BENTONVILLE, Ark. — Walmart wants to be “the world’s most trusted retailer,” Greg Schaffer, a legal executive at the retail giant, said to a handful of journalists seated inside a largely empty hall at the company’s corporate office.
The reporters, Cybersecurity Dive included, sat with our breakfasts — catering that could have fed 50 — to listen to a formal, choreographed fireside chat between Schaffer, the company’s chief counsel for cybersecurity and VP of digital trust compliance, and Jerry Geisler, SVP and CISO, about what trust means at Walmart.
It was a talk that would have found a home at any technology conference and the first of many held during Walmart’s showcase of its security operations in mid-January. The conversations with more than two dozen members of its security staff and a tour of its facilities illustrated the scope of Walmart’s cyber operations and why it cares so much about security, even if its customers won’t notice.
“I’m biased — cybersecurity is always top of mind for me, but I know not everybody has that same perspective,” Geisler said in conversation with Schaffer.
“If it is top of mind for a customer, then I want them to be able to look at what we’re doing and have a high degree of confidence that we are meeting the commitments that we have made to them in terms of how we are going to protect their information,” he said.
If security is not a priority for a customer, Geisler said, Walmart still wants customers to trust it will do what’s right.
Many businesses don’t make security a priority until it’s too late. The costs of cybercrime damage are expected to reach $8 trillion this year, up from $6 trillion in 2022, and the World Economic Forum is warning of the potential for global instability following a catastrophic cyber event.
Yet, continued investment in business cybersecurity is not guaranteed as the market navigates a downturn.
In an era where breaches are the norm and consumers grow apathetic to privacy, an emphasis on security and trust goes underappreciated. Fines imposed by the Federal Trade Commission or the European Union’s data privacy efforts do little to change enterprise treatment of data. Repeat offenders say they are investing in cyber, but additional spending does little to show security cultures can change.
For Walmart, its seriousness about security is depicted through its scale. Its cyber hubs have a global footprint, allowing Walmart to run security operations 24/7/365 with the help of shift work and time zones (a security operations center in Bangalore, India complements the schedules of U.S.-based security staff, for example).
Those SOCs process an average of six trillion data points each year — data Walmart internalizes and shares with the broader security community. The company also operates a fully accredited forensics lab to aid data recovery, complete with a clean room, specialized X-ray technology and hot-air soldering. And a tour of one of its data centers, where rule-enforcing staff flanked curious guests, illustrated operational redundancy.
There’s little room for failure, just failover.
Walmart does not share information on how much it spends on cybersecurity, nor does it say what percent of its 20,000 Walmart Global Tech employees — responsible for operating the retailer’s foundational technology — work in infosec. A tour of Walmart’s facilities only hints at the scope of its operations, but an up-close look indicates few companies could independently run at such scale.
Walmart’s cybersecurity is not just a best-in-show example. It may be the exception.
That’s not to say Walmart’s approach to security is unattainable. Rather, what sets its operation apart is how the retailer has fine-tuned its security focus. In the face of a steady stream of threats, knowing exactly what to prioritize and what can wait is a technique businesses can emulate.
Behind the screens
From an outsider’s perspective, Walmart Global Tech facilities offer all the bells and whistles of a world-class security operation without the shiny objects of Silicon Valley perks. On-site, there were no scooters, though a trampoline complete with safety nets stood vacant in the corner of one room.
Badge access points and layers of locked doors offered a clue of where physical security met the digital, despite remote or hybrid work options.
The retailer is facing the same obstacles as other companies when it comes to talent: the demand far exceeds the supply of cyber workers, a growing gap that now encompasses 3.4 million openings.
Walmart has a leg up on many organizations in terms of resources. It brought in $572.8 billion in revenue in fiscal year 2022, and it has a $24.2 billion operating cash flow. But the tenure of its security organization adds the heft of institutional knowledge.
The information security department has well over two decades of history with roots that predate the highest-profile attacks that marked sea changes in industry, whether that’s the 2014 hack on Sony or the 2015 power grid attacks in Ukraine.
“Our experience has been that because the company started investing in this space over two decades ago that we’ve had the advantage of growing and evolving and maturing programs as the company has grown, evolved and matured and moved into businesses,” Geisler said.
“That has put us in, I think, the enviable position of having a seat at the table for a long time, to be the trusted partner of our business, and to help guide against missteps,” he said.
Walmart’s security operations have earned it industry clout, and with that comes the ability to attract experienced talent. Pedigrees marking time spent at Google and JPMorgan Chase, alongside other Fortune 100 companies, were sprinkled among its roster of speakers.
Reputation aside, Walmart’s Live Better U program, which pays 100% of college tuition and books for employees, is aimed at creating a tech talent pipeline, supporting programs in areas including cybersecurity and information technology.
