For the CISO of any large or complex organization, being able to equitably implement security controls across a highly distributed enterprise – ensuring that no division is underserved or overlooked – is no easy task.
And it doesn’t get bigger or more complex than Walmart, the world’s largest company. The mammoth, $572.8 billion retailer operates roughly 10,500 stores, plus various ecommerce websites under 46 banners in 24 countries. Beyond retail, the company bleeds into additional industry sectors, including manufacturing, health and finance. And its own in-house technology division, Walmart Global Tech, could be its own Fortune 500 company.
Now imagine what it’s like being tasked with securing this behemoth and all its diverse IT, OT and IoT-based environments through a mix of people, process and technology.
Fortunately, we don’t have to fully rely on our imaginations. Rob Duhart Jr., vice president, deputy CISO and eCommerce CISO at Walmart, spoke with SC Media about how Walmart systemically allocates its security resources across its vast empire. While not going too heavily into details, Duhart hinted at some cyber strategies and initiatives that the company may elaborate on further in the coming weeks.
Thanks for joining us today, Rob. Would you like to briefly introduce yourself and your role?
Rob Duhart: I serve as the deputy CISO of Walmart, and have a blast doing so. My job is to support Jerry Geisler, who’s our CISO; support the organization and how we run it; and think about the future. What does infosec look like in 2025 and beyond? And then also to execute securing our ecommerce capability and platforms and all that that entails. So, lots of interesting things. Really love my day to day.
If there’s a prevailing cyber philosophy that exists across your entire enterprise, what is it?
First, trust is essential at Walmart. Our customers trust us to deliver. They come to our stores, they come to our sites to buy and receive goods, services. And those services are constantly evolving. So we need to be able to have trust at the center of that relationship with our customers.
I think being intentional [about cybersecurity] is a huge part [of that.] Within our various business units, regardless of whether it's health or financial services, [it’s about] being intentional about cybersecurity across the enterprise, and doing so in partnership with our technology and business partners. We're the driving force here in infosec. But quite frankly, we need all of our 2.2 million associates to understand why security matters and why everyone needs to be involved in safe cybersecurity practices.
This concept of maintaining cyber equity across your entire organization seems like a natural extension of the mission of Liberas, Inc., a company you founded several years ago (and still advise). According to the organization’s website, Liberas was to provide “businesses and societies globally with equitable access to critical infrastructure cybersecurity technology.”
It’s a great point. Our [four] guiding principles here at Walmart [are] to be a trust champion, to be a business enabler, to focus on security excellence and to have a proactive approach. Without a doubt, we believe that we are stronger together. And so finding ways to partner with people and organizations to deliver that trust to our customer is huge. So I would agree with you – these principles are fantastic. They preceded me. I don't want to pretend as if I built them, but they're very much the essence of everything that we do.
What are the most important attributes to have in a cybersecurity strategy to ensure that it can be deployed across a multifaceted organization like yours? Scalability? Repeatability? Efficiency?
Scale does sometimes create unique challenges that add complexity, especially for a global team that has a diverse portfolio. But we really focus on two things: One is business enablement, which is to understand where the business is going, and help ensure that they're choosing and making the secure choice – if possible, the first time. And how do we make sure that we're delivering that trusted experience to our customers?
And the other piece is, understanding your purpose. Simon Sinek has a famous book, and it talks about the “why” and how the “why” matters so much. And one thing that seems to work really well for us is making sure people understand our shared and our communal “why” across the globe: "Save money. Live better." And then delivering these trusted experiences to customers all over the globe. That “why” is really powerful, and it really helps us as we work to enable the business.
You mentioned understanding where the business is going and making sure that your cybersecurity projects align with that. What’s your strategic approach to accomplishing this task?
We absolutely are taking a business-aligned security approach. Many organizations [use a] BISO. We actually prefer to call it a Business Information Security Partner (BISP), which really highlights that enablement portion of what we're talking about. It's not even that we're “officers,” per se. No, we're here to help the business accelerate their ability to securely deliver – and our partners work to do that. We're focusing this year on our health and wellness business and our e-commerce business, and hope to scale that moving forward.
I think a second program that's worth mentioning is our investment in training and behavior awareness. We do this at all levels of our organization. In the U.S. alone, we train over 1.2 million associates on best practices each year. To put that in context, if they all lived in the same city, that would be the 10th largest U.S. city. So we're really proud of the various ways that we provide this type of background to our associates, in addition to our specific focus on partnering with the business.
