What Walmart Learned From the Target Data Breach

By Sean Michael Kerner  |  Posted 2015-04-29

Walmart CIO Karenann Terrell offers provocative comments about retail security and what the Target data breach taught the industry.

LAS VEGAS—The Target data breach in 2013 sent shock waves through the retail industry that reached all the way to Walmart, the world's largest retailer. In a keynote speech on April 28 at the InformationWeek Conference, co-located with the Interop conference here, Walmart CIO Karenann Terrell (pictured) answered a question from the audience about the impact of the Target breach.

"What Target taught the entire industry was that you can't have any single point of failure," Terrell said.

The ability to protect against every single potential breach vector is zero; that's why layered security with a hard, crusty exterior protection layer is needed on each individual component, including infrastructure, data and applications, Terrell said. As part of a layered approach to security, analytics and data that tracks what is happening on a network from a threat-vector perspective is needed, she said, adding that it's also important to watch the movement of data across an organization to see what happens.

Before the Target breach, Walmart knew about the need for a multi-layered defensive strategy.

"We have multiple businesses, and in some areas, we look more like a bank than a retailer," Terrell said. "So what we learned is that single points of failure anywhere can have really drastic effects, and the ability for an attack to go undetected for a period of time, just exponentially increases the damage that can occur."

The Target breach had a greater impact on the public than many had expected, she said.

"What we learned is we have to have white-hat testing capability on staff for continual testing," Terrell said.

In the post-Target breach era, Terrell has also focused on the malicious insider threat, which she sees as a real threat (though the Target breach was not caused by a malicious insider). Malicious insiders are extremely difficult to identify today, and that's where data analytics can play a big role, she said.

Terrell's keynote focused mostly on how to organize IT to deliver on business objectives. She described technology as a continuum, with a constant evolution of processes and tools.

Walmart has a different view on how it looks at legacy IT assets.

"We prefer to call it classic rather than legacy," Terrell said.

Using the term "classic" is respectful for the people who are keeping the lights on, and Walmart doesn't want to alienate people by labeling technology as "legacy" systems.

In addition, Terrell said, rolling IT modernization is just a new way of working. "We are in a continuous build-and-operate cycle now," she said. "I think there will be a constant modernization of environments."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

