
Cyber Security Risk Engineer

Wayfair, posted 15 days ago
Toronto, ON
$151,411 - $169,169/year
Mid Level
Full-Time

About the role

Salary Range: $151,411 - $169,169 per year

"This job posting is for an existing vacancy."

"Please click here/refer to Wayfair's Career Page for information about how Wayfair uses AI to enhance its recruiting and hiring processes."

Wayfair is the online leader for home furnishings and decor. Through technology and innovation, we make it possible for shoppers to quickly and easily find exactly what they want from a selection of millions of items across home furnishings, décor, home improvement, housewares, and more. Our fast-paced, high-growth environment demands a modern, pragmatic approach to cybersecurity risk.

We are looking for a Risk Engineer to identify, contextualize, analyze, and drive remediation of technical risks across Wayfair. This role is focused on risk remediation and reduction and will also support broader GRC work, including maintaining compliance and contributing to strategic program governance.

You will work at the intersection of risk management, security engineering, compliance, and program execution: helping engineers interact with risk in a structured way, ensuring there is a business understanding of risk that complements the technical view, and driving strategic and technical solutions through to implementation, effectively prioritizing the changes that remove most of the risk for a fraction of the effort.

What You’ll Do

Risk analysis, ratings & prioritization

  • Partner with engineering, platform, product, SOC, and Red Team to identify and refine technical and operational risks from incidents, assessments, vendor findings, and roadmap changes.
  • Normalize raw “concerns” into clear, actionable risk statements that describe threat, vulnerability, and business impact in Wayfair terms (systems, data, operations).
  • Analyze and contextualize risks using diagrams, data flows, logs, and asset metadata to understand realistic attack paths and blast radius.
  • Leverage AI-assisted tools to cluster, summarize, and contextualize large volumes of signals into clear, prioritized risk narratives while maintaining human judgment on final ratings.
  • Utilize a combination of quantitative and qualitative risk analysis methods to produce accurate, consistent, defensible ratings, documenting assumptions and challenging outliers.
  • Ensure every risk has both a technical understanding (controls, failure modes) and a business understanding (customer, operational, financial, and regulatory impact).

Driving remediation & partnering with engineering

  • Prioritize remediation work focusing on driving down existing risk in the register.
  • Work side-by-side with engineering teams to design pragmatic remediation plans that balance control maturity, delivery risk, and team capacity.
  • Use an 80/20 mindset to identify high‑leverage changes that reduce most of a risk’s exposure with a fraction of the effort.
  • Use AI copilots to rapidly draft remediation options, epics, and acceptance criteria, iterating with engineering partners while you retain ownership of trade-offs, feasibility, and final risk reduction decisions.
  • Translate risk findings into backlog-ready work (epics, stories, acceptance criteria) with E/PM partners and ensure alignment with platform/domain roadmaps.
  • Actively drive risk closure: track remediation, validate implemented controls, update scores/statuses, and help reduce the overall number of open risks in the register (e.g., merging duplicates, closing fully remediated risks).

Compliance, governance & GRC support

  • Support security and technology compliance efforts (e.g., PCI DSS, ISO) by mapping risks to controls and evidence and helping prepare for audits and assessments.
  • Perform targeted GRC tasks such as maintaining risk/compliance documentation, improving linkages between risks, controls, and issues, and contributing to strategic cyber risk governance through curated risk insights for leadership forums and planning cycles.
  • Apply AI assistants to map risks to controls and evidence, pre-draft audit responses, and continuously surface control gaps or inconsistencies for human review and decision-making.

Helping others interact with risk & improving the program

  • Act as a partner for engineers helping write, score, and decompose technical risks.
  • Create and maintain lightweight guidance and templates so teams can self-service common risk and GRC tasks.
  • Contribute to risk workflow automation and data quality so we can reliably report on trends and posture, and support preparation of concise risk updates and dashboards for security and technology leadership.
  • Champion responsible, everyday use of AI across risk and engineering by creating prompts, playbooks, and guardrails so teams can safely self-serve AI for common risk, GRC, and documentation tasks.