Let’s go back to one of the first things I asked about, which is the challenges of implementing various cyber initiatives across such a highly distributed, highly diverse global organization. You operate in multiple countries that are subject to different security and privacy regulations, and have workspaces featuring a mix of IT, OT and IoT environments. How do you balance all of that?
You just hit on one of the biggest selling points of our Business Information Security Partner program, where you can dig deep and focus where you need to focus in the areas unique to the business – but you have a broad security exposure and connection so that you can take care of what is more standard. How do you do both? And I think most organizations around the globe are trying to find that balance. We're proud of our ability to do that with BISP.
Increased use of data and technology in retail really makes trust essential. And because we have such a diverse and skilled workforce in different areas, the discussion I had with you about security awareness serves as a really good example. Because there are several ways that we do this. Whether you're a store associate or you're a warehouse associate, what it means to have a security centric mindset may look a little different.
We have a very diverse employee base, and so our ability to reach them has to also be diverse. So we do the basic things like phishing simulation and training. But we also reach out to our associates using all kinds of resources that are internal to try to reach everyone from the executive, to someone working a register, to someone working inside of a distribution center. Being able to have that expanse and that breadth is so huge, because we truly are stronger together, and that is an essential component of this campaign. I would argue leveraging this associate population makes us safer and is a huge asset in our journey of delivering trust across the enterprise.
Security awareness training goes toward the “people” portion of the people, process and technology framework. What has been your focus on the process and technology fronts?
When you think of the CIA triad – confidentiality, integrity and availability – we leverage a host of technical and process-related capabilities to drive and mature that. We’re really proud of what we've done – both what existed before I arrived and a lot of what we focus on today. I don't want to highlight any one particular area. We're pretty evenly investing across the portfolio, but you said something that really stood out to me that I think aligns highly with what we believe, which is that understanding and shaping and framing the behavior and the culture of people is one of the best tools that we have.
There are technical tools [and strategies] that matter, no doubt – zero-trust being one, identity is another. But we really believe that our people are our greatest asset, and that our energy in delivering that trust to the customer through those people is the best way for us to protect. I've heard it said – not by me but by others – that the best technology won’t stop someone from clicking a phish. And so enabling people to understand what threats look like – being able to spot a phish and identifying what the behavior should be – is huge for us, and we're seeing positive trends year over year. Not only are associates spotting these types of malicious threats, but they're reporting them as well, which helps us further protect our systems from malicious actors… And [we’re] automating that loop as much as possible so that the time between identification and blocking is faster.
I know you didn't want to necessarily focus on any one particular cyber process or tech initiative over another because they're all important in their own way. But can you give me one recent example?
Not recent – this is something that's been ongoing – but something I can talk about is… we're really focused on building a security-centric organization. And part of the way we do that is by leveraging red team simulations to test our own defenses. We have a lot of success and skill sets in that space. We're really excited about the progress that we've had. Without getting into specifics, we're really proud of our ability to leverage our red team to ensure that our defenses are where they need to be and we can deliver that trust consistently across the digital and physical ecosystem.
Since you're taking such a strong workforce focus today, I’ll ask a cyber workforce-related question. In order to equitably provide security resources across such an expansive business, you need adequate human resources to support that goal. We know it's a challenge throughout the entire cyber industry to find talent in the cyber space. What are you doing to make sure that you have the necessary internal talent to keep your cyber machine running?
We are currently hiring for a host of roles in infosec, and we feel really fortunate to be in a position to continue to focus on our growth and building and growing the world-class team that we have. There are several digital transformations happening at Walmart today. And we all know that each has a major role to play in enabling that transformation. And we're excited that security continues to be an integral partner to the tech teams and the business teams.
If you go to the website right now, you can see that we are hiring. We're excited to be doing so. And we're really glad to be hopefully building one of the most successful diverse, talented teams in infosec.
E-commerce security comes with its own unique sets of challenges. How big of a focus for you are issues like account takeover, fraud and site bots?
You hit one of my favorite topics – bots and ATO. We do have a significant investment in that space and I think some of the best teams in the world there… That happens to be one of the teams that I'm responsible for…
We spend a lot of time trying to make sure the right people get their hands on the right things regularly. And that's a big part of what it means to secure our e-commerce space… What's the point of having 10,000 stores if someone can’t go to your website and see what's available?