Securing the world’s largest private employer, with more than 2 million people worldwide and an ever-expanding IT environment, is a daunting challenge, but that’s exactly what Jerry Geisler is tasked with doing.
Geisler stepped into the global CISO role at Walmart Inc. in January. An employee since college, Geisler had worked his way from the retail floor to the corporate offices. Once there, his personal interest in technology dovetailed with growing responsibilities in forensic investigations and fraud at the Bentonville, Ark., retail giant.
With Walmart’s digital transformation and retail expansion into 27 countries outside of the United States, a lot has changed in 20 years. In this interview, the new Walmart CISO talks about retail IT security then and now, top risks the retail giant is concerned about today and the company’s new strategy to find tech talent.
Editor’s note: This interview has been edited for space and clarity.
How big is the infrastructure that you are managing, as the global Walmart CISO?
Jerry Geisler: It’s quite large. If we just look at IP addresses, we are into the millions. If we look at endpoints or server assets, we are certainly into the hundreds of thousands. How are we going to assess that as an information security team? It is always going to be a multipronged approach; we are not going to rely on one methodology or one review to tell us what we believe the security posture is across our IP estate or across our technology footprint.
One example would be how we have matured our vulnerability management program over the years. When we first started down the path of vulnerability management, for our scanning program, we were somewhat constrained in terms of what was possible because of network speeds and, really, the available tool sets. My challenge to our team was, ‘We are looking at the environment or a portion of the environment on a quarterly basis; we need to be looking at the entire environment on a daily basis.’
By throwing down what was probably seen at the time as an unachievable objective, it really got them thinking differently about how to approach that challenge. They started to review our architecture and the tools that we were evaluating our environment with. And, today, we can scan 1 million IP addresses in about four days. We haven’t made it quite to where I challenged the team to get to, but we have moved forward leaps and bounds in terms of understanding what our environment looks like at any given point.
Of course, if you are scanning a million IP addresses every few days, you also have to be able to ingest the output from those continuous scanning numbers. So, we have built entire practices or entire teams around segments of that practice. We have teams that are responsible just for scanning and ingesting the scanned data, and [we have] teams that are responsible for evaluating and prioritizing — with the help of some algorithms — what that risk really looks like. We have developed roles within those practices that we refer to as our ‘cyber actuaries.’ They’re really trying to determine, ‘What is the real risk of this vulnerability to the organization?’ And it’s not just focusing on numbers. If we have a Microsoft Patch Tuesday, and we have maybe 50,000 instances of a vulnerability, but it is not exposed to the internet, that may not be as significant a risk to the organization as a vulnerability that is exposed.
And then we have an entire separate practice to drag the vulnerability’s [overall assembly] across the organization by system owner and application owner. When we started that, one of our challenges was identifying who owns what and where it exists. So, we started aggregating approximately 30 different data sources to tell us as much as we could possibly learn about every asset within our environment, and that moved our percentages, in terms of knowing who the system and application owners were, from a relatively low percentage to well beyond 95% of endpoints. We know exactly where that system is and who is responsible for it. And the remaining 5% is just driven by organizational churn or people who are changing roles, handing the systems off to other teams and things along those lines.
Many retail companies struggle with data segregation and network segmentation. How are these types of decisions handled at Walmart?
Geisler: In terms of data segmentation, yes, we absolutely have data schemas where we have defined what we would consider highly sensitive data versus sensitive data versus other data. Within those categorizations, we have stratified other data types, such as ‘payment card,’ where we are building or architecting segments of our environment around that type of data.
Walmart was a very early adopter of technology, and it did have some technical debt, like any organization has. But if we look at our environment today, we certainly prioritize a segmented strategy — not only from networks, but also applications and data types, along with the appropriate data access controls around those environments or data types. And that work will never end, candidly, because technology is always building for the new business demands. We are always evaluating where we are creating new instances of data storage: Do we have it appropriately segmented? Do we have it appropriately protected?
We will regularly test that security posture from offensive operations from both our internal and external red teams. We’ll leverage our tabletop practices to identify our point-of-sale environments to ensure that they are appropriately configured. We will leverage what we call our dynamic defensive engineers in our security operations center to ensure that we have appropriate visibility into new environments. We have security risk and compliance reviews that really look at anything new to ensure that we are adhering not only to reference architecture standards, but also all of our security policies and the underlying standards that support those policies.
