
Information Security Risk & Compliance Analyst - Remote USA (*eligible states)

The RealReal

Bellflower (CA)

Remote

USD 96,000 - 115,000

Full time

9 days ago


Job summary

An established industry player is seeking an Information Security Risk & Compliance Analyst to enhance its Governance, Risk, and Compliance initiatives. This role is pivotal in maturing security and compliance programs, ensuring adherence to frameworks like SOX and PCI DSS. The ideal candidate will possess hands-on experience in conducting risk assessments and supporting audits, translating compliance requirements into actionable policies. Join a forward-thinking company dedicated to building trust and integrity in technology, while contributing to a sustainable marketplace for luxury goods.

Benefits

Health Insurance
Retirement Plan
Employee Discounts
Flexible Work Hours
Professional Development Opportunities

Qualifications

  • 2+ years in GRC, IT compliance, security, or risk management.
  • Hands-on experience with compliance frameworks and audits.

Responsibilities

  • Assist with internal and external audits including evidence collection.
  • Draft and maintain security and compliance policies.

Skills

GRC (Governance, Risk, Compliance)
Risk Assessments
Compliance Frameworks (NIST CSF, ISO27001)
Policy Development
Vendor Risk Management

Education

Bachelor’s Degree or Equivalent Work Experience

Tools

Compliance Tooling
Change Management Tools

Job description

About The Role
The Information Security team’s mission is to build and protect stakeholder trust - customers, employees, investors - in our business, especially where technology is involved. Information Security & Privacy at The RealReal reinforces customer trust and is core to the business. We guide organizational security risk decisions and partner with technology and business teams. We bring integrity, knowledge, and a passion for technology.

We are seeking an Information Security Risk & Compliance Analyst to join our Information Security Team. This role will support Governance, Risk, and Compliance (GRC) initiatives. The Analyst will help mature our security and compliance programs, such as SOX, NIST CSF, PCI DSS, and Privacy.

The ideal candidate has hands-on experience with compliance frameworks, conducting risk assessments, conducting vendor risk assessments, supporting audits, and developing policies and procedures.

*States Not Eligible: AK, AR, DE, KS, MS, ND, SD, WY

What You Get To Do Every Day
  • Compliance & Audit Support – Assist with internal and external audits (SOX, PCI DSS, Privacy), including evidence collection, process documentation, and remediation tracking.

  • Policy & Procedure Management – Draft, update, and maintain security and compliance policies to align with regulatory requirements and industry best practices.

  • Change Management Security Reviews – Collaborate with Product, Engineering, and Privacy teams to assess security and compliance risks in new product features, infrastructure changes, and business processes.

  • Third-Party Risk Management (TPRM) – Conduct vendor risk assessments, evaluate security controls, and support contract security reviews.

  • Risk Management – Perform risk assessments, track remediation efforts, and collaborate with stakeholders to mitigate security and compliance risks, following industry best practices (NIST CSF, ISO27001, CIS).

  • Access & Security Reviews – Conduct user access audits, support user access review process, and improve onboarding/offboarding access controls.

  • Security Awareness and Training – Coordinate and conduct regular security awareness activities, including simulated phishing campaigns. Monitor and report on key performance indicators (KPIs) to track the security awareness program's effectiveness.

What You Bring To The Role

Minimum Requirements:

  • 2 years in GRC, IT compliance, security, or risk management.

  • Working knowledge of various frameworks, such as NIST CSF, ISO27001, CIS, SOX, PCI DSS, COBIT, and related frameworks.

  • Familiarity with IT environments, cloud environments, security controls, and compliance tooling (e.g., change management, access and identity, and other related GRC tools).

  • Hands-on experience conducting risk assessments, supporting audits, and supporting compliance reporting.

  • Ability to translate compliance requirements into actionable policies and procedures.

Preferred Requirements:

  • Bachelor’s degree or equivalent work experience.

  • GRC experience in the retail, e-commerce, or marketplace industries.

  • Hands-on experience supporting SOX audits.

  • Hands-on experience designing and assessing SOX controls (ITGC, ITAC).

  • Experience with Service Organization Controls (SOC1, SOC2) reviews.

  • Certifications (Preferred): CGRC, CISA, CRISC, CISSP, or equivalent.

Compensation, Benefits, + Perks
The expected salary range for this role is $96,872.00-$114,485.00. To determine starting pay we carefully consider a variety of factors, including primary work location and an evaluation of a candidate’s skills, experience, market demands, and internal parity. Additionally, salary is just one component of TRR’s total rewards package. Depending on role, employees may also be eligible for a bonus program, incentive pay and benefits.

The RealReal is the world’s largest online marketplace for authenticated, resale luxury goods, with 37 million members. With a rigorous authentication process overseen by experts, The RealReal provides a safe and reliable platform for consumers to buy and sell their luxury items. We have hundreds of in-house gemologists, horologists, and brand authenticators who inspect thousands of items each day. As a sustainable company, we give new life to pieces by thousands of brands across numerous categories—including women's and men's fashion, fine jewelry and watches, art, and home—in support of the circular economy. We make selling effortless with free virtual appointments, in-home pickup, drop-off, and direct shipping. We handle all of the work for consignors, including authenticating, using AI and machine learning to determine optimal pricing, photographing and listing their items, as well as shipping and customer service.

The RealReal is committed to providing an equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or expression, or Veteran status. We will consider qualified applicants for a position regardless of arrest or conviction records. At TRR, People Come First. That’s why diversity and inclusion are vital to our priorities as an equal opportunity employer. You can read about our Diversity, Equity and Inclusion program here.

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. The employee is regularly required to sit; use hands to finger, handle, or feel and talk or hear. The employee is occasionally required to stand; walk; reach with hands and arms; climb or balance; stoop, kneel, crouch, or crawl; and taste or smell. The employee must occasionally lift and/or move up to 10 pounds. Specific vision abilities required by this job include close vision. The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job.
