Sr. Network Security Engineer; Hybrid - Seattle, WA

Sr. Network Security Engineer (Hybrid - Seattle, WA)
Job Description

Are you passionate about securing the infrastructure that powers one of retail's most iconic brands? Nordstrom is on a journey to modernize and fortify the systems that connect our employees, partners, and customers across 400+ locations and multi-cloud environments. To support that mission, we are hiring a Senior Network Security Engineer to join our NIO organization.

You will be part of a team of highly skilled security and infrastructure professionals responsible for designing, operating, and automating the network security controls that protect Nordstrom's enterprise. The ideal candidate thinks in automation first, understands how networks actually work, and brings deep expertise in cloud security, identity, and access. You will partner closely with engineers, architects, and platform teams to execute on both strategic and day-to-day security goals.

• Design, deploy, and operate network security controls across enterprise, cloud (AWS, Azure, GCP), and retail edge environments
• Implement and maintain zero-trust network access (ZTNA) policies, microsegmentation, and perimeter security using tools like Zscaler, Palo Alto Networks, and cloud-native NGFWs
• Build and maintain automation pipelines for security policy management, firewall rule lifecycle, and compliance validation — treating infrastructure as code
• Collaborate with cloud, platform, and application teams to integrate security at the network layer without blocking delivery velocity
• Serve as a subject matter expert for authentication and authorization frameworks: 802.1X, EAP-TLS, RADIUS/Clear Pass, certificate management, and IAM integrations
• Monitor, triage, and respond to network security events; drive root cause analysis and long-term remediation
• Author engineering documentation, threat models, and security runbooks; contribute to architecture reviews
• Mentor engineers across the NIO organization on security best practices and automation patterns
• Participate in on-call rotation for critical security infrastructure

• You approach every problem with an automation-first mindset — if you're doing something twice, you're already writing the script
• You understand the network well enough to implement security without needing a network engineer in the room — you can read a routing table, troubleshoot a VLAN, and reason about traffic flows
• You've operated security in cloud environments and understand how AWS Security Groups, Azure NSGs, cloud NGFW, and service mesh fit into a layered defense model
• Authentication and authorization are not just check boxes to you — you have strong opinions about certificate life cycles, EAP methods, and identity-aware policy enforcement
• You communicate clearly with both engineers and executives, translating complex security posture into business risk
• You thrive in ambiguity, work with urgency during incidents, and bring calm, structured thinking under pressure
• Passionate about continuous improvement and raising the security bar across teams you work with

• Bachelor's or master's degree in Computer Science, Engineering, Cybersecurity, or equivalent education and experience
• 7+ years of progressive enterprise security engineering experience with demonstrated depth in network security domains
• Hands‑on experience with cloud security architecture across two or more major cloud platforms (AWS, Azure, GCP, OCI) — including cloud NGFW, VPC security controls, and private connectivity patterns
• Strong automation and IaC experience:
  Python, Terraform, Ansible, or equivalent — you write production-grade automation, not one-off scripts
• Deep expertise in network security technologies: next‑gen firewalls (Palo Alto), ZTNA/SWG (Zscaler), IDS/IPS, and DDoS mitigation
• Strong working knowledge of authentication and authorization: 802.1X, EAP‑TLS, RADIUS, Clear Pass/ISE, SAML, OAuth, and PKI/certificate management
• Solid foundational network knowledge: TCP/IP, BGP, SD‑WAN concepts, VLAN segmentation, DNS, and routing protocols — enough to own security outcomes independently
• Experience with security policy‑as‑code, CI/CD pipelines for network security…