Senior Security Analyst


Stitch Fix

💵 $121k-$178k
📍 Remote - United States

Summary

Join Stitch Fix's Governance, Risk, and Compliance team as a Lead Security Engineer I. Collaborate with engineering, platform, governance, and legal teams to enhance Stitch Fix's security posture. Develop and maintain information security policies, standards, and procedures. Execute third-party risk assessments and provide actionable recommendations. Serve as a subject matter expert for the GRC platform, generating reports and supporting audits. Provide strategic insights to enable risk-informed decision-making. This role requires 5+ years of experience in a GRC environment and strong communication skills. The ideal candidate will possess expertise in security frameworks (NIST, PCI DSS) and GRC tools.

Requirements

  • Bring 5+ years of hands-on experience in a Governance, Risk, and Compliance (GRC) environment, with a deep understanding of risk management principles
  • Excel at translating complex technical concepts into clear, accessible language for non-technical stakeholders, helping teams navigate security concerns with confidence
  • Demonstrate strong written and verbal communication skills, with experience creating technical documentation, policy guidance, and best practices
  • Are well-versed in GRC tools and terminology, and know how to leverage them to support compliance and audit readiness
  • Have a solid grasp of security frameworks (e.g., NIST, ISO, PCI DSS) and understand their practical applications in a business environment
  • Understand core cloud security principles and can apply them across modern infrastructure environments
  • Are a natural problem-solver and critical thinker, skilled at identifying security gaps and driving thoughtful solutions
  • Possess the ability to analyze complex systems, evaluate risks, and develop actionable mitigation strategies
  • Thrive in a collaborative, fast-paced environment, and enjoy working cross-functionally to drive impact and influence outcomes

Responsibilities

  • Drive Policy and Standard Development: Collaborate cross-functionally to develop and maintain information security policies, standards, and procedures that align with Stitch Fix’s risk appetite. Your work will balance security requirements with the practical needs of business operations, enabling teams to move quickly while maintaining compliance
  • Execute Third-Party Risk Assessments: Support the end-to-end third-party risk management process by conducting security assessments of vendors and partners. Offer clear, actionable recommendations and partner with business owners to ensure our third-party relationships uphold Stitch Fix’s security and compliance standards
  • GRC Tool Ownership and Reporting: Serve as a subject matter expert for our GRC platform (e.g., Drata, Archer, or equivalent). Maintain the tool’s configuration and workflows, generate reports and metrics, and support audit and compliance activities through effective data collection and visualization
  • Enable Risk-Informed Decision Making: Provide strategic insights and operational support to enable business units to make informed decisions regarding risk. Support internal audits, regulatory reviews, and compliance initiatives across the organization

Benefits

  • We offer comprehensive compensation packages and inclusive health and wellness benefits
  • This role will receive a competitive salary, benefits, and equity
  • The position is eligible for medical, dental, vision, and other benefits
  • This position is eligible for new hire and ongoing grants of restricted stock units depending on employee and company performance
