Compliance Engineers support the overarching values and business goals of Costco as they relate to meeting legal and regulatory obligations, identifying technical risks to the business, protecting member data and privacy, and ensuring continued compliance with Costco's policies. Compliance Engineers work cross functionally to define and set guidance in response to emerging standards and legislations, ensure policies and procedures are implemented and well documented, perform technical architecture, network and system reviews, ensure compliance requirements and controls are designed and implemented prior to go-live and identify compliance problems that require formal attention. Compliance Engineers speak both technical and business language interchangeably to effectively communicate and lead.
Engineers have deep knowledge and hands-on experience in enterprise-wide platforms, and solve technical problems while
working on technology initiatives. Engineers have strong architectural, leadership, and technical skills. They ensure delivery of
high-quality artifacts, and adhere to and follow Costco's SDLC. Engineers interact in a highly effective manner with other team
members and management, drive innovation, and influence delivery and performance.
The Compliance Engineer in Security Risk Management is responsible for the hands-on design, execution, and continuous improvement of the security risk management program. Responsibilities include owning specific functional responsibilities that directly contribute to security risk assessment deliverables and organizational risk posture. However, the role as an engineer involves more than execution of day-to-day operations. As a subject matter expert, responsibilities would include development and execution of teams strategic vision and plan ensuring work delivers value aligned to overall information security organization's goals and objectives.
We are seeking a dynamic and experienced engineer to join our Security Risk Management team. This role will be pivotal in executing our risk management strategy, including owning the identification and assessment of security risks, the design and implementation of automated risk and control assessment processes and maintaining a centralized risk register and reporting that drives organizational decisions
As a key individual contributor engineer will work independently and with high autonomy, driving innovation in security risk management operations. Will work closely with security teams, privacy experts, legal and other IT and business leaders to provide actionable insights and drive risk based decision making across the organization.
ROLE- Promotes and supports a culture of compliance, risk avoidance/mitigation, and corporate accountability throughout the organization through technical leadership, knowledge of business need, development and communication of policies, procedures, and plans, and assurance of solution designs that are in compliance with architecture standards, technology guardrails, security, and operational guidelines.
- Works well under pressure to identify and problem-solve high intensity situations with a strong sense of urgency; shows the ability to make decisions and work through ambiguity.
- Leads/Participates in the creation, implementation, monitoring, and maintenance of Security Policies and Standards.
- Serves as subject matter expert for enterprise security risk assessments, risk response, and risk management programs.
- Aggregates and analyzes risk signals from vulnerability management, threat intelligence, cloud security, and other security domains to inform risk decisions and priorities.
- Utilizes a risk-based approach to assess, prioritize, and communicate security risks across the organization.
- Researches and monitors emerging risks associated with new technologies such as Artificial Intelligence (AI), implementations, and configurations, applying industry best practices to reduce organizational exposure.
- Identifies attack surface reduction opportunities through analysis of risk and environment data across the enterprise.
- Works analytically to solve both tactical and strategic risk problems, balancing short-term response with long-term program maturity.
- Translates business and compliance requirements into technical risk specifications and partners with security teams to ensure appropriate controls are in place.
- Understands regulatory and compliance requirements that impact security and collaborates with business and project teams to develop risk-appropriate solutions, including supporting audit activities.
- Collaborates with Compliance, Internal Audit, and Business teams to identify, analyze, and communicate risk within their operational context.
- Assumes a leadership role in advocating for adherence to security controls that protect corporate applications and environments.
- Leads efforts to mature the organization's risk management program, partnering cross-functionally with Vulnerability Management, AppSec, Cloud Security, and other security domains.
- Influences and drives adoption of security risk best practices and quality standards across the division without direct ownership of execution.
- Presents risk posture, technical findings, and recommendations to executives, management, and cross-functional audiences to build consensus and drive decisions.
- Leverages AI-powered tools to enhance risk identification, prioritization, and reporting workflows, identifying opportunities to responsibly automate risk processes.
- Automates, documents, educates, and delegates risk processes to improve efficiency and scalability across the team.
- Participates in and oversees the collection and aggregation of risk data from a wide variety of sources and formats to assess relevance to the environment.
- Contributes as an active member of the InfoSec and Compliance team, participating in planning, skills development, and initiatives that improve team communication and quality of work.
- Maintains current knowledge of industry trends, frameworks, and standards; proactively pursues professional growth in technology, business acumen, and organizational platforms and policies.
- This is a full-time position (45+ hours per week).
REQUIRED- 8 -12+ years of directly related experience.
- Strong understanding of Information Security and Security Governance, Risk and Compliance frameworks, methodologies, and practices.
- Technical security and architecture knowledge with the ability to recognize, analyze and troubleshoot issues, and articulate those to both technical and non-technical audiences
- Strong leadership and team management skills, with a demonstrated ability to lead cross-functional teams and drive organizational change
- Superb communication and relationships skills, especially the ability to understand and articulate advanced technical topics to non-technical audiences and build consensus among partners and leadership.
- HIPAA Training and Supervisors Orientation (within 30 days of hire); Leadership Development 101 (within one year); Costco Pay Policies (within 90 days of promotion).
Recommended- Bachelor's degree in Information Technology, Artificial Intelligence, Cybersecurity, Risk Management, or related field.
- Relevant certifications such as CISSP, CISM, or CRISC.
- Proficient in Google Workspace applications, including Sheets, Docs, Slides, and Gmail.
Required Documents• Cover Letter
• Resume
Pay Ranges:
Level SR - $150,000 - $190,000
Level Staff - $180,000 - $225,000
We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees.
