A first-hand look inside Walmart’s robust security operations


BENTONVILLE, Ark. — Walmart wants to be “the world’s most trusted retailer,” Greg Schaffer, a legal executive at the retail giant, said to a handful of journalists seated inside a largely empty hall at the company’s corporate office.

The reporters, Cybersecurity Dive included, sat with our breakfasts — catering that could have fed 50 — to listen to a formal, choreographed fireside chat between Schaffer, the company’s chief counsel for cybersecurity and VP of digital trust compliance, and Jerry Geisler, SVP and CISO, about what trust means at Walmart. 

It was a talk that would have found a home at any technology conference and the first of many held during Walmart’s showcase of its security operations in mid-January. The conversations with more than two dozen members of its security staff and a tour of its facilities illustrated the scope of Walmart’s cyber operations and why it cares so much about security, even if its customers won’t notice. 

“I’m biased — cybersecurity is always top of mind for me, but I know not everybody has that same perspective,” Geisler said in conversation with Schaffer. 

“If it is top of mind for a customer, then I want them to be able to look at what we’re doing and have a high degree of confidence that we are meeting the commitments that we have made to them in terms of how we are going to protect their information,” he said.

If security is not a priority for a customer, Geisler said, Walmart still wants customers to trust it will do what’s right. 

Many businesses don’t make security a priority until it’s too late. The costs of cybercrime damage are expected to reach $8 trillion this year, up from $6 trillion in 2022, and the World Economic Forum is warning of the potential for global instability following a catastrophic cyber event.

Yet, continued investment in business cybersecurity is not guaranteed as the market navigates a downturn. 

In an era where breaches are the norm and consumers grow apathetic to privacy, an emphasis on security and trust goes underappreciated. Fines imposed by the Federal Trade Commission or the European Union’s data privacy efforts do little to change enterprise treatment of data. Repeat offenders say they are investing in cyber, but additional spending does little to show security cultures can change. 

Walmart hardware recovery expert Wayne Murphy speaking during a tour of the company’s fully accredited forensics lab in Bentonville, Ark. on Jan. 18, 2023.

Naomi Eide/Cybersecurity Dive

 

For Walmart, its seriousness about security is depicted through its scale. Its cyber hubs have a global footprint, allowing Walmart to run security operations 24/7/365 with the help of shift work and time zones (a security operations center in Bangalore, India complements the schedules of U.S.-based security staff, for example). 

Those SOCs process an average of six trillion data points each year — data Walmart internalizes and shares with the broader security community. The company also operates a fully accredited forensics lab to aid data recovery, complete with a clean room, specialized X-ray technology and hot-air soldering. And a tour of one of its data centers, where rule-enforcing staff flanked curious guests, illustrated operational redundancy.

There’s little room for failure, just failover. 

Walmart does not share information on how much it spends on cybersecurity, nor does it say what percent of its 20,000 Walmart Global Tech employees — responsible for operating the retailer’s foundational technology — work in infosec. A tour of Walmart’s facilities only hints at the scope of its operations, but an up-close look indicates few companies could independently run at such scale.

Walmart’s cybersecurity is not just a best-in-show example. It may be the exception. 

That’s not to say Walmart’s approach to security is unattainable. Rather, what sets its operation apart is how the retailer has fine-tuned its security focus. In the face of a steady stream of threats, knowing exactly what to prioritize and what can wait is a technique businesses can emulate.

A look inside part of Walmart Global Tech’s security operations center in Bentonville, Ark. on Jan. 18, 2023.

Naomi Eide/Cybersecurity Dive

 

Behind the screens

From an outsider’s perspective, Walmart Global Tech facilities offer all the bells and whistles of a world-class security operation without the shiny objects of Silicon Valley perks. On-site, there were no scooters, though a trampoline complete with safety nets stood vacant in the corner of one room.

Badge access points and layers of locked doors offered a clue of where physical security met the digital, despite remote or hybrid work options. 

The retailer is facing the same obstacles as other companies when it comes to talent: the demand far exceeds the supply of cyber workers, a growing gap that now encompasses 3.4 million openings.

Walmart has a leg up on many organizations in terms of resources. It brought in $572.8 billion in revenue in the fiscal year 2022, and it has a $24.2 billion operating cash flow. But the tenure of its security organization adds a heft of institutional knowledge.

The information security department has well over two decades of history with roots that predate the highest-profile attacks that marked sea changes in industry, whether that’s the 2014 hack on Sony or the 2015 power grid attacks in Ukraine. 

“Our experience has been that because the company started investing in this space over two decades ago that we’ve had the advantage of growing and evolving and maturing programs as the company has grown, evolved and matured and moved into businesses,” Geisler said. 

“That has put us in, I think, the enviable position of having a seat at the table for a long time, to be the trusted partner of our business, and to help guide against missteps,” he said.

Walmart’s security operations have earned it industry clout, and with that comes the ability to attract experienced talent. Pedigrees marking time spent at Google and JPMorgan Chase, alongside other Fortune 100 companies, were sprinkled among its roster of speakers. 

Reputation aside, Walmart’s Live Better U program, which pays 100% of college tuition and books for employees, is aimed at creating a tech talent pipeline, supporting programs in areas including cybersecurity and information technology. 

Retention, too, factors into its talent strategy. Inside Walmart’s corporate office, it wasn’t unusual to see years-long tenure with badges proudly declaring time spent in five-year intervals. One expert, Justin Simpson, began his career at Walmart fresh from college more than a decade ago and now serves as a director of data security, with quantum and crypto as part of his purview.

Top of mind for his work is post-quantum cryptography and making sure Walmart has the right security processes in place in the event that a quantum computer is realized. 


