
Does Walmart’s cyber strategy honor Sam Walton’s 10 rules of business?

The following is Part 3 of a three-part series revealing key highlights from Walmart Global Tech’s Media Day, compiled from a series of on-site tours, fireside chats, panels, roundtables and one-on-one interviews.

The Walmart Museum in downtown Bentonville features a room full of memorable items and fun facts on display — everything from co-founder Sam Walton’s Presidential Medal of Freedom to a series of products returned for ridiculous reasons (including a kitchen mixer that was apparently possessed).

But one of the most meaningful exhibits is Walton’s 10 Rules of Building a Business. And so we at SC Media decided that at Walmart Global Tech Media Day, we would ask four leading WGT executives how closely their approach to cybersecurity aligns with “Mr. Sam’s” 10 retail commandments.

Sam Walton's original Walton's 5-10 store in Bentonville, Ark., is normally home to the Walmart Museum — although the museum's exhibits have been moved to a temporary location while renovations are underway. (Bradley Barth/SC Media)

Jerry Geisler, senior vice president and global CISO

Geisler began by sharing with SC Media why this was the right time for Walmart to offer the world an inside look at the company’s efforts in IT and cybersecurity innovation, and how infosec has changed over his 30-plus-year career.

We then asked him about Sam Walton Rule #9: Control your expenses better than the competition. Does that philosophy actually apply to cybersecurity innovation, which can often require a heavy financial investment? According to Geisler, it can, as long as you take a business-aligned approach.

“Where we have found a need to go and do something beyond what we had planned to do that year, we do exactly that. We build a business case,” he said. “And we have almost always, I would say, found that we have the support from the organization to do what we need to do.”

Sam Walton's "10 Rules for Building a Business" on display at the Walmart Museum. (Bradley Barth/SC Media)

We also inquired about Rule #10: Swim upstream. Go the other way. We asked Geisler what WGT’s biggest differentiator is compared to other private-sector cyber organizations.

“It comes down to our culture,” said Geisler. “… One that empowers people to have a degree of autonomy where they feel like they can go and think about the hard problems and bring forward ideas and innovations. And we’re very supportive of our engineers and associates doing exactly that. And, candidly, some of what I think are our strongest capabilities, have come from exactly that — from our engineers on the teams, solving challenges.”

Geisler also addressed how Walmart is accounting for an ever-increasing attack surface as the company experiments with innovative new concepts like the Metaverse, delivery drones and automated trucks.

“The things that create value for our business very often create risk in our space. And that’s OK,” he said. “We want the company to be able to pursue things that create value, but we want to move forward in a way that’s fully informed.”

Rob Duhart Jr., vice president, deputy CISO and CISO eCommerce

Citing Sam Walton Rule #6: Celebrate your successes, we asked Duhart what recent achievements in the field of e-commerce security he would like to celebrate. In response, he reported significant victories against malicious online bots (8 billion of which are blocked per month on average).

“We had a phenomenal delivery of some technology that we’ve been working on for some time,” said Duhart. “We have a stack that exists to protect our customers … and we made some additions to the stack over the year that you never really know how well it’s going to go until holiday comes and you have many, many, many transactions going through the site. We did phenomenally well.”

Next, we followed up with Sam Walton Rule #8: Exceed your customers’ expectations. We asked how Walmart plans to accomplish this goal in terms of winning over the digital trust of its customers. The bottom line: the proof is in the pudding.

“Day in, day out, hopefully by having systems that are available, that do what they’re supposed to do when they need it. … I think we can earn that trust,” he said.

Finally, we addressed Rule #10: Swim upstream. Go the other way. Duhart shared how WGT applies this philosophy by acquiring and developing talent through its Live Better U program, which gives associate-level workers a pathway to earn degrees in topics such as cyber so they can forge new career paths.

Duhart also offered some insights into how much Walmart relies on its own proprietary, customized cybersecurity toolsets vs. off-the-shelf solutions.

“There are not many customers that have the types of needs that we do. And it isn’t really realistic for us to go out into a marketplace and find exactly what we need. So very often we either take existing and modify or we start from scratch,” he explained.

Jason O'Dell, vice president of security operations

A bust of Sam Walton (1918-1992), co-founder and former CEO of Walmart. (Bradley Barth/SC Media)

O'Dell offered some insight into the fictionalized ransomware incident scenario that was presented to the media during a tour of WGT’s security operations center, noting that it was meant to demonstrate “how different teams within a [SOC] would work together” to “provide inputs and outputs to each other.”

O'Dell acknowledged how this constant communication among SOC teams — and business stakeholders, as well — when a threat emerges aligns nicely with Sam Walton’s Rule #4: Communicate everything you possibly can to your partners, and Rule #7: Listen to everyone in your company.

He also explained the benefits of incorporating what was once a more isolated red team into Walmart’s SOC operations so that its members could perform more collaborative purple teaming.

“There was more transparency and communication and they’re driving each other to become better, which is very important to us,” said O'Dell. “In addition, it gave the red team the opportunity to work more closely with our cyber intelligence team.”

O'Dell also shared his perspectives on Sam Walton’s Rule #6: Celebrate your successes, and Rule #10: Swim upstream. Go the other way. One cyber intelligence success worth celebrating, he said, was Walmart’s major contributions to several open-source projects: ViperMonkey, which is an emulation engine that can analyze malicious VBA macros contained in Microsoft Office files, and Atomic Red Team, which allows users to test their environments against a library of simulated attack methods.

Melissa Yandell, senior director of identity and access management

Yandell addressed how IAM ties in with both Sam Walton’s Rule #5: Appreciate everything your associates do for the business, and Rule #8: Exceed your customers’ expectations. After all, IAM should provide a painless user authentication and verification experience for associates and customers.

To that end, Yandell said the IAM team pilots different concepts by going to the stores to work directly with the associates.

“And we will … walk through a day in their life and understand how they are using the applications, or how they are using that sign-on experience and get feedback and then come back and evaluate how we further improve that experience,” she said.

Yandell also addressed Rule #10: Swim upstream. Go the other way. She noted how Walmart is always looking for new and better ways to do business — and on the IAM front, that includes experimenting with passwordless and zero-trust principles.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