As the new Walmart CISO, but also as someone who has been at the company a long time, are you primarily focused on ongoing initiatives? Are there any new projects that you are hoping to roll out, perhaps, around mobile web and payment systems?
Geisler: In terms of security initiatives, we are going to focus a lot on the things that we have already talked about: Do we have appropriate segmentation where we need segmentation? Do we have encryption deployed in terms of data in transit and data at rest and everywhere we would be building new models? An example of that would be, as we migrate into cloud, determining what the security stack needs to look like for a [service organization control] SOC-defined security stack, recognizing that as technology innovates and new models emerge, the security industry as a whole tends to lag a little bit behind. It’s re-evaluating the stack that we have in place today and [looking at] what new tools we may need to bring in to cover those gaps in the cloud so that we are not allowing our security posture to erode.
Looking at the user experience is fairly high on our priority list — the modernization of our authentication service to provide a friction-free and seamless experience for our users as they navigate from application to application or from environment to environment in a way that maintains that security posture that we believe is necessary to mitigate the risk.
When we look at our environment overall, where we see risk coming from really hits in three big buckets: user credentials, our security posture and whether we have an exposed or exploitable vulnerability. We are constantly evaluating how effectively we are managing those user credentials, and the hygiene or health of our environment and our related security, and effectively identifying and churning through that vulnerability portfolio.
We’ll also take breach scenarios that we see throughout our industry, and we’ll run those breach scenarios across our environment. If this breach scenario unfolded here at Walmart, how well would we fare? And [we’ll] try to identify gaps or places where we would be vulnerable and try to identify plans around how we would mitigate that and then execute against those plans. The real key for us is visibility [and] never allowing the organization to build environments that we cannot see, meaning that we cannot effectively protect, and we would start to have that security posture erode.
And it’s not just about the new. There are always new projects that technology is driving, and we are going to be hand in glove on gains across infrastructure and applications. But it is also, to a large degree, having to do with the current operating environment. One of the things that I am always pressing my team on is: How do we know that what we believe to be true remains true? The last thing that I want to have occur is a security incident, and I’m going through it with our teams and I ask, ‘Well, how did that happen? Because I thought we had a certain control in place.’ And for the team to say, ‘Well, there was a change control some time back, and we didn’t realize that it degraded our security posture.’
So, I’m always pressing on the teams: Don’t take anything for granted. Don’t assume that the controls that we put in place are still there. Let’s constantly validate what we believe to be the security posture of our environment, taking the approach that we can never be satisfied. Not in a way that is demoralizing and demotivating to our teams and our talented engineers, but in a way in which we won’t allow ourselves to rest on our laurels. Learning from others, from what we see in the industry, constantly challenging our impressions of our environment, looking for ways to deliver against the mission. The company depends on us, and our customers depend on us to deliver day in and day out.
Jerry Geisler, senior vice president and global CISO, Walmart Inc.
You were talking about the importance of visibility, and that is one of the main concerns in cloud. How is Walmart approaching that issue?
Geisler: We work very closely with our vendor partners, and the cloud model is starting to emerge as a viable model. We were not comfortable with the degree of visibility that we had into the [cloud] environment or the tools that were available within those environments, or even the tools that we can deploy into those environments. So, over the last three years, we have worked very closely with those providers and have seen them move forward by leaps and bounds by not only what we can deploy into the cloud, but what the providers can offer to us within those environments.
When we first started on our cloud journey, the security department really drew a line in the sand that, ‘Hey, we can’t put highly sensitive workloads in the cloud, because we can’t see it well enough.’ And even if it is perfectly configured, it still represents a blind spot to us. Now, we know that things aren’t always perfectly configured, so we had to closely watch configuration management. We had to figure out: How do we scan those environments effectively? How do we get visibility into those environments? And as those capabilities have evolved and improved, we have come to a point where we will allow more sensitive workloads into our cloud environments. It didn’t happen overnight. It was absolutely a journey to get there. And what I would say is it’s not where an on-premises enterprise stack would be; it’s to the point where we can get commensurate visibility to what we would expect to have on premise versus the cloud environment.
How does Walmart, especially with the growing online segment, apply ‘trust, but verify’ to third-party partners?
