The retail sector relies on vast amounts of digital technology and complex third-party supply chains to serve customers.
The challenge of cybersecurity has therefore extended far beyond organizations’ internal networks, with attackers recognizing that widely used software products and third parties are often the most effective pathway to infiltrate high-profile targets in the industry.
Infosecurity Magazine spoke to Jerry Geisler, SVP and Global CISO at American multinational retail corporation Walmart, about cybersecurity management in the unique retail sector.
Geisler discussed approaches to managing cybersecurity risk across the retail giant’s vast estate of 10,500 stores and approximately 2.1 million global associates, as well as general sector challenges, such as incorporating AI safely and overcoming the cyber skills gap.
Infosecurity Magazine: What are the main challenges for Walmart in securing its vast estate of retail and e-commerce sites globally? How are these challenges approached?
Jerry Geisler: An advantage Walmart has regarding the size and complexity issue is that it was a very early adopter of information security practices. As a result, as the company and technology has evolved, information security has also been on that journey for nearly the past three decades.
That has allowed information security to keep up with the pace of change in both the business and technology environments in a way that has become second nature.
Walmart employs 2.1 million people, so figuring out how you drive a security culture across over all associates located in various parts of the globe is a huge challenge.
There are different cultures, different levels of companies, so you have to curate customized security awareness training because the messages need to vary slightly depending on your role within the company or where you are in the world.
I have a team dedicated to driving security culture and awareness and managing those training awareness programs that we run around the globe.
IM: What are the unique supply chain security challenges for retailers, and how can this risk be effectively managed without impacting efficiency?
JG: We have a technology supply chain risk, like all companies that leverage technologies. As a retailer, we’re also looking at the retail supply chain that replenishes our stores. Therefore, we have the potential for disruption in both of those areas due to cybersecurity events.
With our technology supply chain, we pay very close attention to companies that have security issues and want to quickly understand if those security issues have an intersection point with our environment or business processes. Typically, we have a process that we go through with new technology suppliers where we’re assessing their security capabilities and posture.
If they have a security event, we will follow-up to make sure we have a deep understanding of what the event was and any implications there might be for Walmart. If there are, we will act accordingly.
Where our merchandise supply chains are concerned, most of the mitigation of potential issues falls to our merchant teams. Our merchant teams are well versed in managing supply chain and logistical challenges through the normal course of the flow of goods. Whatever it might be that disrupts those flow of goods, hopefully the playbook’s going to look very similar, with contingency plans or alternative suppliers to ensure we’re still able to receive the goods to replenish our stores.
That said, we will often engage with a product supplier if they have a security issue. This is because they may not have an incident response capability or an incident response company on retainer, especially smaller companies.
It’s in our interest as members of the business and information security communities to help suppliers through cybersecurity issues. Therefore, we often engage with companies that have had some kind of security event to consult or sometimes actually help them get through the issue and restore their operations.
IM: How is AI impacting cybersecurity, particularly since the availability of generative AI tools? How are you utilizing AI in your security team?
"We will often engage with a product supplier if they have a security issue"
JG: Walmart, like all companies, has an interest in AI and its potential. We’ve seen a number of areas of our business experiment with these tools through different use cases, whether its driving efficiencies or increasing the efficacy of aspects of our business.
There’s a lot of experimentation going on within information security. We started looking at those types of models a number of years ago, even before AI came into its own, in order to drive efficiency and efficacy. This is primarily because in a large company you don’t want to try and solve all of your challenges around that amount of data with just humans.
We’re continuing to explore and experiment. As a company what was important to us was establishing guardrails. One of the ways we did that was publicly sharing our commitment to the ethical and responsible use of AI, and we shared some guiding principles.
Read more: Why Cybersecurity Professionals Have a Duty to Secure AI
Those guiding principles largely inform decisions around experimentation with our datasets. We educate people on the policy and the appropriate use of that new class of tool. We also monitor because we want to understand how the tools are being used effectively in the environment internally.
Ideally, we want to drive people to that internal AI ecosystem for their experimentation because we don’t necessarily want people who are using internet-facing tools risking things like data leak.
IM: What is your advice for CISOs on how to reduce the cyber skills gap in their organization?
JG: This is an issue I think most security leaders spend time thinking about. The challenge with the skills gap is that the necessary skills are constantly changing in cybersecurity.
