Network Security Engineer III

Ahold Delhaize USA, a division of global food retailer Ahold Delhaize, is part of the U.S. family of brands, which also includes five leading omnichannel grocery brands – Food Lion, Giant Food, The GIANT Company, Hannaford and Stop & Shop. Ahold Delhaize USA associates support the brands with a wide range of services, including Finance, Legal, Sustainability, Commercial, Digital and E-commerce, Technology and more.

Salisbury, NC

Ahold Delhaize USA

<p class="p1"><strong><br />Ahold Delhaize USA, a division of global food retailer Ahold Delhaize, is part of the U.S. family of brands, which also includes five leading omnichannel grocery brands &ndash; Food Lion, Giant Food, The GIANT Company, Hannaford and Stop &amp; Shop. Ahold Delhaize USA associates support the brands with a wide range of services, including Finance, Legal, Sustainability, Commercial, Digital and E-commerce, Technology and more.<br /><br /></strong>Join our Talent Community to stay updated on opportunities with Ahold Delhaize USA. You&rsquo;ll be the first to know about new positions that match your career aspirations. To join, click here: <strong><a href="https://aholddelhaizeusa.careerswithus.com/talent-community" target="_blank" title="Talent Community - Ahold Delhaize USA (careerswithus.com)" rel="noopener noreferrer">Talent Community - Ahold Delhaize USA (careerswithus.com)</a></strong>.&nbsp;</p> <p class="p2">&nbsp;</p> <p class="p1"><strong><a href="https://aholddelhaizeusacareers.appvault.com/create" target="_blank" title="Talent Community " rel="noopener noreferrer"></a><br /></strong></p> https://www.adusa.com/

keywords: position summary,position details,schedule,authorized to work in the u.s.,management,review,compliance,operations,technical,develop,security,network,experience,knowledge,skills,education,certification

