Principal Analyst, Technology Compliance

About this Job

The Principal Technology Compliance Analyst is a subject matter expert in compliance management, information security controls, and auditing. This role is responsible for establishing, maintaining, and continuously improving the compliance management framework and processes in alignment with regulatory requirements and industry standards. You will collaborate with Technology management teams to evaluate and design controls, conduct compliance reviews (audits), report results, track issues, and monitor remediation plans. As a hands-on compliance expert, you will advise business and control owners, assist with compliance-related activities, and provide consulting direction on cross-functional projects. You will ensure compliance with policies, procedures, leading practices, access control, asset classification, data privacy, architecture, and company security standards.

Essential Responsibilities

• Design, implement, and maintain enterprise-wide General IT Controls (GITCs) and compliance frameworks aligned with regulatory requirements (PCI DSS, SOX, HIPAA, Data Privacy, etc.).
• Develop and enforce processes and procedures to ensure adherence to company policies, laws, and industry standards (e.g., NIST, ITIL).
• Influence compliance strategy and direction within established standards and guidance.
• Plan and execute compliance testing, control assessments, and documentation for technology environments.
• Validate key controls, identify risks, analyze root causes, and recommend improvements to meet compliance standards.
• Communicate remediation and prevention strategies using leading practices and drive completion of corrective actions.
• Facilitate internal and external audits across technology teams.
• Collaborate with GRC teams to strengthen assessment processes.
• Serve as a trusted advisor and subject matter expert for technology controls.
• Maintain strong knowledge of industry trends, regulations, and emerging standards.
• Assess, design, and implement technical improvements to control testing processes leveraging automation, AI, etc.
• Develop and deliver compliance training and awareness programs across all domains.
• Mentor team members and support professional development to foster organizational maturity.

Qualifications and Requirements

• Degree in Technology, Computer Science, or Business, with solid IT audit or compliance management experience or equivalent work experience
• 7+ years of experience with enterprise compliance, audit, and/or risk management programs, privacy, data security, and control issues across cloud and on-premises environments.
• Strong understanding of key compliance regulations (Sarbanes-Oxley, GLBA, HIPAA, PCI).
• Ability to stay abreast of industry trends, emerging threats, and changing external regulations, and adapt core compliance processes accordingly.
• Experience in designing and implementing enterprise Compliance Governance frameworks, including identification, assessment, and mitigation of compliance exposure.
• Detailed knowledge and experience with IT General Controls and operational testing procedures for SOX, PCI, and privacy.
• Ability to assess alternative compliance approaches and methodologies, both quantitatively and qualitatively, to meet business needs.
• Effective communication skills to convey risks, gather test evidence, and translate compliance findings into actionable steps.
• Ability to assess, identify, and document third-party system compliance deficiencies and recommend solutions.
• Excellent facilitation skills for group discussions, diplomacy, and seeking diverse opinions.
• Strong organizational and time management skills.
• In-depth knowledge of information security, compliance management frameworks, and standards (NIST, OWASP, SANS, ISO-27001/2, COBIT, ITIL).
• Commitment to top-quality service and exceeding customer expectations.
• Demonstrated leadership and ability to gain consensus across teams without direct reporting responsibility.
• Possession of CISA certification (required); CRISC, CIA, CISM, CISSP, PCI certifications (desired).

Work Location and Arrangement: This role can be based out of the CarMax Home Office in Richmond, VA or Dallas Technology Hub and will have a Hybrid work arrangement

Work Authorization: Applicants must be currently authorized to work in the United States on a full-time basis. Sponsorship will not be considered for this specific role.

About CarMax

CarMax disrupted the auto industry by delivering the honest, transparent and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation's largest retailer of used cars, with over 250 locations nationwide.

Our amazing team of more than 25,000 associates work together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community. We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For.

Our Commitment to Diversity and Inclusion:

CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.

CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.

Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.