Senior Information Security Risk and Compliance Analyst

IT, Legal
Cambridge, MA, USA
Posted on Thursday, October 12, 2023

Who we are
At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.

What we do
The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!

Working on the Information Security Risk and Compliance team, this person is charged with assisting the organization with the identification, assessment, measurement, monitoring, and management of risk related to SOX and other compliance requirements.

The Analyst will focus primarily on the IT and Security segments of our IT SOX audits, designing and implementing controls. This person will work closely with our SOX Manager and with internal and external auditors to fulfill control requirements by collecting evidence and demonstrating compliance.

They must have experience in managing and understanding SOX controls including, but not limited to, new acquisitions. Assessing financial, operational, and technical risk is a key requirement when evaluating vendors and partners. This position will require in-depth working knowledge of risk scoring, levels, exceptions, and drafting mitigation plans. The individual must be able to communicate effectively when there is a risk that needs to be reviewed by senior management.

As part of the team, this person will be responsible for helping maintain, launch, and monitor our security awareness program inclusive of phishing training and campaigns.

A well-qualified candidate will be comfortable taking direction from senior members of the Risk and Compliance team and be able to work autonomously when given an assignment or project.

The candidate must have strong written and verbal communication skills, strong organizational skills, and a good understanding of SOX controls, cyber security principles and concepts, and risk management. Project management skills and attention to detail are a must.

They are also expected to help mentor junior members of the team.

Responsibilities would include:

  • Perform risk assessments and audits across all areas of the business including regulatory and compliance controls such as SOX, SOC 2 Type 2, etc.
  • Document risk and develop risk mitigation plans and strategies which help promote an agile, innovative culture.
  • Manage multiple projects simultaneously.
  • Develop and deliver security awareness training to the organization and ensure compliance.
  • Conduct security risk assessments of third-party vendors, partners, and contractors.
  • Perform audits to test the design and operational effectiveness of controls.
  • Lead a risk-focused culture by building and emphasizing security training and compliance.
  • Work closely with financial application owners to design, socialize, and implement SOX controls.
  • Deliver reporting metrics and KPIs to senior Information Security leadership on program deliverables.
  • Must have an appetite for continuous learning and stay current with industry trends relating to cyber security, privacy, and risk.
  • Mentor junior team members.

Qualifications:

  • Bachelor’s Degree or equivalent combination of education and experience in Information Security, Computer Science, Management Information Systems or related curriculum.
  • 5 years of experience in risk management, information security, audit, regulatory compliance, and data privacy functions.
  • Knowledge of the following frameworks and compliance regimes: CIS Controls, NIST, PCI, SOX, SOC 2 Type 2, CCPA/CPRA, and GDPR.
  • Proven experience of working with control owners, designing and implementing risk-based SOX controls.
  • Proven understanding of risk assessment methodologies, frameworks, procedures and the ability to work flexibly with them to meet organizational size, maturity, and culture considerations.
  • Ability to gauge risks posed to the company, based on contextual factors and the organization’s risk tolerance.
  • Knowledge of risk assessment tools, technologies, and methods.
  • Ability to think strategically about security risks and tie those to tactical organizational activities and goals.
  • Open to learning and working on new domains and technology.
  • Ability to clearly articulate issues and communicate in an effective and personable manner.
  • Ability to adjust quickly to the security needs of a highly agile organization.
  • Experience building relationships cross-functionally and facilitating good partnerships is critical in this role.

Working at CarGurus
We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.

We welcome all
CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We want to know what only you can bring to CarGurus.