When looking at the skills gap, we need to start with encouraging an environment of continuous learning and how we position ourselves to be a continuous learning organization.
Then you need to focus on the skills we need today and what we think they’re going to be in a year, three years and five years.
Walmart has started a program called Live Better University, where we partner with a number of universities around the US to offer degrees to associates. Those degrees are offered at no cost and we advocated early on to include cybersecurity and technology degrees in those offerings.
We’ve had a number of associates take advantage of those programs to finish their formal education in fields we are trying to hire people into. That has enabled people who were in vastly different roles in the company to pursue a degree in cybersecurity or technology, some of whom are now in roles in my own department.
It also comes down to being intentional about investing in the talent that you have. So how do you grow the people you have hired to allow them to continue to advance their career and skills, to remain current with whatever the emerging technology is and the emerging security needs.
One of the ways we’re doing that is with our global tech centre in India, and through them we’ve launched a program we’re calling School of Cybersecurity. We’ve partnered with Coursera and others and are now offering 200 different courses in the cybersecurity domain that all focus on domain-specific training.
This means if we have an associate who wants to take their cybersecurity career path in a specific direction, such as cryptography or network security, we’ve built a learning mechanism that’s self-paced so they can learn this new area of practice and start to build relevant skillsets.
"Today, we’re at a point where security is no longer an afterthought"
That kind of intentional investment helps make an organization more sticky – because we want to retain people and for them to grow their career with us.
That helps to close the skill gap and also resolve that challenge around the competitiveness in the industry to hire in cybersecurity.
IM: How have the types of skills required in cybersecurity professionals evolved during your career?
JG: I think it mirrors technology largely. Every couple of years there is a new emerging hot topic in tech. There’s been blockchain, the cloud, the Metaverse and now we’re focused on AI. We’re seeing things constantly evolving and that largely informs where we need to evolve our security practices.
From a macro view, the largest change I’ve seen in information security in my 20 years in the industry is looking back to the earliest days of technology, when we were all running open systems. When those systems were built, at some level it was to create, store and share data, which is still largely what technology facilitates.
If you think about those early systems, there was no concept of needing to build security into your system. It just was not part of the mindset. You wanted to share the data that you were creating on the system. Back then, it was much harder to share – you had a much smaller community. So there was this inherent trust among people who have the capability to do that.
As technology advanced, it became clear that we have an obligation to protect data and systems, and then it became a conversation of how you do that. So security for a long time was very much an afterthought. This was hard because it wasn’t necessarily how the system was designed or intended to function.
Today, we’re at a point where security is no longer an afterthought. Organizations that use or build technologies all recognize how critical building secure applications and systems is.
This is a complete reframing of how we think about security and in a large part today people recognize that it’s not a negotiable topic anymore.
IM: What are your biggest concerns in cybersecurity today?
JG: If Walmart ever paints anything I say frequently on the wall, it will simply be this question: how do we know the things we believe to be true remain true? We work to secure an environment and datasets and have controls in place to do so. But how do we know those controls are still serving us effectively? I’m constantly challenging my team around that.
Alongside that would be what are we not thinking about that maybe we should be? What are we not anticipating, or not thinking about in the right context or perspective? For us it’s so critical that we remain students of our business and remain tightly coupled with our business – understanding what the business strategy is, where the business is going, and what technology is needed to unlock those business strategies. Cybersecurity plays a part in that enablement in protecting the environment.
IM: What are the biggest successes the cybersecurity industry is experiencing today?
JG: It goes back to the evolution in the mindset around security. When I first came into the industry, security teams were often viewed as the department of no. Security teams were seen to some extent as an impediment or a point of friction, and that thinking has changed.
Philosophically speaking, I want our business to win. I am thinking about my role in helping the business win. That’s not to say that we in any way minimize our remit as security practitioners, but we want start with that business strategy and how we enable our technology partners to achieve that strategy in a way that doesn’t allow the organization to experience untenable risk. That evolution in thinking has been the biggest win.
IM: If you could give one piece of advice to fellow CISOs, what would it be?
JG: Be a lifelong learner. I think it’s important at every level of the organization to not allow yourself to become static. Become a lifelong learner of technology and information security and also whatever business or organization you are serving. You’ve got to constantly be in that learning mode to ensure you understand where your business or organization is headed. That’s critical for anybody to be successful.
Image credit: ValeStock / Shutterstock.com