Director - Threat Exposure Management
Costco Wholesale · Seattle, WA · 3 wk ago
ManagementFull-time
About the role
The Director of Threat Exposure Management at Costco IT is a crucial leadership position. This role oversees the Penetration Testing Program, Red Team Operations, Vulnerability Management lifecycle, and Application Security. The Director must drive a proactive program to identify, assess, and manage security risks and vulnerabilities across the technology landscape.
Responsibilities
- Oversee the Penetration Testing Program, including managing internal/external teams and tracking remediation
- Establish and run Red Team Operations, involving advanced adversary emulation and Purple Teaming for defense improvement
- Owning the full Vulnerability Management lifecycle, from continuous scanning and automation to enforcing remediation SLAs
- Manage the Attack Surface Management by continuously mapping the digital footprint, classifying assets, and reducing risk through segmentation
- Ensure security is 'shifted left' through secure development lifecycle integration, application scanning (SAST/DAST/IAST), and managing application-specific risks
- Implement platforms like Risk-Based Vulnerability Management (RBVM) to normalize security findings and develop advanced risk scoring models
- Discover, correlate, prioritize, and triage all findings, vulnerabilities, and misconfiguration
- Report to technology owners and track actions and mitigation
- Communicate findings to technology owners, rigorously track mitigation progress, ensure accountability, escalate risks, and provide executive-level reports
- Build strong cross-functional relationships and drive the implementation, execution, metrication, and long-term sustainability of program objectives
Requirements
- 5+ years’ of experience in leading penetration testing teams, red teams, and vulnerability management organizations in a global security organization
- A history of defining and enforcing remediation timelines based on risk levels, including managing the friction that arises with DevOps and Engineering teams
- Experience facilitating collaboration between offensive (Red) and defensive (Blue) teams to ensure that findings actually result in better detection logic
- Experience negotiating with CTOs and VPs of Engineering to balance security patches with product feature velocity
- Deep understanding of the OWASP Top 10 and CWE Top 25
- Experience working within CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) and understanding how to inject security without breaking the build
- Knowledge of modern stacks—microservices, Kubernetes, serverless, and cloud-native security (AWS, Azure, GCP)
- Experience with frameworks, such as STRIDE, PASTA, or LINDDUN
- Ability to translate a theoretical threat into a business risk
- Experience taking Red Team findings and translating them into "Engineering Requirements"
Qualifications
- Master’s Degree in a relevant technology field or equivalent experience
- Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP)
- Demonstrate a logical and structured approach to time management and task prioritization
- Proficient in Google Workspace applications, including Sheets, Docs, Slides, and Gmail
Skills
- Strategic planning and execution
- Collaborative problem-solving
- Effective communication and interpersonal skills
- Leadership and mentorship
- Technical expertise in security and IT
Benefits
- Paid time off
- Health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance
- Health care reimbursement account
- Dependent care assistance plan
- Short-term disability and long-term disability insurance
- AD&D insurance
- Life insurance
- 401(k)
- Stock purchase plan to eligible employees
Pay
$160,000 - $230,000, Bonus and Restricted Stock Unit (RSU) eligible
Schedule
Full-time management/leadership position (45+ hours per week)
Application Instructions
Please visit Costco's careers page to apply. Applicants and employees for this position will not be sponsored for work authorization, including, but not limited to H1-B visas.