Manager, Security Governance Risk & Compliance

Commerce
Austin, TX
$112,870 - $169,306

About The Position

At Commerce, our mission is to empower businesses to innovate, grow, and thrive with our open, AI-driven commerce ecosystem. As the parent company of BigCommerce, Feedonomics, and Makeswift, we connect the tools and systems that power growth, enabling businesses to unlock the full potential of their data, deliver seamless and personalized experiences across every channel, and adapt swiftly to an ever-changing market. We believe in harnessing AI responsibly to unlock new possibilities, and we’re looking for individuals who use it intentionally to solve problems, accelerate outcomes, and expand what’s possible in their role. Our purpose is to help businesses confidently solve complex commerce challenges so they can build smarter, adapt faster, and grow on their own terms. If you want to be part of a team of bold builders, sharp thinkers, and technical trailblazers who shape the future of commerce, this is the place for you.

As a Manager of Security GRC, you will lead our compliance programs and serve as the strategic owner of our audit portfolio at Commerce. You will oversee our most critical certification and regulatory programs — including PCI DSS, SOC 2, ISO 27001, and other security audits — ensuring compliance is embedded into our "business as usual" (BAU) operations and that our control environment is continuously audit-ready across Commerce, Feedonomics, and Makeswift.

You will serve as the organizational bridge between Engineering, Infrastructure, Legal, Privacy, and external auditors, translating complex regulatory requirements into clear, executable programs. A core part of this role is working directly with control owners across all business units to ensure they understand their obligations, maintain evidence, and operate within the control framework. This role reports into our GRC function and leads a team of analysts responsible for audit success and control framework integrity.

Requirements

  • 6–10 years in Information Security, IT Audit, or GRC, with demonstrated ownership of enterprise-level audit programs (PCI, SOC 2, ISO 27001, or SOX).
  • Proven track record managing Level 1 Service Provider assessments and navigating complex, multi-framework audit environments spanning multiple business units or legal entities.
  • Demonstrated ability to work cross-functionally with control owners and operational teams, holding stakeholders accountable to their compliance obligations while maintaining strong working relationships.
  • Deep working knowledge of PCI DSS 4.0, ISO 27001:2022, SOC 2 Trust Service Criteria, and SOX IT general controls.
  • Ability to influence and manage cross-functional stakeholders at all levels — from engineers to executives — with clarity, diplomacy, and conviction.
  • Skilled at translating compliance requirements into business-relevant language that drives enablement rather than friction.
  • PCI ISA, CISA, CISSP, or equivalent audit/security certification strongly preferred.
  • Experience applying GRC frameworks in cloud-native environments and familiarity with modern cloud security tooling.
  • You build compliance programs that improve security posture — not just check boxes. Your teams and control owners understand the intent behind every requirement.
  • You can hold your own in a conversation about IAM policies or network segmentation, and you can turn that same conversation into an executive briefing.
  • You are comfortable operating across distinct business units with different tech stacks, cultures, and maturity levels — bringing consistency to the control framework without losing sight of context.
  • You thrive in high-stakes audit cycles and know how to keep teams focused, organized, and confident when external scrutiny is highest.

Nice To Haves

  • Prior experience at a Big 4 advisory or audit firm (Deloitte, PwC, EY, KPMG) in an IT audit, risk advisory, or security compliance capacity is a strong plus.

Responsibilities

  • Own the end-to-end lifecycle of Commerce's core audit programs — PCI DSS 4.0, SOC 2 Type 2, ISO 27001, and SOX — across Commerce, Feedonomics, and Makeswift, including scoping, evidence strategy, auditor management, and final report outcomes.
  • Partner with control owners across all three business units to ensure they understand their compliance obligations, maintain audit-ready evidence, and operate effectively within the BC Secure Controls Framework on an ongoing basis.
  • Serve as the primary point of contact for QSAs, external auditors, and certification bodies. Defend the control environment, manage audit timelines, and minimize disruption to technical teams.
  • Drive the operationalization of audit requirements into BAU workflows across all business units, reducing reliance on point-in-time evidence collection and eliminating audit fatigue organization-wide.
  • Own the tracking and closure of audit findings and control gaps across Commerce, Feedonomics, and Makeswift. Partner with control owners to deliver pragmatic, risk-informed remediation plans within defined timelines.
  • Direct the ongoing maturity of Commerce's PCI DSS 4.0 program, including Targeted Risk Analyses (TRAs), customized approach applicability, and annual assessment planning.
  • Partner with Cloud Engineering to validate and maintain PCI scope across Commerce's global footprint, ensuring effective network segmentation and data flow isolation.
  • Manage and support ISA-designated personnel; ensure the ISA function operates with rigor and consistency aligned to PCI Council standards.
  • Oversee Commerce's Secure Controls Framework (SCF), built from NIST, ISO 27001, and PCI DSS, ensuring controls are designed, tested, and documented to satisfy multiple regulatory obligations simultaneously across all business units.
  • Provide GRC leadership on architectural reviews, product launches, and infrastructure changes across Commerce, Feedonomics, and Makeswift to ensure regulatory requirements are addressed upstream — not as an afterthought.
  • Stay ahead of emerging requirements across PCI, SOC, and ISO 27001:2022, translating regulatory changes into actionable program updates.

Benefits

  • The Commerce story is one of global growth, incredible talent, and unstoppable passion in all we do. Despite our huge success so far, we’re still just getting started! Explore our history, mission and values. You’ll see we’re set on shaping the now - and the future - of ecommerce.
  • Join our Commerce Talent Community, and plug in to our latest news and career opportunities.
  • We’re a group of clever, committed, curious people, unleashing talent in all we do. We believe in the power of togetherness, striving at the edge of what’s possible, impacting the lives of billions of people for the better. In all we do, We Do Extraordinary–and that’s no small feat!
  • Our people are our power. It’s only through dedication, collaboration, and inspiration that we can Do Extraordinary. We’re natural problem-solvers, champions of empowering businesses, and hungry learners… but we also play nerf wars in the office, support each other, and hang out outside of work.