokémon Company opted to use Amazon Web Services (AWS) to scale up and keep pace with demands.
“It really is elasticity; in terms of spinning up instances and spinning them back down at a rate that keeps pace with demand and availability. That is really a game changer for us – so AWS has been a really good partner in that respect,” says Visneski, who adds that the company’s journey with AWS was to do with scale, capability and enabling the business, while another partnership, with cloud-based machine learning analytics company Sumo Logic, was to augment that relationship and turn a huge amount of data into something that the organisation could use to drive decisions.
“That’s not just from a business or operational perspective, but from a security perspective. Sumo helped my security team to integrate a lot of the tools and alerts we had, and we realised we could also use it in operations and business intelligence – slowly the company is addicted to using Sumo just as much as we were to leveraging AWS,” he says.
Sumo was picked ahead of other vendors, partly because of its approach to partnering.
“In the past, a customer would go to a vendor and say: ‘Here’s my budget. I want you to come in 15 per cent under it and give me the world.’ I think that sort of relationship is over. Now, just as much as Pokémon want to be in partnership with a business that has a vested interest in seeing us be successful, I think vendors like Sumo want to be in business with customers that have a vested interest in [them] being successful.
“The way that relationship works is with transparency, being open and honest about what road maps look like, understanding what your challenges and shortfalls are, and when we were in the hunt for this particular part of the architecture, it was important for me to find an organisation and vendor that took that sort of relationship seriously,” Visneski says.
The partnership is also changing the way that the security team is viewed within the Pokémon Company.
“Security teams are going to be more integral parts of any business and be seen more as problem solvers and innovators than in the past. The reason for that is usually they are thought of as slowing down the teams, and we want to turn that on its head by thinking of security professionals as problem solvers first and security practitioners second,” Visneski says.
“What I mean by that is that we’re typically asked to give the red light or green light decisions, meaning we’re in the conversation and because we’re the owners of Sumo in the organisation, it positions us really well to look across the user base and figure out interesting ways to correlate data across the business in order to make better decisions,” he adds.