Who we are

At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.

What we do

The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!

Working on the Information Security Risk and Compliance team, you will play a critical role in ensuring the confidentiality, integrity, and availability of data assets while complying with regulatory requirements and industry best practices. 

Identifying, classifying, and outlining mitigation plans for risks associated with the handling, storage, and transmission of sensitive data within our organization are core functions of this role. This position requires a deep understanding of data governance principles and data classification methodologies, and a strong understanding of technology risk management, regulatory frameworks, and compliance standards.

A well-qualified candidate will be comfortable taking direction from management and be able to work autonomously when given an assignment or project. The candidate must have strong written and verbal communication and organization skills, and a solid understanding of different data storage technologies, regulations around data security and risk management. Project management and attention to detail are a must. They are also expected to help mentor junior members of the team.

Responsibilities: 

Data Classification and Inventory:

  • Develop and maintain a comprehensive inventory of organizational data assets, including their classification levels, sensitivity, and associated risks using our data security platform.
  • Implement data classification frameworks and methodologies to categorize data according to its level of sensitivity, criticality, and regulatory requirements.
  • Collaborate with business units and data owners to identify and document data flows, usage patterns, and access controls for classified data.

Risk Assessment and Analysis:

  • Conduct thorough risk assessments of classified data assets to identify potential vulnerabilities, threats, and compliance gaps.
  • Analyze and evaluate the effectiveness of existing controls and security measures in mitigating data-related risks.
  • Develop risk treatment plans and mitigation strategies to address identified vulnerabilities and improve the overall security posture of data assets.

Compliance and Regulatory Alignment:

  • Ensure compliance with relevant data protection regulations, such as GDPR, CCPA, etc., by assessing data handling practices against regulatory requirements.
  • Monitor changes in data protection laws and regulations to ensure ongoing compliance and adapt data classification policies and procedures.
  • Provide guidance and support to business units on regulatory requirements and industry best practices related to data classification and risk management.

Data Protection Controls:

  • Recommend and implement technical controls, encryption mechanisms, access controls, and data loss prevention (DLP) solutions to protect classified data from unauthorized access, disclosure, or misuse.
  • Conduct periodic assessments of data protection controls and security measures to validate their effectiveness and identify areas for improvement.
  • Collaborate with IT and Security teams to integrate data protection controls into technology systems and infrastructure.

Reporting and Communication:

  • Prepare and present comprehensive risk assessment reports, findings, and recommendations to senior management.
  • Communicate effectively with business units and data owners to raise awareness of data classification requirements, risks, and responsibilities.
  • Collaborate with internal audit teams and external auditors to facilitate data classification reviews and compliance assessments.
  • Work closely with the project team to ensure that deliverables are on time and on budget.

Tool Implementation and Maintenance: 

  • Design and architect the implementation of Data Discovery and DLP tools.
  • Coordinate with the vendor account management teams to improve the capabilities of the tools and participate in QBRs.
  • Prepare and present to stakeholders new tool improvements and enhancements.

Qualifications:

  • Bachelor's degree in Information Security, Computer Science, or related field; Master's degree preferred.
  • Relevant certifications such as CISSP, CISM, CRISC, or equivalent are highly desirable.
  • Experience working in an agile development environment.
  • 5+ years of experience in data classification, risk management, or information security.
  • Strong understanding of data classification methodologies, risk assessment frameworks, and regulatory requirements.
  • Experience with data protection technologies, such as encryption, access controls, and data loss prevention (DLP) solutions.
  • Familiarity with relevant data protection regulations, such as GDPR, CCPA, etc.
  • Excellent analytical and problem-solving skills, with the ability to effectively identify and prioritize data-related risks.
  • Strong communication skills, with the ability to convey complex technical concepts to non-technical stakeholders.
  • Strong project management capabilities and holding self and others accountable for their deliverables.
  • Ability to mentor junior team members. 

Working at CarGurus

We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.

We welcome all

CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus.



U.S. Voluntary Demographic Questions

Here at CarGurus, we are serious about our dedication to building a diverse workplace, where our employees can bring their best selves to work in order to learn, thrive, and do great things together. In recent years, we’ve doubled down on our commitments to ensuring we are a values-driven culture supported by strong individuals and leaders. This commitment extends to hiring, where we have set high standards for ourselves to run a positive and inclusive process.

To help us recruit and hire in a way that is respectful of all candidates, we invite you to anonymously self-identify about gender, sexual orientation, race/ethnicity, veteran status, and disabilities. Any information provided is completely voluntary, anonymous, and analyzed in aggregate by a small group on our People & Talent team.

If you prefer not to answer, that’s fine. However, we hope that you will choose to answer so we can gather as much data as possible, and use it to continue making CarGurus a vibrant, diverse, and special place to work.

The legal stuff: We’re committed to providing equal opportunity in employment on the basis of individual merit and personal qualifications to all employees and applicants for employment, regardless of race, color, religion, religious creed, ethnicity, national origin, ancestry, citizenship, sex (including pregnancy, childbirth, breastfeeding, or related medical conditions), sexual orientation, gender, gender identity, gender expression, age, physical or mental disability (handicap), medical condition, protected medical leaves, genetic information, military or covered-veteran status, marital status, height, weight, certain criminal records, or any other classification protected by applicable federal, state or local law.
