Director - Threat Exposure Management
Costco IT · Seattle, WA · 1 mo ago
ManagementFull-time
About the role
The Director of Threat Exposure Management at Costco IT is responsible for driving a proactive program to identify, assess, and manage security risks and vulnerabilities across the technology landscape. This role oversees the Penetration Testing Program, establishes and runs Red Team Operations, owns the Vulnerability Management lifecycle, and manages the Attack Surface Management. Additionally, the Director is responsible for the Application Security function, ensuring security is 'shifted left' through secure development lifecycle integration, application scanning, and managing application-specific risks.
Responsibilities
- Oversee the Penetration Testing Program, including managing internal/external teams and tracking remediation
- Establish and run Red Team Operations, involving advanced adversary emulation and Purple Teaming for defense improvement
- Owning the full Vulnerability Management lifecycle, from continuous scanning and automation to enforcing remediation SLAs
- Manage the Attack Surface Management by continuously mapping the digital footprint, classifying assets, and reducing risk through segmentation
- Ensure security is 'shifted left' through secure development lifecycle integration, application scanning (SAST/DAST/IAST), and managing application-specific risks
- Implement platforms like Risk-Based Vulnerability Management (RBVM) to normalize security findings and develop advanced risk scoring models
- Discover, correlate, prioritize, and triage all findings, vulnerabilities, and misconfiguration
- Report to technology owners and track actions and mitigation
- Communicate findings to technology owners, rigorously track mitigation progress, ensure accountability, escalate risks, and provide executive-level reports detailing overall exposure reduction
- Build strong cross-functional relationships and systematically drive the implementation, execution, metrication, and long-term sustainability of program objectives
- Communicate and model the values and guiding principles of our company culture
- Use methods/strategies consistent with the Code of Ethics and the Standard of Ethics for Managers and Supervisors
- Lead by example, appropriately handle employee concerns, and follow through to resolution
- Provide and ensure staff provides an exceptional member experience
- Ensure proper department coverage, understand department budget, and research and explain budget variances
- Coach and mentor employees to provide support and guidance, have regular open and honest conversations with employees to discuss work performance and career development, and identify learning opportunities to strengthen employee knowledge, skills, and abilities
- Regularly share information with employees via meetings and one-on-one conversations, successfully navigate difficult conversations with employees, members, and suppliers, listen, express empathy, and adapt to get points across, address issues immediately to ensure a timely resolution and to avoid escalating the situation, demonstrate business knowledge during interactions with senior management
- Demonstrate sound judgment, take a partner when necessary, encourage different approaches and ideas to work and accomplish goals, seek employee input
- Create clear and concise communications/recommendations for senior leadership review related to strategic business plans and initiatives
- Integrate vulnerability and misconfiguration checks directly into CI/CD pipelines (e.g., using Terraform, CloudFormation, or Kubernetes security tools)
- Take Red Team findings and translate them into "Engineering Requirements"
Requirements
- 5+ years’ of experience in leading penetration testing teams, red teams, and vulnerability management organizations in a global security organization
- A history of defining and enforcing remediation timelines based on risk levels, including managing the friction that arises with DevOps and Engineering teams
- Experience facilitating collaboration between offensive (Red) and defensive (Blue) teams to ensure that findings actually result in better detection logic
- Experience negotiating with CTOs and VPs of Engineering to balance security patches with product feature velocity
- Deep understanding of the OWASP Top 10 and CWE Top 25
- Experience working within CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) and understanding how to inject security without breaking the build
- Knowledge of modern stacks—microservices, Kubernetes, serverless, and cloud-native security (AWS, Azure, GCP)
- Experience with frameworks, such as STRIDE, PASTA, or LINDDUN
- Ability to translate a theoretical threat into a business risk
- Ability to move away from being a "bottleneck" that blocks releases, and move toward providing "paved roads" (pre-approved, secure configurations) for developers
Qualifications
- Master’s Degree in a relevant technology field or equivalent experience
- Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP)
- Demonstrate a logical and structured approach to time management and task prioritization
- Proficient in Google Workspace applications, including Sheets, Docs, Slides, and Gmail
Skills
- Strategic thinking and problem-solving
- Collaborative leadership
- Technical expertise in security domains
- Strong communication and interpersonal skills
- Ability to manage multiple priorities and deadlines
- Experience with CI/CD pipelines and security tools
- Knowledge of modern software development practices
Benefits
- Paid time off
- Health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance
- Health care reimbursement account
- Dependent care assistance plan
- Short-term disability and long-term disability insurance
- AD&D insurance
- Life insurance
- 401(k)
- Stock purchase plan to eligible employees
Pay
$160,000 - $230,000, Bonus and Restricted Stock Unit (RSU) eligible
Schedule
Full-time management/leadership position (45+ hours per week)