Walmart's plan to build trust through its cybersecurity operations
Walmart has launched a concerted effort to share more about its extensive cybersecurity strategy as it continues to evolve from a big-box retailer to a big-tech competitor.
Driving the news: The retail giant hosted its first-ever cybersecurity media day with six reporters earlier this week at its Bentonville, Arkansas, headquarters.
- The daylong event included its first-ever public tour of an on-site data center, a demonstration of the security teams' ransomware responses, and a handful of panel discussions and roundtables with senior executives.
Why it matters: Walmart, like other big retailers, has historically been hesitant to share much about its cybersecurity program beyond the occasional one-off executive interview or conference panel participation for fear of malicious hackers learning too much about its systems.
- But by sharing the details of its security program, Walmart now hopes to build customer trust in all of its offerings — retail and beyond.
The big picture: Jerry Geisler, Walmart's global chief information security officer, told Axios that this week's event is just the start of the company's efforts to pull back the curtain on his team's wide-reaching efforts.
- "We landed on this realization that, like many companies, we don't talk a lot about this," Geisler said during a brief interview. "We think we're at a point where we want to start telling that story."
- Geisler sees sharing this story as integral to Walmart's mission of building customer trust: If people know how much Walmart pours into securing their personal information, then privacy-minded consumers will keep buying from Walmart.
Between the lines: Cybersecurity at Walmart goes far beyond its brick-and-mortar locations and e-commerce activities.
- Walmart has actively expanded into telemedicine and pharmaceutical services, as well as into digital payments through its Walmart Pay app.
Catch up quick: Walmart has had an information security team for more than two decades, Geisler said, giving the company an advantage in embedding the security team throughout the company's other divisions, including legal and product design.
- "You don't see many companies building information security programs in the late '90s," he added.
Zoom out: As consumers demand more information about the ways their data is collected, stored and protected, more companies are starting to build up their cybersecurity and privacy reputations.
- A prime example is Apple, which has carved out a reputation as a privacy-minded technology company as it expands beyond devices and into services.
Details: Walmart has security workers in Bentonville, the D.C. area, the Bay Area and Bengaluru, India. Soon, it'll have even more at new hubs in Atlanta, Seattle and Toronto.
- The company has lawyers who have developed quantifiable risk analysis scores to help communicate to nonsecurity leaders how much of a threat a new vulnerability is for the company specifically.
- Walmart conducts a quarterly audit of which files current employees have access to, and it is currently studying ways to transition to a full zero-trust plan and to ditch passwords altogether, Melissa Yandell, senior director of Walmart's identity and access management team, told Axios.
The intrigue: Much of Walmart's security operations are in-house, although it still works with some vendors on various detection efforts.
- The company has its own incident response and threat intelligence teams, as well as its own in-house, accredited forensics labs for hardware and data-recovery efforts. Most companies would defer at least one of these to a third-party contractor.
Yes, but: Building out this much in-house cybersecurity tooling doesn't make sense for every company. Not everyone ranks first in the Fortune 500 and has the same resources.
What's next: Geisler said he expects the next phase of Walmart's cyber blitz to focus on consumer education.
- While the precise details are still being hashed out, Walmart already puts together tips on the cybersecurity page of its website.
Sign up for Axios’ cybersecurity newsletter Codebook here.