Geisler: It depends on what it is that we are going to be sharing with them, or what they are going to be hosting for us; that really dictates what types of certifications we are going to be looking for from those organizations or what type of assessment we are going to conduct. Then, based on what we learn out of those assessments, we are going to come back to the business or the technology team that is looking to transact with that particular third party with a recommendation. And the recommendation may require mitigation or remediation on the part of the third party. There may be a risk advisory for our internal partners.
Walmart has opened several tech centers. One opened in Plano, Texas, in March, and there’s been some discussion of internet of things, machine learning and other projects. Will any of those projects tie into security?
Geisler: Certainly. When we ultimately evolve to a point where we expect to deploy it into a production environment and gain some business value, we will be engaged in it. The opening of the tech centers is as much a location strategy to tap into other markets that are rich in tech talent. To include security, we intend to use some of those centers to expand some of our own practices in terms of recruiting the talent that we need at Walmart.
Are you worried about attackers’ use of machine learning and artificial intelligence? There’s been a lot of discussion in the security industry about these technologies being used by threat actors.
Geisler: As the capabilities for those technologies evolve, certainly, it is not beyond reason to expect that adversaries will leverage those things to attack organizations. And my view on it is, as we start to turn that corner, then organizations will defend themselves using the same type of technology.
When you look at our SIEM solution that is collecting all of the events for us around the globe, we have to leverage some degree of machine learning to understand what is occurring across the environment, and we also leverage it to evaluate when we have events that aren’t necessarily managed automatically by one of our security layers, but are nascent to one of our engineers. [We look at] how they are responding, and then compare it to how peers have previously responded to similar events so that we can understand at the human layer what the efficacy of our response is. Do we have a training opportunity because somebody found a better way?
There is an event called the Cyber Grand Challenge; it’s put on by DARPA, and they demonstrated in last year’s event how an autonomous system could defend itself. And it was really fascinating to watch, because these systems were completely air-gapped from human intervention. Three of the systems were instructed to identify vulnerabilities on a target system and attack and exploit them. And as the systems did that, they were actually identifying zero-days that hadn’t been previously known, and they were exploiting this attack surface.
At the same time, the system that was tasked with defending the system was able to identify those attacks, mitigate the attacks and then ultimately start proactively looking for the attack surface itself and fixing things before they could be exploited. It was really cutting-edge. Certainly, it’s nothing we would expect to see at a broad scale at this point, but it did open that door to say, ‘Here’s what is possible.’ I believe that as you see these types of tools become more broadly available and accessible where they are used for various purposes, the same technology will be used to defend against those that have malicious intent.
I’m sure you’ve followed some of the General Data Protection Regulation and data privacy issues that have emerged regarding Facebook and other companies. Is Walmart capturing a lot of data? How is that data being used or secured?
Geisler: Our privacy practices fall to another office; I can speak to it to some extent. We publish our privacy policies where consumers are concerned, and we are very clear on what data we collect and how we would utilize it. And, certainly, Walmart has collected a considerable amount of data that is driven by our retail operations. We are looking to capture that omnichannel consumer experience. Walmart’s mission of helping people to save money and live better is truly at the heart of the company. And saving money may not only be found in price point; it may also be found in how we’re going to make that weekly shopping trip much more efficient for you as a consumer to give you that time back to apply to other priorities in your life.
What do you think about the consumer data privacy issues that are being discussed around Facebook?
Geisler: Certainly, there’s been an ebb and flow in terms of customers or even what certain generations feel about privacy and how their data is used. I think you are seeing the cutting edge of that in Europe with the right to be forgotten where consumers can say, ‘I don’t want you to track me; I don’t want you to save things about me.’
As a security practitioner, my bias is less data is better, because if we have security incidents, we have less data [that can be exposed]. Obviously, businesses may look at that quite differently in terms of, ‘We want data so that we can understand that customer.’ And I’m not talking for Walmart here, I am talking just in general. It goes back to exactly what Facebook is doing; they are looking at, how do we gain insights through that data? Personally, I tend to skew more toward privacy and the individual rights, so I think it is a conversation that society at large needs to have [about] where people are able to make the choice of how their data is used.
Learn more about Geisler’s career path and how it led to his role as senior vice president and Walmart CISO in part one of this interview.