Full Time

485754

Overview: The Sr. Network Security Engineer will lead the engineering, delivery, and operations of ADUSA's network security platforms with a key focus on zero trust architecture, next-generation firewalls, and secure connectivity across the enterprise. This role is responsible for the technical design, implementation, and management of mission-critical network security infrastructure spanning ADUSA's data centers, cloud environments, retail locations, corporate offices, and distribution centers.<br /><br />The Sr. Network Security Engineer will drive the multi-year strategy to transform ADUSA's network security posture, championing zero trust principles and ensuring all network traffic is inspected, segmented, and secured in alignment with PCI-DSS, HIPAA, and other regulatory compliance frameworks. This role has overall responsibility for the delivery of secure connectivity, threat mitigation, incident response coordination, firewall and proxy platform management, and policy enforcement across all brands.<br /><br />Our flexible/hybrid work schedule includes 3 in-person days at one of our core locations and 2 remote days. Our core office locations are Salisbury, NC &amp; Quincy, MA.<br /><br />Applicants must be currently authorized to work in the United States on a full-time basis.
Responsibilities: <ul> <li>Lead the design, engineering, and operations of ADUSA's network security platforms including next-generation firewalls (Palo Alto, Fortinet), secure web gateways, and cloud security solutions (Zscaler ZIA/ZPA), ensuring high availability, performance, and compliance across all environments.</li> <li>Architect and implement zero trust network security frameworks across the enterprise, defining and enforcing micro-segmentation, least-privilege access policies, identity-based authentication, and continuous verification strategies to minimize the attack surface.</li> <li>Manage and maintain firewall rule sets, security policies, NAT configurations, and VPN infrastructure across Palo Alto and Fortinet platforms, ensuring policies are optimized, documented, and aligned with PCI-DSS, HIPAA, and corporate security standards.</li> <li>Oversee Zscaler cloud security platform administration including ZIA (Zscaler Internet Access) and ZPA (Zscaler Private Access), managing URL filtering, SSL inspection, DLP policies, cloud firewall rules, and application access policies for all users and locations.</li> <li>Drive compliance initiatives by implementing and maintaining network security controls required for PCI-DSS, HIPAA, SOX, and other regulatory frameworks; lead audit preparation activities, evidence collection, and remediation of security findings.</li> <li>Act as a subject matter expert in network security design and architecture, evaluating emerging threats and technologies, and providing recommendations to the Network Architecture team for continuous improvement of the security posture.</li> <li>Participate in security incident response and forensic analysis, working with the SOC, threat intelligence, and risk teams to investigate network-based threats, contain breaches, and implement preventive controls.</li> <li>Develop and maintain network security automation to streamline firewall provisioning, policy deployment, configuration compliance checks, and security reporting across all platforms.</li> <li>Review and establish security documentation, standard operating procedures, and runbooks; ensure these standards are maintained and audit-ready at all times.</li> <li>Act as a point of escalation to external ADUSA managed service providers and internal teams in the incident management process, assisting in reviewing security incident and problem data, performing root cause analysis, and driving continuous improvement.</li> <li>Monitor and manage the security device lifecycle, including firmware maintenance, certificate management, and license compliance for all firewalls, proxies, IDS/IPS, and related network security infrastructure.</li> <li>Manage and influence analysis of business requirements to ensure that network security solutions meet established policies, risk tolerance, and compliance controls while enabling business agility.</li> </ul>
Requirements: <ul> <li>Bachelor's degree or equivalent years of work experience.</li> <li>5+ years of progressive experience in network security engineering, with deep hands-on expertise in enterprise firewall platforms (Palo Alto Networks, Fortinet FortiGate).</li> <li>Strong experience with Zscaler cloud security platforms (ZIA, ZPA) including deployment, policy management, SSL inspection, and troubleshooting.</li> <li>Demonstrated experience designing and implementing zero trust network architectures in large-scale enterprise environments.</li> <li>Knowledge of PCI-DSS and HIPAA compliance requirements as they relate to network security controls, segmentation, and audit readiness.</li> <li>Strong experience in network security design and architecture including DMZ design, network segmentation, micro-segmentation, VPN technologies (IPSec, SSL), and secure remote access solutions.</li> <li>Experience with security information and event management (SIEM) platforms, and network monitoring tools such as Panorama, FortiManager, FortiAnalyzer, and SolarWinds.</li> <li>Proficiency in automation and scripting for network security device management, policy deployment, and compliance reporting.</li> <li>Solid technical foundation in networking (CCNA/CCNP level equivalent) with strong knowledge of L2/L3 technologies, routing protocols (BGP, OSPF), and switching.</li> <li>Experience with cloud security architectures including AWS, Azure, cloud-based firewalls, and hybrid connectivity security.</li> </ul> <br /><strong>Preferred Qualifications:</strong><br /> <ul> <li>Holds one or more industry certifications: PCNSE (Palo Alto Networks), NSE 7/8 (Fortinet), ZCCA/ZCCP (Zscaler), CISSP, CCNP Security, CCIE Security.</li> <li>Experience with network access control (NAC), 802.1X, and identity-based network segmentation solutions.</li> <li>Experience with IDS/IPS platforms, DDoS mitigation, and advanced threat protection technologies.</li> <li>Experience working in an Agile (SAFe) environment.</li> <li>Familiarity with DevSecOps practices and integrating network security into CI/CD pipelines.</li> <li>Experience with Infoblox DDI, F5 load balancers, and Arista/Cisco ACI in the context of security policy enforcement and micro-segmentation.</li> </ul> <br /><br /><br /><br /><strong>Salary Range:</strong>&nbsp;$125,040 - $187,560<br /><br />All ADUSA job offers take multiple factors into consideration including, but not limited to salary range, internal equity, a candidate's qualifications, geographic region, job-related knowledge and skills.<br /><br />This position is eligible for an incentive bonus based on company performance as provided by the plan terms and governing documents.