Nordstrom

Senior Privacy & Cybersecurity Governance Analyst (Hybrid - Seattle)

Posted 9 Hours Ago
In-Office
Seattle, WA, USA
142K-221K Annually
Senior level
Lead strategic privacy and cybersecurity governance initiatives, serving as a subject matter expert, coordinating across stakeholders, and implementing process improvements to protect customer data and enhance compliance efforts.
The summary above was generated by AI
Job Description

Join Nordstrom's Technology team as a Senior Privacy & Cybersecurity Governance Analyst, where you'll play a pivotal role in leading strategic privacy and security governance initiatives across the enterprise. You will be a subject matter expert and trusted advisor to leadership, building comprehensive governance programs that protect customer data, reduce risk, and ensure our organization remains audit-ready across complex regulatory landscapes.

In this role, you will lead domain-specific privacy and cybersecurity governance activities, driving compliance efforts, contributing to policy development, and mentoring junior team members. You will have authority to implement process improvements within your specialized domain and make domain-specific recommendations to senior staff for enterprise-wide changes. You will coordinate across multiple stakeholders to ensure comprehensive privacy and security input while developing integrated frameworks that support business objectives.

Are you a strategic thinker with deep expertise in privacy and cybersecurity governance? Do you have a passion for building scalable programs that protect customers and enable business growth? Do you think about ways to integrate privacy-by-design and security-by-design principles into everything we do? Join our team and be part of a company that is on the cutting edge of retail technology, committed to getting consumers the products they love in a safe, secure, and privacy-respecting environment.

A Day in the Life...

Privacy Subject Matter Expertise

  • Serve as primary contact and subject matter expert for domain-specific data privacy activities or those within a specific privacy-related area of expertise (e.g., artificial intelligence, consumer credit, marketing)
  • Identify emerging privacy threats and trends and advise on strategic initiatives to enhance data protection across the organization
  • Evaluate and enhance privacy-related risk assessment processes, including identifying and anticipating changes in relevant industry and/or regulatory frameworks
  • Implement process improvements within their specialized privacy domain, developing standardized approaches and best practices for recurring data privacy assessment scenarios
  • Educate stakeholders on data privacy requirements and changes through training sessions, workshops, and consultation to improve organizational privacy awareness and readiness
  • Analyze legal and regulatory developments in privacy and assess their business impact, ensuring the organization stays ahead of evolving compliance requirements
  • Participate in investigations and remediation of privacy incidents or breaches, supporting incident response coordination and documentation

Integrated Privacy & Security Strategy

  • Coordinate operational activities across multiple stakeholders including Legal, IT, Security, and Marketing to ensure comprehensive privacy and security input and effective data governance strategies, including owning initiative scoping, workplans, and milestone tracking end-to-end
  • Identify and develop advanced risk management frameworks that integrate privacy and security considerations for holistic risk assessment and treatment
  • Lead the build-out and operationalization of the Third-Party Risk Management (TPRM) program, including vendor assessment frameworks, risk tiering, intake workflows, and ongoing monitoring
  • Evaluate and enhance privacy and security risk assessment processes, identifying and anticipating changes in relevant industry and regulatory frameworks
  • Implement process improvements within specialized domains, developing standardized approaches and best practices for recurring assessment scenarios
  • Develop integrated privacy and security metrics and reporting, creating dashboards and analytics that provide actionable insights to management and support strategic decision-making
  • Represent the privacy and security governance team in cross-functional governance forums, building relationships and serving as a trusted advisor across the enterprise

Data Governance

  • Maintain and mature the personal information (PI) inventory, ensuring data maps and records of processing activities (ROPAs) are accurate and sufficient to support DSR fulfillment and privacy compliance obligations
  • Support data classification efforts for personal and sensitive data in partnership with IT and data teams, ensuring privacy requirements are reflected in classification taxonomies and handling standards
  • Contribute to data minimization and retention reviews, advising on privacy obligations and regulatory requirements that should inform lifecycle decisions owned by data and legal teams
  • Support the evaluation of data governance tooling (e.g., Collibra, BigID, OneTrust Data Mapping) where it intersects with privacy use cases such as data discovery, PI identification, and automated inventory management

Mentorship & Team Development

  • Mentor junior analysts by providing guidance on assessment techniques, regulatory interpretation, and organizational privacy and security practices
  • Share expertise and best practices to build organizational capability in privacy and cybersecurity governance
  • Support the development of team members through coaching on complex privacy and security scenarios

You Own This If You Have...