What You’ll Need

Foundational skills & experience

  • Bachelor’s degree in Computer Science, Information Security, Engineering, Mathematics or equivalent practical experience.
  • 2–4 years of experience in security engineering, risk management, threat modeling, offensive security, SOC/IR, or GRC with demonstrable exposure to technical risk.
  • Solid understanding of core security concepts: authentication & authorization, least privilege, logging and monitoring, network segmentation, vulnerability management, and incident response.
  • Demonstrated experience experimenting with AI and LLM tools (e.g., document synthesis, data exploration, query assistance) and integrating them into repeatable, auditable workflows while maintaining human judgment on hallucination risks and safeguards.
  • Working knowledge of modern infrastructure and application stacks, ideally including:
    • Public cloud (GCP preferred; AWS/Azure acceptable).
    • Containers and orchestration (Docker / Kubernetes) and/or modern CI/CD pipelines.
    • Common SaaS and internal platforms (identity, observability, developer tooling).

Risk, compliance & analysis capabilities

  • Ability to read architecture diagrams, data flows, and technical docs, and ask the right questions to uncover real threats and failure modes.
  • Experience with risk assessment or control evaluation using common frameworks (e.g., NIST CSF, ISO 27001, PCI DSS) and the ability to apply them pragmatically.
  • Comfortable prioritizing based on business impact, likelihood, and control maturity rather than just raw vuln counts or checklists.
  • Strong analytical skills; able to synthesize noisy inputs (logs, tickets, incident notes, vendor reports) into clear risk narratives and recommended actions.
  • Interest in or experience with compliance and GRC workflows (evidence collection, control testing, audit support, policies/standards).

Collaboration & communication

  • Excellent written and verbal communication skills; able to translate between security, engineering, and business audiences (risk language and system language).
  • Demonstrated experience influencing without authority: driving adoption of recommendations by building trust with engineers, not by policy alone.
  • Comfortable working independently in ambiguous problem spaces, yet able to escalate, ask for help, and adjust based on feedback.

Nice to have

  • Exposure to quantitative risk methods (e.g., FAIR, Monte Carlo) or strong interest in learning them.
  • Prior experience working with GRC / risk workflow tools (e.g., LogicGate) or building light automation around risk or control data.
  • Hands-on familiarity with SaaS security, identity perimeters, or cloud guardrails (VPC‑SC, IAM policies, service account hardening, etc.).
  • Experience experimenting with AI and LLM tools for security use cases (e.g., log summarization, control mapping, threat modeling) and transitioning successful experiments into repeatable, auditable workflows.

This role is a good fit if you enjoy sitting in the middle of complex systems and people, turning abstract security concerns into clear, data‑backed risks, prioritized remediation, and concrete work that reduces both technical and compliance risk over time.

Assistance for Individuals with Disabilities
Wayfair is fully committed to providing equal opportunities for all individuals, including individuals with disabilities. As part of this commitment, Wayfair will make reasonable accommodations to the known physical or mental limitations of qualified individuals with disabilities, unless doing so would impose an undue hardship on business operations. If you require a reasonable accommodation to participate in the job application or interview process, please let us know by completing our Accommodations for Applicants form.

Need Technical Assistance?
For more information about applying for a career at Wayfair, visit our FAQ page here.

About Wayfair Inc.
Wayfair is one of the world’s largest online destinations for the home. Whether you work in our global headquarters in Boston, or in our warehouses or offices throughout the world, we’re reinventing the way people shop for their homes. Through our commitment to industry-leading technology and creative problem-solving, we are confident that Wayfair will be home to the most rewarding work of your career. If you’re looking for rapid growth, constant learning, and dynamic challenges, then you’ll find that amazing career opportunities are knocking.

No matter who you are, Wayfair is a place you can call home. We’re a community of innovators, risk-takers, and trailblazers who celebrate our differences, and know that our unique perspectives make us stronger, smarter, and well-positioned for success. We value and rely on the collective voices of our employees, customers, community, and suppliers to help guide us as we build a better Wayfair – and world – for all. Every voice, every perspective matters. That’s why we’re proud to be an equal opportunity employer. We do not discriminate on the basis of race, color, ethnicity, ancestry, religion, sex, national origin, sexual orientation, age, citizenship status, marital status, disability, gender identity, gender expression, veteran status, genetic information, or any other legally protected characteristic.

Your personal data is processed in accordance with our Candidate Privacy Notice (https://www.wayfair.com/careers/privacy). If you have any questions or wish to exercise your rights under applicable privacy and data protection laws, please contact us at dataprotectionofficer@wayfair.com.

About Wayfair

Industry: Retail; company size: 10,000+

Wayfair is the destination for all things home: helping everyone, anywhere create their feeling of home. From expert customer service, to the development of tools that make the shopping process easier, to carrying one of the widest and deepest selections of items for every space, style, and budget, Wayfair gives everyone the power to create spaces that are just right for them.