
Nordstrom

Senior GRC Compliance Analyst (Hybrid - Seattle)

Reposted 2 Days Ago
In-Office
Seattle, WA
142K-221K Annually
Senior level
Job Description

Join Nordstrom's Governance, Risk, and Compliance (GRC) team as a Senior Analyst specializing in PCI compliance. You will be a key member of our Compliance Assessment (CA) Team, building scalable compliance programs to enhance Nordstrom's security posture, reduce risk, and ensure audit success across complex regulatory frameworks.

In this role, you will lead domain-specific regulatory compliance activities, adapting standard procedures to address varying regulatory scenarios while educating stakeholders on compliance requirements and regulatory changes. You will have authority to implement process improvements within your specialized domain and make domain-specific recommendations to senior staff for enterprise-wide changes.

Are you a skilled compliance analyst who enjoys managing security assessments? Do you have a passion for protecting companies from the latest security threats? Do you think about ways to foster continuous improvement in security controls using AI and automation? Join our team and be part of a company that is on the cutting edge of retail technology geared at getting consumers the products they love in a safe and secure environment.

A Day in the Life...

Compliance Assessment & Regulatory Expertise

  • Design and execute specialized compliance assessments for complex regulatory environments, emerging regulations, multi-jurisdictional requirements, and specific industry standards, adapting methodologies as needed
  • Serve as a PCI subject matter expert and lead the annual merchant assessment process
  • Support various regulatory and security assessments, applying both qualitative and quantitative assessment techniques and developing test approaches for compliance validation
  • Provide guidance and best practices to Nordstrom engineers and leadership on how to effectively meet regulatory requirements

Stakeholder Coordination & Remediation

  • Coordinate operational activities across multiple stakeholders including Legal, IT, Finance, and Business teams to ensure comprehensive regulatory coverage and effective remediation strategies
  • Manage the full lifecycle of applicable risk/compliance remediation plans, including the development of detailed treatment plans, their documentation, rigorous tracking, and validation of efforts from internal stakeholders

Process Improvement & Standardization

  • Implement process improvements within specialized compliance domains, developing standardized approaches and best practices for recurring regulatory assessment scenarios
  • Drive the standardization and enhancement of assessment programs and improve the Common Control Framework to increase control testing efficiency
  • Identify and implement process improvements to enhance operational efficiency
  • Provide input and guidance on security policies and standards to ensure compliance with regulatory requirements

Metrics, Reporting & Strategic Support

  • Develop compliance metrics and reporting for specialized regulatory domains, creating dashboards and analytics that provide actionable insights to management and support regulatory reporting
  • Define KPIs and KRIs and continuously measure and report on the effectiveness of our control posture, driving year-over-year improvement and sustained audit success
  • Support quarterly strategic initiatives by contributing regulatory expertise to short-term compliance projects and organizational improvement efforts
  • Contribute to the strategic vision and roadmap for the Compliance Assessment Team, supporting the development of reusable, scalable solutions to enhance program efficiency and support organizational growth

Education & Mentorship

  • Educate stakeholders on regulatory compliance requirements and changes through training sessions, workshops, and consultation to improve organizational compliance awareness and readiness
  • Mentor junior analysts by providing guidance on assessment techniques, regulatory interpretation, and organizational compliance practices

You Own This If You Have...

Required Qualifications

Experience:

  • 5+ years of experience in regulatory compliance with demonstrated specialization in specific regulatory domains
  • 5+ years of experience managing technically complex PCI assessments end to end with external assessors
  • Deep knowledge of PCI assessment processes and requirements at a Level 1 merchant, including data centers, retail locations, call centers, and cloud computing environments

Education:

  • Bachelor's or Master's degree in Information Technology, Computer Science, Cybersecurity, or related field, or equivalent work experience

Technical Knowledge:

  • Demonstrated proficiency with security and regulatory frameworks (CIS, NIST, SOX, HIPAA, PCI DSS, CCPA, etc.)
  • Broad and deep understanding of the retail business domain, including experience with online, phone order, and physical store sales channels
  • Knowledge of how regulatory requirements can be met across a diverse set of technical environments—from legacy mainframe computers to containers in the cloud
  • Experience building or maintaining a Common Control Framework

Skills:

  • Advanced compliance assessment capabilities and stakeholder management experience
  • Ability to adapt methodologies to complex regulatory scenarios
  • Strong bias for results and can operate with autonomy to address bottlenecks, provide escalation management, anticipate and make trade-offs, and encourage behavior to maximize business benefit
  • Highly collaborative skillsets and can build and leverage relationships with internal and external stakeholders
  • Excellent written and verbal communications, including presentation skills, and proven ability to effectively communicate with all levels of the organization, as well as with external parties

Preferred Qualifications

Certifications:

  • Professional-level certification preferred (CISA, CRISC, CIPP, CPA, CIA, CISM, CISSP, or equivalent)
  • Domain-specific certifications valued (PCI Professional, SOX certifications, privacy certifications, or relevant regulatory specializations)

Additional Experience:

  • Experience with assessment automation
  • Technical background and demonstrated proficiency in security tooling
  • Experience with Onspring GRC platform

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

  • Medical/Vision, Dental, Retirement and Paid Time Away
  • Life Insurance and Disability
  • Merchandise Discount and EAP Resources

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

For Los Angeles or San Francisco applicants: Nordstrom is required to inform you that we conduct background checks after conditional offer and consider qualified applicants with criminal histories in a manner consistent with legal requirements per Los Angeles, Cal. Muni. Code 189.04 and the San Francisco Fair Chance Ordinance. For additional state and location specific notices, please refer to the Legal Notices document within the FAQ section of the Nordstrom Careers site.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com. 

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

© 2022 Nordstrom, Inc  

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Pay Range Details

The pay range(s) below has been provided in compliance with state specific laws. Pay ranges may be different for other locations. 
Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.

$142,000.00 - $220,500.00 Annual

This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf

Top Skills

CCPA
CIS
HIPAA
NIST
Onspring GRC
PCI
PCI DSS
SOX
HQ

Nordstrom Seattle, Washington, USA Office

1600 7th Ave, Seattle, Washington, United States, 98101
