Security Governance Risk & Compliance Analyst

· Remote

Location

Remote

Type

Full Time

Job Description

Austin TX USA
In-Office
50K-84K Annually
Senior level
Artificial Intelligence • Cloud • Consumer Web • eCommerce • Information Technology • Software
We Mean Business.
The Role
The role involves managing compliance programs, conducting risk assessments, collaborating across teams, and supporting audit processes within Information Security.
Summary Generated by Built In
Welcome to the Agentic Commerce Era

At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of BigCommerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market. We believe in harnessing AI responsibly to unlock new possibilities, and we’re looking for individuals who use it intentionally to solve problems, accelerate outcomes, and expand what’s possible in their role. Our purpose is to help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers who shape the future of commerce, this is the place for you.

We're looking for a Senior Security Governance Risk and Compliance Analyst to help support our compliance programs and work with our teams to implement risk improvement processes and projects. Commerce is committed to being a leader in Information Security in the e-commerce space. Your skills and your passion for protecting data and ensuring compliance will be a large factor in Commerce’s future success.  This role will report into our GRC function and work cross-functionally with Product Security Legal Partnerships Privacy and Engineering teams.

What you’ll do:

  • Function as a frontline representative of Information Security, leading by example, being diplomatic yet firm, fair, flexible, and consistent in deploying industry standard information security best practices and applicable laws, regulations, and policies.

  • Using a risk-based framework, manage third party risk assessments—from onboarding due diligence to continuous monitoring—leveraging platforms like OneTrust, SafeBase, or similar.

  • Partner with fraud operations and data science to model and detect threats such as account takeovers, payment abuse, promo fraud, and affiliate misbehavior; understand fraud detection platforms, e.g. e-Hawk, Recorded Future, etc.

  • Maintain metrics and reporting that tie fraud risk to potential loss or customer impact in real terms.

  • Demonstrate understanding of BC GRC Office strategic vision, be a self-starter, and be responsible for actions promoting this strategic vision.

  • Provide support and guidance regarding best practice regulatory and legal compliance, including PCI, GDPR, ISO 27001, NIST, and SOX.

  • Assist in evaluating the design and operating effectiveness of the BC Integrated Secure Controls Framework (BC SCF), built from Industry Standards such as NIST, ISO 27001, and PCI DSS, around technology controls including but not limited to Software Development Lifecycle (SDLC), Logical Security, Data interfaces, availability/redundancy, and Cyber / Info security.

  • Preparing supporting evidence and documenting test plans which clearly describe the audit procedures performed, results of testing, and conclusions reached for various processes.

  • Creating technology diagrams detailing the systems and their dependencies during the audit process

  • Assisting with the Department’s data collection and analytics efforts and Internal Audit report preparation.

  • Assisting in the development and tracking of control recommendations for corrective action/improvement. 

  • Work with Internal Audit leadership to identify and continuously improve departmental practices.

  • Monitor and demonstrate compliance with organizational policies and practices as evidenced by strong quality assurance results and strong performance within standards and related metrics.

  • Stay abreast of current issues and obtain continuing education and training.

  • Participate in special projects and perform other duties as requested.

  • Interact with all levels of management to provide effective risk and control advice, maintaining active communication to enhance risk and control awareness and manage expectations.

  • Provide data analysis support for ongoing compliance monitoring

  • Maintain up-to-date knowledge about audit controls and techniques

  • Utilize innovative ideas and tools to enhance operational effectiveness

  • Evaluate and recommend improvements to business practices, processes, and controls

Who You Are:

  • 5-6 years of relevant experience in a technology environment.

  • Experience with translating business requirements into project implementation plans and validation including user acceptance testing.

  • Knowledge of network-based services, client/server applications, cloud-based and virtualized environments, mobile applications, enterprise systems and infrastructure, network architecture, and security infrastructure.

  • Passion about process improvement and removing friction from systems

  • Direct experience with audit and compliance frameworks e.g. ISO 27001 2007:2017 PCI etc.

  • Background in IT hardware/software concepts and processes used within the business covering

    • Core security concepts

    • Cloud-based services

    • Windows and Linux operating systems

    • Open-source ecosystem (databases, applications, etc.)

  • Experience with auditors and the evidence collection process

  • Experience with the design and testing of IT security controls in a managed hosting and/or Software-as-a-Service environment

  • Experience in building relationships across business functions, locations, and technical stakeholders.

