Walmart's Jerry Geisler on the CISO position, retail challenges

When he started working at his local Walmart one summer during college, Jerry Geisler had no idea he would spend 27 years at the retailer, learning everything he could as he moved from market teams to the corporate office in Bentonville, Ark., where he investigated fraud and built an internationally accredited (ASCLD/LAB) forensics lab and eDiscovery program. His next challenges lay in information security as Walmart created a security operations center and vulnerability management program that today scans 1 million IP addresses in about four days. Walmart is the second largest employer worldwide with roughly 11,700 stores, clubs and distribution centers in 28 countries. More than half of Walmart's stores are located outside of the United States. And like Amazon, the company is testing a mix of digital and physical delivery models with e-commerce sites in 11 countries.

Three years ago, Geisler moved into an officer role in the assistant CISO position. In January, he was promoted to senior vice president and global CISO, an opportunity that presented itself when the former Walmart CISO Kerry Kilker retired. How did Geisler end up managing the global cybersecurity program of the Fortune 1 retailer? Here, he discusses his retail journey and how opportunities to support a growing business that "sells toothpaste and tennis shoes" led to his security leadership role.

Editor's note: This interview has been edited for length and clarity.

Can you talk about your career trajectory and the steps that led to the CISO position?

Jerry Geisler: I've been with Walmart for 27 years. I started with my local store right out of high school. So I've had an atypical path, I think, to the role that I hold today. When I started with the company, it was a summer job while I was going to college. Eventually, I decided that I wanted to serve, so I joined the Marine Corps. When I came off active duty, I probably had a better sense of service or a better sense of self in terms of where I wanted to go with regard to my career. I went back to college, came back to Walmart. I was actually pursuing a degree with the intention of moving into law enforcement. As I was nearing the completion of that degree, the company presented me with an opportunity to be part of a market team running an area of stores. You know, I considered that offer -- it was one of those points in life where one makes a decision that will drastically alter things -- and I chose to stay with the company. I probably spent 10 years in the field working as part of a market team until I was presented with an opportunity to come into our corporate office. I came into our corporate office into a role where I was conducting insurance fraud investigations and then eventually moved into a role of what we called at the time a corporate fraud examiner, doing more of the corporate fraud investigations.

Did you have a technical background at that point?

Geisler: I did not, outside of being a hobbyist. I was interested in technology but did not have a technical degree at that point. I took an interest in file system forensics, which was sort of a newer field at that time. I recognized as I was engaging in that type of work that very frequently I was having devices coming in to scope or potentially having relevance into whatever matter I was looking into, so I built a laboratory at home. I started devouring everything I could find on file system forensics and interoperability between applications and operating systems and the hardware layer, and understanding what artifacts might be relevant, depending on the operating system, and started to be self-taught. Walmart actually started a forensics team at that point, and I campaigned to move to that team, certainly realizing that I was not perfectly qualified, not having coming up through a traditional technical route.

At the time, I decided to go back to school to also pursue additional business degrees. I was afforded the opportunity to come over as an engineer onto that [forensics] team, and it was interesting, to say the least, because I was surrounded all of a sudden by people who had spent their entire careers in technology, and certainly it was a humbling experience. I probably suffered from imposter syndrome for the first year that I was on the team, but quickly realized that, hey, this is an opportunity to grow -- not only in my career but in shortcutting my technical education.

It was about 15 years ago that I came into technology, so I started to pursue what was at the time technical certifications, to bury myself in on-the-job training, and I started creating what would become the first iterations of some of the documentation for those practices. As I moved up through the engineering ranks, I had previously held roles at the company with managerial or supervisory responsibilities and eventually was asked to lead a team in information security. So I started leading, what was, at the time, our forensics services practices.

And as I was leading that team, there was a realization, I think, at most companies that there was a need to start building SecOps, or security operations capabilities, so I was asked to start looking at that. This would have been in the 2005 to 2006 timeframe. So, the first thing we started looking at was bringing in a security operations center. Of course, I didn't have any expertise in building a security operations center, so we looked externally for expertise to help us with that. And as we did that, we took a step back and said, 'What are the services that we want to provide in our SecOps practices? How do we want to approach this?' And we quickly realized that we were good at a lot of things; we needed to be great at some of them. The team I was leading at the time had responsibility for forensic services and e-discovery that supported our investigations group; we also had threat research, incident response -- all baked into this one team. So we starting splitting these practices apart and growing them and maturing them to a point where they were a very effective capability for information security practices.

As that was occurring, I was afforded the opportunity to advance in my career, so I started as a manager of one team, [became] the senior manager of multiple SecOps teams, eventually moving into a director role running an entire area of information security and then to a senior director, and then to the point where I was tapped by our previous CISO to step into an officer role position as the assistant CISO. I started into that role three years ago, taking on a larger role in the day-to-day operations of the entire department. Until we get to this point where the CISO has retired and I get this opportunity to step into the Walmart CISO role.

Unlike a lot of IT professionals in the CISO position, you really understood the business as you were learning the security aspects of retail.

Geisler: Right, and I intentionally pursued those degrees with the intent of cutting my technical teeth, in certain situations, with on-the-job training and mentorships.

I think understanding our business has served me well in the leadership roles simply because I have a deep appreciation for the history of the company, its values, what is core in terms of our principles and our mission as a company. And that helps me to keep that front and center for our teams, especially in the technology area with things like information security. It is very easy to fall into a myopic view and focus strictly on information security without taking into consideration what is it ultimately that the organization is trying to accomplish strategically. So keeping that front and center for our teams helps not only enable the business but keeps us all grounded because we, as a company, we exist because we sell toothpaste and tennis shoes and all of those things that customers count on us to provide. At the end of the day, we're not in the information security business. So the day that information security makes that prohibitively difficult, there is really no reason for us to be here, so we have to keep that organizational mission front and center.

