Security Governance Risk & Compliance Analyst

At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of BigCommerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market. We believe in harnessing AI responsibly to unlock new possibilities, and we’re looking for individuals who use it intentionally to solve problems, accelerate outcomes, and expand what’s possible in their role. Our purpose is to help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers who shape the future of commerce, this is the place for you.

We're looking for a Senior Security Governance Risk and Compliance Analyst to help support our compliance programs and work with our teams to implement risk improvement processes and projects. Commerce is committed to being a leader in Information Security in the e-commerce space. Your skills and your passion for protecting data and ensuring compliance will be a large factor in Commerce’s future success.  This role will report into our GRC function and work cross-functionally with Product Security, Legal, Partnerships, Privacy, and Engineering teams.

What you’ll do:

• Function as a frontline representative of Information Security leading by example, being diplomatic yet firm, fair, flexible and consistent in deploying industry standard information security best practices and applicable laws, regulations, and policies.

• Using a risk-based framework, manage third party risk assessments—from onboarding due diligence to continuous monitoring—leveraging platforms like OneTrust, SafeBase, or similar

• Partner with fraud operations and data science to model and detect threats such as account takeovers, payment abuse, promo fraud, and affiliate misbehavior; understand fraud detection platforms, e.g., e-Hawk, Recorded Future, etc.

• Maintain metrics and reporting that tie fraud risk to potential loss or customer impact in real terms.

• Demonstrate understanding of BC GRC Office strategic vision, be a self-starter, and responsible for actions promoting this strategic vision.

• Provides support and guidance regarding best practice, regulatory, and legal compliance, including PCI, GDPR, ISO 27001, NIST, and SOX.

• Assistance in evaluating the design and operating effectiveness of the BC Integrated Secure Controls Framework (BC SCF) built from Industry Standards such as NIST, ISO 27001, PCI DSS around technology controls, including, but not limited to Software Development Lifecycle (SDLC), Logical Security, Data interfaces, availability/redundancy, and Cyber / Info security.

• Preparing supporting evidence, documenting test plans which clearly describes the audit procedures performed, results of testing and conclusions reached for various processes.

• Creating technology diagrams detailing the systems and their dependencies during the audit process

• Assisting with the Department’s data collection and analytics efforts and Internal Audit report preparation.

• Assisting in the development and tracking of control recommendations for corrective action/improvement. 

• Work with Internal Audit leadership to identify and continuously improve departmental practices.

• Monitor and demonstrate compliance with organizational policies and practices, as evidenced by strong quality assurance results, and strong performance within standards and related metrics.

• Stay abreast of current issues and obtain continuing education and training.

• Participate in special projects and perform other duties as requested.

• Interact with all levels of management to provide effective risk and control advice, maintaining active communication to enhance risk and control awareness and manage expectations.

• Provide data analysis support for ongoing compliance monitoring

• Maintain up-to-date knowledge about audit controls and techniques

• Utilize innovative ideas and tools to enhance operational effectiveness

• Evaluate and recommend improvements to business practices, processes, and controls

Who You Are:

• 5-6 years of relevant experience in a technology environment.

• Experience with translating business requirements into project implementation plans and validation, including user acceptance testing.

• Knowledge of network-based services, client/server applications, cloud-based and virtualized environments, mobile applications, enterprise systems and infrastructure, network architecture, and security infrastructure.

• Passion about process improvement and removing friction from systems

• Direct experience with audit and compliance frameworks, e.g., ISO 27001, 2007:2017, PCI, etc.

• Background in IT hardware/software concepts and processes used within the business, covering

  • Core security concepts

  • Cloud-based services

  • Windows and Linux operating systems

  • Open-source ecosystem (databases, applications, etc.)

• Experience with auditors and the evidence collection process

• Experience with the design and testing of IT security controls in a managed hosting and/or Software-as-a-Service environment

• Experience in building relationships across business functions, locations, and technical stakeholders.

• Self-direction, attention to detail with a passion to solve practical problems while dealing with a number of variables.

• Ability to present ideas/solutions and communicate clearly, concisely, and accurately with others at all levels of the organization.

• Experience in reading the culture of a company, adjusting your style and adapting as needed.

• Collaborative, upbeat work ethic where you both take ownership and have fun.

• Able to meet deliverables and drive your work to completion within specified timelines.

• Great verbal and written communication skills.

This is a Hybrid role - Beginning March 1, 2026, employees who live within commuting distance of a Dedicated Office will be expected to be in the office three days per week.

#LI-KE1

#LIHYBRID

(Pay Transparency Range: $49,729.00 - $84,100.00)

The national base salary range for this role is posted above in this job post.

Final compensation will be determined based on factors such as relevant experience, skills, qualifications and geographic location. We also consider internal equity to help ensure fair and consistent pay practices across our teams.

Where applicable, this role may also be eligible for variable compensation (such as bonus or commission), equity, and benefits in accordance with local policies. Details will be shared during the hiring process. We are committed to equitable and transparent pay practices that align to market data, internal equity, and individual contribution.

At Commerce, we believe that celebrating the unique histories, perspectives and abilities of every employee makes a difference for our company, our customers and our community. We are an equal opportunity employer and the inclusive atmosphere we build together will make room for every person to contribute, grow and thrive.

We are committed to creating an inclusive and accessible hiring experience for all candidates. If you require accommodations or adjustments at any stage of the recruitment process, please let us know and we will work with you to meet your needs.

Learn more about the Commerce team, culture and benefits at https://www.commerce.com/careers/

Commerce, along with many other employers, has become the subject of fraudulent job offers to hopeful prospective job seekers.
Be advised:
Commerce does not offer jobs to individuals who do not go through our formal hiring process.
Commerce will never:

• require payment of recruitment fees from candidates;

• request personally identifiable information through unsanctioned websites or applications;

• attempt to solicit money from you as part of the hiring process or as part of an employment offer;

• solicit money to complete visa requirements as part of a job offer.

If you receive unsolicited offers of employment from Commerce, we urge you to be extremely cautious and avoid engaging or responding.