  • Self-direction and attention to detail, with a passion to solve practical problems while dealing with a number of variables.

  • Ability to present ideas/solutions and communicate clearly, concisely, and accurately with others at all levels of the organization.

  • Experience in reading the culture of a company, adjusting your style, and adapting as needed.

  • Collaborative, upbeat work ethic where you both take ownership and have fun.

  • Able to meet deliverables and drive your work to completion within specified timelines.

  • Great verbal and written communication skills.

This is a Hybrid role - Beginning March 1, 2026, employees who live within commuting distance of a Dedicated Office will be expected to be in the office three days per week.

(Pay Transparency Range: $49729.00 - $84100.00)

Compensation Transparency


The national base salary range for this role is posted above in this job post.

Final compensation will be determined based on factors such as relevant experience, skills, qualifications, and geographic location. We also consider internal equity to help ensure fair and consistent pay practices across our teams.

Where applicable, this role may also be eligible for variable compensation (such as bonus or commission), equity, and benefits in accordance with local policies. Details will be shared during the hiring process. We are committed to equitable and transparent pay practices that align to market data, internal equity, and individual contribution.

Inclusion and Belonging

At Commerce, we believe that celebrating the unique histories, perspectives, and abilities of every employee makes a difference for our company, our customers, and our community. We are an equal opportunity employer, and the inclusive atmosphere we build together will make room for every person to contribute, grow, and thrive.

We are committed to creating an inclusive and accessible hiring experience for all candidates. If you require accommodations or adjustments at any stage of the recruitment process, please let us know and we will work with you to meet your needs.

Learn more about the Commerce team culture and benefits at https://www.commerce.com/careers/

Protect Yourself Against Hiring Scams: Our Corporate Disclaimer 

Commerce, along with many other employers, has become the subject of fraudulent job offers to hopeful prospective job seekers.
Be advised:
Commerce does not offer jobs to individuals who do not go through our formal hiring process.
Commerce will never:

  • require payment of recruitment fees from candidates;

  • request personally identifiable information through unsanctioned websites or applications;

  • attempt to solicit money from you as part of the hiring process or as part of an employment offer;

  • solicit money to complete visa requirements as part of a job offer.

If you receive unsolicited offers of employment from Commerce, we urge you to be extremely cautious and avoid engaging or responding.

Skills Required

  • 5-6 years of relevant experience in a technology environment
  • Direct experience with audit and compliance frameworks e.g. ISO 27001 2007:2017 PCI
  • Knowledge of network-based services and security infrastructure
  • Experience with auditors and the evidence collection process
  • Experience in building relationships across business functions and technical stakeholders


Commerce Compensation & Benefits Highlights

  • Healthcare Strength: Multiple national medical plan options (PPO and HDHP), plus dental and vision, are paired with mental health/EAP, company‑paid life insurance up to 3x salary, and company‑paid short‑ and long‑term disability. This combination indicates broad health protection across core needs.
  • Retirement Support: A 401(k) program includes an employer match noted as 50% of the first 6% contributed, alongside HSA, healthcare FSA, and dependent‑care FSA options. These tools support tax‑advantaged saving and longer‑term financial security.
  • Leave & Time Off Breadth: Unlimited vacation for salaried employees, accrued PTO for hourly staff, paid sick leave, paid volunteer time, and a designated wellness day indicate generous time‑off coverage. Floating holidays further expand available time off.


The Company
HQ: Austin TX
1200 Employees
Year Founded: 2009

What We Do

Commerce (Nasdaq: CMRC) empowers businesses to innovate, grow, and thrive through an open, AI-driven commerce ecosystem. As the parent company of BigCommerce, Feedonomics, and Makeswift, we help brands unlock the full potential of their data, connect systems, and deliver seamless, personalized experiences across every channel. Visit commerce.com or follow us for more. #PoweredByCommerce

Why Work With Us

Ask any employee what makes Commerce unique, and they will tell you it's the people. The team is full of brilliant, dedicated individuals focused on revolutionizing the world of ecommerce. We foster a culture that encourages inclusion of every employee, celebrating our individuality and the values that bring us together.

Commerce Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

Typical time on-site: 3 days a week
HQ: Austin
Ireland
Ukraine
Atlanta
London
Sydney


Date Posted

06/04/2026
