Navan

Security Compliance Analyst

Posted 54 Minutes Ago
Hybrid
London, Greater London, England, GBR
Mid level
The Security Compliance Analyst ensures compliance with global security regulations and frameworks, manages security audits, and collaborates with internal and external teams to improve security posture.
The summary above was generated by AI

About the Role

The Security Compliance Analyst will work as a critical part of the Security Compliance Team, operating within the wider Navan Governance, Risk, Compliance, and Trust (GRCT) Team. In this role, you will ensure our continued compliance with global security regulations and industry frameworks—including GDPR, Sarbanes-Oxley ITGCs, ISO 27001, PCI DSS, and SOC 1/SOC 2. Acting as a key bridge between technical engineering teams, end users, external assessors, and international business units, you will play an essential part in safeguarding our platforms, maintaining customer trust, and scaling Navan’s global operations securely.


What You’ll Do

In this role, you will protect and enhance Navan's security posture, directly furthering our company goal of providing a secure, world-class global travel and expense platform. Your typical responsibilities will include:

  • Coordinating and supporting internal and external security audits, technical assessments, and penetration tests across our environments.
  • Partnering closely with US-based compliance auditors and external audit firms; this includes a flexible schedule to work late (until 9:00 PM–10:00 PM) a few days per month on specific alignment days to facilitate direct collaboration with US teams.
  • Managing audit findings and remediation tracking items to ensure compliance issues and non-conformities are resolved in a timely manner.
  • Performing regular testing of security compliance controls to identify operational deficiencies, track Key Performance Indicators (KPIs), and report on overall compliance health and continuous improvements.
  • Partnering with engineering teams to gather and implement automated evidence collection workflows, utilizing JIRA and AI platforms to drive efficiency and reduce manual overhead.
  • Translating complex technical security requirements into clear, actionable business language to collaborate effectively with internal technical teams and external stakeholders at all levels.

What We’re Looking For

  • Experience: Minimum of 3 years of hands-on experience in information security compliance, ideally paired with a technical background (such as experience as a developer, software engineer, or systems administrator).
  • Framework Expertise: Strong working understanding of Sarbanes-Oxley 404 IT General Controls (ITGCs) and the PCI DSS, alongside familiarity with frameworks like ISO 27001, Cyber Essentials Plus, NIST CSF, or SOC 1 and SOC 2.
  • Tools & Systems: Practical experience using GRC software (e.g., Optro/AuditBoard, SafeBase) alongside standard ticketing platforms like JIRA.
  • Core Skills & Flexibility: Excellent attention to detail, a proactive approach to problem-solving, and the flexibility to adapt your working hours monthly to accommodate collaboration with US-based auditing bodies.
  • Education & Certifications: A degree-level education in Cybersecurity, Computer Science, or a related field (or equivalent practical experience); industry certifications like CompTIA Security+, ISO 27001 Lead Auditor, or ISC2 CGRC are highly advantageous.
  • Bonus: As Navan works with colleagues around the globe, proficiency in French, Spanish, Italian, or German is highly beneficial.

Navan London, England Office

81-87 High Holborn, London, United Kingdom, WC1V 6DF