How much of Walmart's business is online? Is the company still focused on a big box strategy? What are the changes going on there, and how is that affecting your information security programs?

Jerry Geisler

Geisler: Great question! If you look at what the company is doing strategically, it is an omnichannel retail strategy, so certainly brick-and-mortar will remain central, but e-commerce is just as important to us. We want to be able to interact with the consumer however they choose to shop with the company, whether that's in-store, online or via mobile device, and it certainly changes our back-end technology model to deliver those capabilities. New models for security have to emerge as well. So if you think about perhaps the most significant shift occurring across a number of portals, it is the migration to public cloud. As that occurs, we have to rethink how we deploy our security stack in such an environment, and how we have to think differently about security to enable our technology partners and our infrastructure application areas to deliver those services that the business is demanding, that our consumers are demanding, in a way obviously that remains effectively secure.

A [few months] ago, it was reported that one of Walmart's third-party partners likely had a misconfiguration issue with Amazon storage. What happened there?

Geisler: Yes, that's correct. If you look at how retail is evolving in terms of online commerce, it is becoming a platform for other sellers. If you think about Amazon's marketplace or Walmart's marketplace, we are inviting third parties to transact with consumers on our platform. In this particular case, we were contacted by a security researcher who thought that we had exposed a customer database. We quickly triaged that with our incident response team and recognized that it wasn't our environment. It wasn't our database either. It was a company that was selling through our platform, and others, that essentially was storing its customer information. They stored that database in an Amazon S3 bucket, and it was misconfigured and left exposed to the internet. Unfortunately for us, they had named that database Walmart SQL. When you look at the database, there were a number of other retailers in that database besides Walmart, but we were contacted and we got associated with the story.

What is your view of the top challenges for the CISO position in modern environments? Things that are going on now -- you mentioned cloud.

Geisler: I think that it is multifaceted. There is a constantly evolving and emerging threat landscape. We see attacks increase in terms of frequency -- and sophistication. Today, what you see are very sophisticated attacks that can be executed by adversaries that may not be all that technically sophisticated. It has become an underground economy of crimeware services, so you're not dealing with a handful of highly sophisticated and technical miscreants; you could be dealing with thousands more who really are just paying a fee, buying a service, and then pointing an attack at an organization. So I think, in any modern enterprise, the CISO is balancing the business objectives and strategies with the risk that comes hand in hand with those. We have to recognize that most enterprises are not in the information security business; they are in some other business, and you have to understand how to facilitate and enable that business to be successful to achieve those strategic objectives, while also ensuring that we are meeting our obligations of adequately protecting the organization against risk and threats.

I think another area that is a challenge for every CISO is the lure for talent. It is well-documented that security has near full employment or negative unemployment, and you read articles very frequently about what the shortage is going to be in the next two, three, five years. How do you attract that talent to your organization? How do you retain talent? There's a lot of conversation about the diversity of talent in the cybersecurity workforce, and we play a role in creating the opportunities to attract the entirety of the workforce to our organization. What are we doing to grow that next generation of security practitioners or information security leaders so that when it comes time for my retirement or exit from the organization, or any other personnel from the organization, what's our plan to ensure that we don't miss a beat?

When you look at the ever-increasing demand on technology to deliver capabilities to the business, how does security engage in that agile development environment? Are we effectively engaging with our other technology partners so that security does not become the bottleneck or choke point to that business value? And that takes a very concerted and intentional effort but also a mindset that is dedicated to that way of thinking so that security does not start to get perceived as the department of 'no.' Really, security is a partner that helps to solve a technology problem so that the technology organization can deliver value for the business in a way that we are ensuring that we are protecting the business, our customers and our associates.

Your rise to the CISO position is somewhat unique in that your career in security has grown along with the security operations of the organization. Are there any anecdotes that you could share that illustrate some of the lessons that you have learned along the way that may help those who are interested in pursuing a senior security management career?

Geisler: Sure. It is not necessarily my anecdote; it is one that comes from our [president and] CEO Doug McMillon, and I'm certainly not comparing myself to him. And I will tell you that my security journey or my career journey, while it may be somewhat atypical, it is not unique within Walmart. I can point to people all over the organization that have started in vastly different roles and been given the opportunity to do things that they never would have conceived of, myself included. Doug started at the company as a forklift driver in a warehouse, and today [he heads] a Fortune 1 company. And someone asked, 'How does that happen?' And Doug hesitated and then he said, 'You know I just raised my hand a lot.' And I thought that is such a simple answer, but it was absolutely brilliant. And I think how I would translate that back to my own career is when opportunity is presented, while you may realize that you are not perfectly qualified, don't shy away from it.

 The other thing I would say is, don't ever feel like you've arrived; be a continuous, lifelong learner. Read a lot. Understand your industry, understand the security industry. Be a mentor; look for mentors. And if you are a mentor, realize that you learn from your mentees as well, so it's not just a one-way conversation.

I'm an average individual that's been offered extraordinary opportunities. And I've been fortunate enough to take those opportunities when presented -- I raised my hand. So, I raised my hand, and then I quickly made a point to understand, 'How am I going to be successful in this next step?' and invested the time necessary to grow and develop as a security practitioner and as a technologist and probably most importantly as a leader.

Find out more about Walmart's vulnerability management and other security initiatives across its environments, including cloud, in part two of this interview.