Director - Threat Exposure Management

Director - Threat Exposure Management Costco Wholesale - 4.0 Seattle, WA Job Details Full-time $160,000 - $230,000 a year 15 hours ago Benefits AD&D insurance Employee stock purchase plan Disability insurance Dependent care reimbursement Health insurance Dental insurance 401(k) RSU Paid time off Vision insurance Life insurance Qualifications DevSecOps Practices Requirements specification IT management Security team coordination Requirements design Kubernetes Infrastructure as Code (IaC) Security risk assessment investigation Cloud management tools Managing IT teams Microservices Information & network security team management Cloud security best practices implementation Managing engineering teams Vulnerability management Serverless cloud services DevOps automation Web Application Security Testing Security technology solutions implementations Vuls Senior leadership Full Job Description Costco IT is responsible for the technical future of Costco Wholesale , the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed. This is an environment unlike anything in the high-tech world and the secret of Costco's success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others. Come join the Costco Wholesale IT family . Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees. As a member of the IT Management Team, you are responsible for managing, developing, and leading a team of employees. Your role includes leading the specific functional responsibilities of your team, which involves overseeing team performance and deliverables. However, your role as a leader within our organization requires more than the management of resources and day-to-day operations. As a steward of the company, you are charged with the development and execution of your team's strategic vision and plan and ensuring that your team's actions align with the larger goals of the company and the IT Division. The Director of Threat Exposure Managemen t holds a crucial leadership role, driving a proactive program to identify, assess, and manage security risks and vulnerabilities across the technology landscape. This role is built upon four core functions: overseeing the Penetration Testing Program, including managing internal/external teams and tracking remediation; establishing and running Red Team Operations, which involves advanced adversary emulation and Purple Teaming for defense improvement; owning the full Vulnerability Management lifecycle, from continuous scanning and automation to enforcing remediation SLAs; and managing the Attack Surface Management by continuously mapping the digital footprint, classifying assets, and reducing risk through segmentation. This role is also responsible for the Application Security function, ensuring security is 'shifted left' through secure development lifecycle integration, application scanning (SAST/DAST/IAST), and managing application-specific risks. Additionally, the Director is responsible for critical cross-functional duties, focusing heavily on data-driven risk prioritization. This includes implementing platforms, such as Risk-Based Vulnerability Management (RBVM) to normalize security findings and developing advanced risk scoring models (combining CVSS, exploitability, context, and threat intelligence) to efficiently prioritize and triage issues. Discover, correlate, prioritize, and triage all findings, vulnerabilities, and misconfiguration; report to the technology owners and track actions and mitigation. The Director must clearly communicate findings to technology owners, rigorously track mitigation progress, ensure accountability, escalate risks, and provide executive-level reports detailing overall exposure reduction. The incumbent must build strong cross-functional relationships and systematically drive the implementation, execution, metrication, and long-term sustainability of program objectives to continuously enhance the security operations' capacity to protect against and proactively respond to vulnerabilities and threats worldwide. As the primary conduit between your employees and upper leadership, your role in communicating and modeling the values and guiding principles of our company culture is of vital importance. All members of IT Management should strive to consciously and consistently foster a culture of engagement, trust, and "open door" communication. If you want to be a part of one of the worldwide BEST companies "to work for" , simply apply and let your career be reimagined.

ROLE INTEGRITY

When achieving benchmarks and goals, use methods/strategies that are consistent with the Code of Ethics and the Standard of Ethics for Managers and Supervisors. Always leads by example. Appropriately handles employee concerns and follows through to resolution.

MEMBER SERVICE

Provides and ensures staff provides an exceptional member experience.

ADMINISTRATION

: Ensures proper department coverage (writing schedule and break aids if needed). Understands department budget, able to research and explain budget variances.

MANAGING PERFORMANCE

: Coaches and mentors employees to provide support and guidance. Has regular open and honest conversations with employees to discuss work performance and career development. Identifies learning opportunities to strengthen employee knowledge, skill and ability.

COMMUNICATION

: Regularly shares information with employees via meetings and one-on-one conversations. Successfully navigates difficult conversations with employees, members, and suppliers. Listens, expresses empathy and adapts to get points across. Addresses issues immediately to ensure a timely resolution and to avoid escalating the situation. Consistently demonstrates business knowledge during interactions with senior management. Create clear and concise communications/recommendations for senior leadership review related to strategic business plans and initiatives

SELF-MANAGEMENT

Demonstrates sound judgment, taking a partner when necessary.

INCLUSION

: Encourages different approaches and ideas to work and to accomplish goals. Seeks employee input. Take the time to get to know or reach out to candidates who show potential that may not come forward on their own.

COMPLIANCE AND SAFETY

Takes measures to ensure employee and member information is kept confidential and adheres to IS security policy. Works directly with the Senior Executive team to design, develop, and assist in the implementation of InfoSec strategies, ensuring alignment to corporate vision/goals. This is a full-time management/leadership position (45+ hours per week).

REQUIRED

5+ years' of experience in leading penetration testing teams, red teams, and vulnerability management organizations in a global security organization. A history of defining and enforcing remediation timelines based on risk levels, including managing the friction that arises with DevOps and Engineering teams. Experience facilitating collaboration between offensive (Red) and defensive (Blue) teams to ensure that findings actually result in better detection logic. Experience negotiating with CTOs and VPs of Engineering to balance security patches with product feature velocity. Deep understanding of the OWASP Top 10 and CWE Top 25. Experience working within CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) and understanding how to inject security without breaking the build. Knowledge of modern stacks—microservices, Kubernetes, serverless, and cloud-native security (AWS, Azure, GCP). Experience with frameworks, such as STRIDE, PASTA, or LINDDUN. Ability to translate a theoretical threat into a business risk. Experience taking Red Team findings and translating them into "Engineering Requirements." For example, if a Red Team exercise repeatedly bypasses authentication, the Director doesn't just ask for a patch; they work with Engineering to implement a standardized identity service across the org. Ability to move away from being a "bottleneck" that blocks releases, and move toward providing "paved roads" (pre-approved, secure configurations) for developers. Experience integrating vulnerability and misconfiguration checks directly into CI/CD pipelines (e.g., using Terraform, CloudFormation, or Kubernetes security tools). HIPAA Training and Supervisors Orientation (within 30 days of hire); Leadership Development 101 (within one year); Costco Pay Policies (within 90 days of promotion). Recommended Master's Degree in a relevant technology field or equivalent experience. Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP). Demonstrate a logical and structured approach to time management and task prioritization. Proficient in Google Workspace applications, including Sheets, Docs, Slides, and Gmail. Required Documents Cover Letter Resume California applicants, please review the Costco Applicant Privacy Notice.

Pay Range:

$160,000 - $230,000, Bonus and Restricted Stock Unit (RSU) eligible We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees. Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to If hired, you will be required to provide proof of authorization to work in the United States. Applicants and employees for this position will not be sponsored for work authorization, including, but not limited to H1-B visas.