Security Governance Risk & Compliance Analyst

Welcome to the Agentic Commerce Era

At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of Big Commerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market.

We believe in harnessing AI responsibly to unlock new possibilities, and we're looking for individuals who use it intentionally to solve problems, accelerate outcomes, and expand what's possible in their role. Our purpose is to help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers who shape the future of commerce, this is the place for you.

We're looking for a Senior Security Governance Risk and Compliance Analyst to help support our compliance programs and work with our teams to implement risk improvement processes and projects. Commerce is committed to being a leader in Information Security in the e-commerce space. Your skills and your passion for protecting data and ensuring compliance will be a large factor in Commerce's future success.

This role will report into our GRC function and work cross-functionally with Product Security, Legal, Partnerships, Privacy, and Engineering teams.

What you'll do:

* Function as a frontline representative of Information Security leading by example, being diplomatic yet firm, fair, flexible and consistent in deploying industry standard information security best practices and applicable laws, regulations, and policies.

* Using a risk-based framework, manage third party risk assessments-from onboarding due diligence to continuous monitoring-leveraging platforms like One Trust, Safe Base, or similar

* Partner with fraud operations and data science to model and detect threats such as account takeovers, payment abuse, promo fraud, and affiliate misbehavior; understand fraud detection platforms, e.g., e-Hawk, Recorded Future, etc.

* Maintain metrics and reporting that tie fraud risk to potential loss or customer impact in real terms.

* Demonstrate understanding of BC GRC Office strategic vision, be a self-starter, and responsible for actions promoting this strategic vision.

* Provides support and guidance regarding best practice, regulatory, and legal compliance, including PCI, GDPR, ISO 27001, NIST, and SOX.

* Assistance in evaluating the design and operating effectiveness of the BC Integrated Secure Controls Framework (BC SCF) built from Industry Standards such as NIST, ISO 27001, PCI DSS around technology controls, including, but not limited to Software Development Lifecycle (SDLC), Logical Security, Data interfaces, availability/redundancy, and Cyber / Info security.

* Preparing supporting evidence, documenting test plans which clearly describes the audit procedures performed, results of testing and conclusions reached for various processes.

* Creating technology diagrams detailing the systems and their dependencies during the audit process

* Assisting with the Department's data collection and analytics efforts and Internal Audit report preparation.

* Assisting in the development and tracking of control recommendations for corrective action/improvement.

* Work with Internal Audit leadership to identify and continuously improve departmental practices.

* Monitor and demonstrate compliance with organizational policies and practices, as evidenced by strong quality assurance results, and strong performance within standards and related metrics.

* Stay abreast of current issues and obtain continuing education and training.

* Participate in special projects and perform other duties as requested.

* Interact with all levels of management to provide effective risk and control advice, maintaining active communication to enhance risk and control awareness and manage expectations.

* Provide data analysis support for ongoing compliance monitoring

* Maintain up-to-date knowledge about audit controls and techniques

* Utilize innovative ideas and tools to enhance operational effectiveness

* Evaluate and recommend improvements to business practices, processes, and controls

Who You Are:

* 5-6 years of relevant experience in a technology environment.

* Experience with translating business requirements into project implementation plans and validation, including user acceptance testing.

* Knowledge of network-based services, client/server applications, cloud-based and virtualized environments, mobile applications, enterprise systems and infrastructure, network architecture, and security infrastructure.

* Passion about process improvement and removing friction from systems

* Direct experience with audit and compliance frameworks, e.g., ISO 27001, 2007:2017, PCI, etc.

* Background in IT hardware/software…