Required Qualifications

Experience:

  • 5-7 years of experience in privacy, information security, legal, or compliance roles
  • Demonstrated leadership in privacy or security program/project delivery with proven ability to drive initiatives to completion
  • Practical experience operationalizing privacy regulations and security frameworks in business environments
  • Experience coordinating across multiple stakeholders to achieve comprehensive privacy and security outcomes
  • Hands-on experience building or maturing a third-party risk management (TPRM) function, including vendor assessment, risk tiering, and ongoing monitoring

Education:

  • Bachelor's or Master's degree in Information Technology, Computer Science, Engineering, Information Security, or related field, or equivalent work experience

Certifications:

  • IAPP certifications preferred (CIPP/US, CIPM, CIPT, or similar)
  • Advanced security certification required (CISSP, CISM, CISA, or equivalent)

Technical Knowledge:

  • Deep understanding of privacy regulations including U.S. privacy laws (CCPA/CPRA and emerging state privacy laws) and their practical application
  • In-depth knowledge of cybersecurity frameworks (NIST CSF, ISO 27001, CIS Controls, SOC 2, PCI DSS) and regulatory environments
  • Strong understanding of security controls, risk assessment methodologies, and compliance frameworks
  • Expertise in control design, implementation, and effectiveness assessment across multiple security domains
  • Demonstrated experience with project management tools (e.g., Jira, Confluence, Smartsheet, or similar) to manage initiative tracking, documentation, and cross-functional collaboration

Skills:

  • Strong communication, leadership, and influence skills with ability to build relationships across all organizational levels
  • Effective communicator who can translate complex technical and regulatory requirements into actionable business guidance
  • Expert attention to detail, quality, and consistency in program delivery and documentation
  • Excellent technical writing and stakeholder communication abilities, including presentation skills
  • Proven ability to lead cross-functional initiatives and collaborate across enterprise teams to achieve shared objectives
  • Strong bias for results and can operate with autonomy to address bottlenecks, provide escalation management, and encourage behavior to maximize business benefit

Preferred Qualifications

Advanced Certifications:

  • Multiple IAPP certifications (CIPP, CIPM, CIPT)
  • Multiple security certifications (CISSP, CISM, CISA)
  • Governance certifications such as CGEIT or CRISC valued

Additional Experience:

  • Experience with integrated privacy and security control implementations across multiple domains
  • Background in developing risk assessment methodologies and frameworks
  • Experience with GRC, privacy, and vendor management platforms (e.g., OneTrust, ServiceNow GRC, Onspring) to optimize program delivery
  • Knowledge of privacy automation and data governance technologies
  • Experience with security architecture governance and design principles
  • Background in third-party security risk assessment programs

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

  • Medical/Vision, Dental, Retirement and Paid Time Away

  • Life Insurance and Disability

  • Merchandise Discount and EAP Resources

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

For Los Angeles or San Francisco applicants: Nordstrom is required to inform you that we conduct background checks after conditional offer and consider qualified applicants with criminal histories in a manner consistent with legal requirements per Los Angeles, Cal. Muni. Code 189.04 and the San Francisco Fair Chance Ordinance. For additional state and location specific notices, please refer to the Legal Notices document within the FAQ section of the Nordstrom Careers site.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com. 

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQs for relevant information and guidelines.

© 2022 Nordstrom, Inc  

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Pay Range Details

The pay range(s) below has been provided in compliance with state specific laws. Pay ranges may be different for other locations. 
Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.

$142,000.00 - $220,500.00 Annual

This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf

Top Skills

Cybersecurity Frameworks
Privacy Regulations
Project Management Tools
HQ

Nordstrom Seattle, Washington, USA Office

1600 7th Ave, Seattle, Washington, United States, 98101