Retention, too, factors into its talent strategy. Inside Walmart’s corporate office, it wasn’t unusual to see years-long tenure with badges proudly declaring time spent in five-year intervals. One expert, Justin Simpson, began his career at Walmart fresh from college more than a decade ago and now serves as a director of data security, with quantum and crypto as part of his purview.
Top of mind for his work is post-quantum cryptography and making sure Walmart has the right security processes in place in the event that a quantum computer is realized.
Like Simpson, some experts and specialists at the company are dedicated to the future, no matter how far off it may seem. Others lead identity and access management or cloud security. Bots are another specialty, aiding the company’s defense-in-depth approach to ensure customers can purchase the goods they want.
On average, in a single month, Walmart can block 8.5 million malicious bots.
Far from the generic, harried infosec workers of internet meme fame, each person has a highly specialized role. Every detail of computer engagement — whether corporate staff, store associates or customers — is thought out. Nothing is left to chance or neglect.
Outside the network
Walmart does not silo its security prowess. It works with external information sharing and analysis centers, sharing intel that relates to threats inside and outside its networks.
Walmart works in tight unison with its partners in the National Retail Federation, VP and Deputy CISO Rob Duhart said during a lunchtime roundtable discussion. “We win together.”
NRF and the Retail & Hospitality Information Sharing and Analysis Center strengthened their collaboration earlier this month to better combat malicious cyberattacks and protect customer data. RH-ISAC found the majority of CISOs, 70%, expect their budgets to increase this year.
Walmart does its “best to continue to partner with our regulatory bodies as well, to make sure that they’re learning from our experience,” Duhart said.
There’s a layered approach to how it views external networks. Where most organizations refer to it as third-party risk, Walmart’s external party risk encompasses the threats at the fourth, fifth, sixth level and beyond. To each, it offers empirical risk measurements too.
Working across its security operations and partnerships teams, “we’re able to prioritize how we attack certain risks in the environment,” Russ Buckley, senior director, risk and compliance, said during a roundtable. Beyond labeling something as generically risky, it can use an internal number to help the business quantify where to invest people or budgets.
“In doing so it allows our business leaders to have an empirical number — not just a guess, not just my favorite friend told me — but they can actually have something they can go and look at and say, ‘This is what we want to do, make that decision,’” Buckley said. “That decision, in turn, supports how we provide all of our services to all of our customers.”
The industry-standard Common Vulnerability Scoring System (CVSS) goes through Walmart’s empirical analysis too, which allows the company to determine what risk CVEs could create in its environment.
That’s where threat intelligence sharing comes into play. Walmart has mechanisms in place to determine what risk a threat really poses. Even if a CVE doesn’t affect its networks, it can externally share how it may impact others in the industry.
“We contributed a lot to making sure that other people understand the risk as well and maybe why we’re not seeing that risk,” Buckley said. “And we have some influence on other organizations that may change their security posture based on, ‘Hey, Walmart wasn’t affected, but other companies were, maybe we should look at that.’”
It speaks to Walmart’s robust cyber intelligence program. It consumes information from commercial sources, just as many large organizations do, but it also procures its own threat intelligence.
“We have researchers that are doing things like looking at adversary backend infrastructure, understanding how those threat actors are pivoting,” said Jason O’Dell, VP of security operations, during a roundtable. “Sometimes as a byproduct of that we also see other organizations being targeted by those particular threat actors and we very quickly share that back to the community.”
Household name brand companies see a different attack surface than the average organization, Chris Silva, VP analyst at Gartner, told Cybersecurity Dive in a conversation last year about Walmart’s use of automation in security. “They’re always a bigger target.”
Brands like Walmart may see threats never before seen in the wild and sharing that intel can give other organizations a chance to respond.
Influence from above
Walmart has its own security orbit, and the gravity of that extends to the regulatory realm, where the company wants to help set the tone for what customers can come to expect with privacy.
There’s been a steady march toward privacy legislation at the state level, led by California, though a federal mandate is not in place. Those requirements are “pushing us in a direction that we’re already going,” Schaffer said during the keynote. When those laws come through, “sometimes it’s accelerating a roadmap that we have in place and that’s a good thing.”
“Our goal, again, to be the most trusted retailer, frankly, because we have some businesses that go beyond retail,” he said. The goal is to become “the most trusted company.”
It’s a high bar, yet one that Walmart has the resources to clear. In cybersecurity, one wrong move can take a toll on a company’s reputation, but Walmart has the mass to absorb it. Defense is a proactive effort and nothing across its networks is left to chance.
“We don’t necessarily focus as much on the scale of Walmart, because we’re just used to operating in a big environment,” Geisler said in an interview with Cybersecurity Dive during the last conversation of the day. “It’s just our state of existence.”