Security Engineer - Costco Travel

Costco IT is responsible for the technical future of Costco Wholesale, the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed.

This is an environment unlike anything in the high-tech world and the secret of Costco's success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.

Come join the Costco Travel IT family. Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees.

Security Engineers develop, design, implement, and integrate security systems used to safeguard enterprise assets against cyber-attack. Security Engineers drive innovation, influence delivery, and maximize performance. They deliver high quality artifacts, develop and run security tests and continuously tune security tools for optimization. Security Engineers identify gaps and inefficiencies and work with the business to implement solutions based on their requirements.

At Costco Travel, the Security Engineer supports the overarching values and business goals of the company by architecting and implementing security systems that safeguard enterprise assets and member data against evolving cyber threats. They ensure legal, ethical, and regulatory compliance while maintaining a secure technology environment through the development of robust security controls, defenses, and countermeasures designed to prevent attacks and data infiltration. Driven by innovation, the Security Engineer identifies efficiency gaps and continuously tunes security tools for optimization. This role is highly collaborative, providing subject matter expertise and consultative services to business partners, evaluating vendor solutions, and performing comprehensive system auditing and risk assessments. Through proactive research of threat patterns and the implementation of technical and administrative best practices, the Security Engineer ensures the integrity, availability, and resilience of information systems across both on-premises and cloud environments.

If you want to be a part of one of the worldwide BEST companies "to work for", simply apply and let your career be reimagined.

ROLE
Provides security and technical expertise to support the development of security objects to satisfy business requirements.
Analyzes and administers security policies to control physical and virtual system access.
Identifies and investigates security issues and develops security solutions that address compliance requirements that can/ do impact security.
Identifies, develops, and implements mechanisms to detect security incidents in order to enhance compliance and support of security standards and procedures.
Assesses business role requirements, reviews authorization roles, and supports authorizations.
Demonstrates a comprehensive skill set with testing authorizations for multiple environments and coordinates testing with business/technical users.
Validates system configurations to ensure the safety of information systems assets and protects information systems from intentional or inadvertent access or destruction.
Implements best practice when applying knowledge of information systems security standards/practices (e.g.access control and system hardening, system audit and log file monitoring, security policies, and incident handling).
Designs and coordinates activities/engagements with other departments (loss prevention, legal, networking, etc).
Identifies security gaps that expose Costco to potential exploit and develop short- and long-term prioritized remediation to address those gaps.
Develops and executes security controls, defenses, and countermeasures to intercept and prevent internal/external data infiltrations.
Determines strategy and protocol for network behavior, analysis techniques, and tool implementation.
Identifies and resolves problems, often anticipating issues before they occur or before they grow; develops and evaluates options; and implements solutions that support the business.
Provides subject matter expertise in systems security policies, standards/practices, protocols, and technologies.
Configures, deploys, maintains, and supports security tools.
Protects confidentiality, integrity, and availability of information from being disclosed to unauthorized parties.
Creates dashboards, configure alerts, implements and supports security software platforms, and monitors tools/apps.
Identifies opportunities for streamlining and increasing effectiveness through continuous process improvement.
Implement practices, processes, and procedures consistent with Costco's information security policy and IT standards.
Develop documents security events and incident handling procedures into Playbooks.
Ensures that incident documentation is comprehensive, accurate, and complete.
Triages, prioritizes, investigates, and coordinates security events and incident handling activities.
Collaborate with business partners, project teams, and team members to build secure solutions that protects data and enables the business with tools and processes that make sense and adapt to changing business needs both on-premises and in the cloud.
Works with internal and external auditors.
Designs, configures and maintains various degrees of security.

REQUIRED
GSEC (GIAC Security Essentials).
7+ years of verifiable Information Security related experience.
Demonstrate the ability to clearly communicate Information Security matters (risks, threats, and vulnerabilities, etc.) to both technical and non-technical audiences (including executives, auditors, and end users).
Ability to interpret information security data and processes to identify potential compliance issues.
Ability to quickly understand security systems in order to identify and validate security requirements.
Knowledge and understanding of PCI, GDPR, SOX, CCPA and other regulatory directives.
Experience implementing vulnerability scanning technologies and performing vulnerability scans and assessments utilizing tools such as Nessus.
Experience with Endpoint Detection and Response (EDR) technologies and processes.
Demonstrate strong understanding of Windows, Unix/Linux, networking, telephony, and wireless security skills.
Experience administering and using at least three of the following technologies: IDS/IPS systems, security information and event correlations systems, DLP products, endpoint security technologies, encryption technologies, penetration testing tools, firewalls, content filtering, anti-virus, Web Application Firewalls, and secure code application development and testing tools.
Strong working knowledge of network topologies and protocols (such as TCP, UDP, TLS, SFTP, SMTP, NTP, NetBIOS and DHCP).
Working knowledge of information systems security standards and practices (e.g., access control and system hardening, system audit and log file monitoring, security policies, and incident handling).
Must be self-motivated and able to coordinate with others to implement changes.
Ability to manage and prioritize multiple tasks, projects and ability to work with little or no supervision.
Able to support off hours work as required including evenings, weekends, holidays.
Must be team oriented and willing to assist other members when needed.

Recommended
A Bachelor's degree or equivalent experience in Computer Science or related field.
Experience with Security testing of enterprise networks.
Experience with tools such as Nmap, NetCat and Enum.
Experience with File Integrity Management tools.
Experience with packet sniffers and analysis of packet captures in support of security event research and analysis.
Experience with current web-server security and maintenance (Apache, IIS, Java, etc.).
Experience with web application security, secure coding and OWASP.
Excellent problem determination/troubleshooting and analytical skills.
Experience with penetration testing tools, leading incident response teams, and ethical hacking techniques.
Experience using forensic tools and performing forensic collections.
Experience designing processes and creating policies and standards based on industry best practices.
Knowledge of cloud security practices and containerization concepts.
Understanding risk management and risk evaluations of security or incident events.
Proficient in Microsoft Workspace applications, including Outlook, Word, Excel, PowerPoint, and Teams.
Successful internal candidates will have spent one year or more on their current team.

Required Documents
Cover Letter
Resume

California applicants, please click here to review the Costco Applicant Privacy Notice.

Pay Ranges:

Level Senior - $150,000 - $190,000, Bonus and Restricted Stock Unit (RSU) eligible

Level Staff - $180,000 - $225,000, Bonus and Restricted Stock Unit (RSU) eligible

We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees.
Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to
If hired, you will be required to provide proof of authorization to work in the United States. In some cases, applicants and employees for selected positions will not be sponsored for work authorization, including, but not limited to H1-B visas.