Security Analyst - Vulnerability Management

Costco IT is responsible for the technical future of Costco Wholesale, the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed. As proof, Costco ranks seventh in Forbes “World’s Best Employers”.

This is an environment unlike anything in the high-tech world and the secret of Costco’s success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.

Come join the Costco Wholesale IT family. Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees.

This Security Analyst position will be a member of the Cybersecurity Threat Exposure - Vulnerability Management team that will perform configuration, troubleshooting, monitoring, and auditing of information system activities utilizing multiple security related tools to ensure security best practices are enforced; create and maintain documentation related to policies, standards, and procedures; mentor team members; and provide consultative services to teams and stakeholders to improve the vulnerability scanning of their environments.

The Analyst should have in-depth working experience and knowledge of vulnerability assessment methodologies and tools such as Tenable, Qualys, or Tanium. They should have solid skills in Windows and Linux, and familiarity with networks; and have in-depth knowledge and work experience with security best practices.

If you want to be a part of one of the worldwide BEST companies “to work for”, simply apply and let your career be reimagined.

ROLE

Analyzes and administers security policies to control physical and virtual system access.

Identifies and investigates security issues and develops security solutions that address compliance requirements that can/ do impact security.

Identifies, develops, and implements mechanisms to detect security incidents in order to enhance compliance and support of the security standards and procedures.

Demonstrates a comprehensive skill set with testing authorizations for multiple environments and coordinates testing with business/technical users.

Validates system configurations to ensure the safety of information systems assets and protects information systems from intentional or inadvertent access or destruction.

Implements best practice when applying knowledge of information systems security standards/practices (e.g. access control and system hardening, system audit and log file monitoring, security policies, and incident handling).

Designs and coordinates activities/engagements with other departments (loss prevention, legal, networking, etc.).

Determines strategy and protocol for network behavior, analysis techniques, and tool implementation.

Identifies and resolves problems often anticipating issues before they occur or before they grow; develops and evaluates options; and implements solutions that support the business.

Creates dashboards, configures alerts, implements and supports security software platforms, and monitors tools/apps.

Identifies opportunities for streamlining, and increasing effectiveness through continuous process improvement.

Works analytically to solve both tactical and strategic problems within the vulnerability management program.

Plans, develops, configures, and executes vulnerability scans using tools such as Tenable, Qualys, or Tanium on a wide variety of global corporate and business information systems both on prem and cloud based.

Collects and aggregates information from a wide variety of sources and formats for relevance to our environment; monitors and provides metrics on threat level of vulnerabilities using tools such as Power BI, Axonius, and Xpanse.

Participates in the development and maintenance of executive and team dashboards and/or regular reports to communicate department-specific cybersecurity risks and threats.

Contributes to the design and implementation of our vulnerability management program that leverages a risk-based approach to address current vulnerabilities for the most impactful asset categories. Demonstrate in-depth knowledge and understanding of the global threat landscape, cybersecurity trends, emerging technologies, and the ability to relate them to the IT teams and application developers.

Applies knowledge of operating systems, applications, and database vulnerability assessments (to include system configuration checks) on various Information Systems.

Conducts research on current vulnerabilities and exploits using publicly available, trusted resources, and other finished vulnerability products.

Communicates security vulnerabilities and risks to issue owners and assist in remediation planning efforts where possible.

Helps maintain patch and vulnerability management best practices to protect against the exploitation of critical application and system vulnerabilities.

Facilitates the application of risk treatments to vulnerabilities that cannot be remediated through business-as usual (e.g., systems that cannot be updated per regulatory restrictions, systems that require significant technology upgrades, etc.)

Collaborates and communicates with Compliance, Internal Audit, the Business teams, and others to identify, analyze, and communicate risk; and provides support around vulnerability management within their business requirements.

Responds to tickets and incidents in a proactive manner based on the enterprise SLA’s.

Coordinates with the Incident Response team to remediate security incidents as needed.

Understands compliance requirements that may impact security and effectively collaborates with business areas and project teams to develop security solutions that address these requirements.

Assumes a leadership role in advocating internally and externally for compliance to security measures to protect corporate applications and environments.

Works with information systems owners and administrators to understand their security needs and assists with implementing practices and procedures consistent with Costco’s security policies.

Builds and maintains supplier partnerships to further Costco’s mission and goals.

Maintains current knowledge of industry trends and standards.

Creates and maintains environmental documentation, tasks, change records, etc.

Continues professional growth in the areas of technology, business knowledge, and Costco policies and platforms.

REQUIRED

3-5 years’ experience in a vulnerability management role to include vulnerability management scanners and application scanning/testing tools and strategies.

Hands-on experience with vulnerability scanning tools or endpoint protection such as Tenable, Qualys, or Tanium.

Knowledge of the vulnerability management process including remediation planning.

Thorough understanding of security frameworks such as HIPAA, SOX, PCI, GDPR, CCPA, etc.

Experience with Windows, Linux, and networking environments.

Understands the OSI model, as well as IPv4/IPv6 protocol suite.

Working knowledge of information security best practices, policies, standards, and baselines, including industry standards and guidelines from ISO 27001/27002, NIST, CIS, and OWASP.

Technical working experience/knowledge of operating systems, databases, web applications, middleware, and other computing devices/software components.

Experience in computer software or computer networking.

Strong analytical and problem-solving skills.

Strong communication skills, both written and verbal with the ability to clearly communicate Information Security matters to executives, auditors, end users, and engineers, using appropriate language, examples, and tone.

Ability to quickly understand systems in order to identify and validate security requirements.

Demonstrated logical and structured approach to time management and task prioritization in support of team work goals.

Knowledge of and practical experience with Agile methodologies.

Strong documentation skills, and awareness of change management.

Ability to adapt to changing priorities and working in an ambiguous environment.

Possesses a strong collaborative mindset; able to function as a contributing member of the team.

Ability to handle highly confidential information in a strictly professional manner.

Supports 24x7x365 on-call rotation.

Recommended

Security certifications preferred (e.g., Security+, GCIA, GCIH, CISSP, CEH, CCSP, CISA, GSEC, etc.)

Ability to work with cross-business and cross-functional teams in a geographically distributed environment.

Ability to work independently, as well as part of the team.

Ability to conduct root cause analysis against vulnerabilities and determine feasible technical solutions.

Ability to examine issues both strategically and analytically.

Ability to work on multiple, simultaneous initiatives.

Bachelor’s degree in Information Security, Computer Science, or equivalent experience.

Experience in security testing of web application, mobile applications, APIs, Cloud hosted application, Containers and on-prem data centers.

General knowledge of scalable multi-tier enterprise-level applications.

General cloud and networking knowledge.

Experience with technologies such as TCP, UDP, NMAP, DNS, SSL, FTP, SMTP, NetBIOS, DHCP, NGFW, and SIEMs.

Familiarity ITILv2/v3 processes such as Service Support, Service Delivery, or Continual Service Improvement.

Familiarity with Kanban or Agile continuous improvement methodologies.

Required Documents

• Cover Letter

• Resume

California applicants, please click here to review the Costco Applicant Privacy Notice.

Pay Range: $125,000 - $165,000

We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees.

Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to [email protected]

If hired, you will be required to provide proof of authorization to work in the United States.