AVP of Governance, Risk & Compliance (GRC) - Royal Caribbean Group
Miramar, FL 33023
About the Job
POSITION: AVP, Governance, Risk & Compliance
LOCATION: Miramar, FL
REPORTS TO: VP, Information Security
POSITION OVERVIEW
The AVP of Governance, Risk & Compliance (GRC) will ensure technology and business teams comply with external regulations and internal requirements. This role will lead efforts to achieve continuous compliance by partnering with technology, business, and brand teams to adhere to policies, reduce security risks, and maintain compliance. The initial focus will be to establish and advance an IT GRC framework supporting RCCL's global environments, including shoreside, shipboard, subsidiaries, mobile, and cloud services. This position will also define and direct activities to meet regulatory requirements such as GDPR, SOX, PCI, HIPAA, and privacy laws.
The GRC Associate Vice President (AVP) is a leader with strong knowledge of security frameworks (such as NIST CSF), controls, and audit techniques, who seeks to improve how compliance programs are implemented and maintained. The ideal candidate will bring a passion for improving the customer experience by easing the operational burdens associated with compliance and will focus on enhancing transparency across the security landscape.
Candidates must have a proven track record of leadership in enterprise-level information security. They should be able to translate complex technical information into strategic insights for technical leaders and simplify it for business leaders. This role demands high intellectual acumen and the ability to make complex technical details accessible to technical and non-technical stakeholders.
The GRC AVP will lead a global team of 30+ cybersecurity and compliance professionals and manage a portfolio of 15 products and technologies to ensure proper compliance, making risk visible for leaders and employees across RCG.
We seek a hybrid GRC leader: one who balances oversight of the governance function with interfacing and interacting with the technical side, in partnership with our Business Information Security Officers (BISOs) and Business Enablement Engineers (BEEs).
The role offers engagement, exposure, and significant involvement with technology leaders, business leaders, and the Global CISO, participating in compliance, analytics, third-party risk management, and related activities.
As the GRC AVP, you will oversee maritime business enablement and related areas, ensuring compliance for internal and external stakeholders and their regulators, as well as managing key performance indicators (KPIs) and key risk indicators (KRIs). You will also develop and implement strategies to manage and mitigate risks across the organization.
The successful candidate understands the balance between governance, risk, and compliance, the other dynamics of a security program, business enablement engineers, and the needs and goals of business and executive stakeholders, and can straddle both sides in a leadership role.
Candidates should have experience in developing and empowering team members, including BISOs and experts in governance, compliance, cyber risk posture management, and human risk management. They should also be able to partner with business enablement engineers across all areas of the cybersecurity program, such as identity and access management and cyber defense operations.
RESPONSIBILITIES
Governance and Compliance Strategy. Create a global, enterprise-wide cybersecurity risk and compliance strategy aligned with organizational priorities, business objectives, regulatory requirements, and evolving risks.
Team Leadership. Lead and grow a global team of cybersecurity professionals, managing risk, compliance, assessments, reporting, metrics, policy, awareness, and third-party risk management. The candidate will oversee teams including BISOs, Maritime Cybersecurity Compliance, ServiceNow GRC Development, Information Risk Management, Third-Party Risk Management, Regulatory IT Compliance, Human Risk Management & Awareness, and Cybersecurity Posture Management.
Peer Interaction. The candidate will work closely with the following peer leaders: Cyber Defense Operations, Identity and Access Management, Cybersecurity Business Enablement and Strategy, and Counter Threat Operations.
Program Risk Management. Oversee risk and threat-based information security programs ensuring confidentiality, integrity, availability, safety, privacy, and recovery of information.
Cybersecurity Compliance and Policies. Manage enterprise-wide compliance, risk assessment, reporting, cybersecurity policies, third-party risk management, and security training programs.
Governance and Compliance Oversight. Conduct information security audits, respond to external questionnaires, and collaborate with control entities (Audit Services, Enterprise Risk Management, Legal Compliance, regulators, and financial institutions).
Operations Collaboration. Work with the cybersecurity operations team on vulnerability management, threat intelligence, incident management, security architecture, advisory, and identity and access management.
Security Evaluation. Assess security controls, identify improvement opportunities, and communicate recommendations.
Technology Configuration. Ensure security technology is configured and operating per standards, with proper logging for incident detection.
Risk Assessment Validation. Oversee validation of risk assessments, control designs, gap identification, test scripts, evidence, and compensating controls.
Third-Party Risk Management. Perform risk assessments of third parties that interact with RCG to ensure compliance with regulatory requirements.
Regulatory Compliance. Manage IT compliance efforts for GDPR, PCI, and SOX, including control design, implementation, execution, and annual SOX control walkthroughs.
Audit Management. Handle annual SOX, PCI DSS testing, internal audits, remediation tracking, evidence collection, and risk identification.
Remediation Management. Oversee IT remediation processes, tracking and resolving findings from audits, risk assessments, and other control assessments.
Partnership Development. Build strong partnerships with Senior IT Management, Internal Audit, Ethics and Compliance, Enterprise Risk, relevant business units, and third-party vendors to ensure compliance awareness and responsibilities.
Audit Response Facilitation. Manage the IT written response process.
Governance Documentation. Oversee IT governance documentation review and assessment.
Policy and Standards. Lead the creation of Information Security Policies, technical standards and procedures for secure technology configuration and implementation.
Human Risk Management and Awareness Program. Sponsor the company-wide Information Security Awareness Program to foster a security mindset across leadership, employees, crew members, and third parties.
KNOWLEDGE & QUALIFICATIONS
The candidate must have proven leadership in enterprise-level information security, with 10-12 years of experience in governance, risk, and compliance, and demonstrated success in senior leadership roles in risk management and information security at Fortune 200 organizations.
Regulatory Compliance. Strong knowledge and understanding of information security management frameworks and regulatory requirements such as SOX, CCPA, GDPR, PCI, SOC 2, and HIPAA, as well as maritime cybersecurity compliance requirements from the IMO and IACS.
Cybersecurity Frameworks. Strong knowledge of security frameworks including NIST CSF, controls, and audit techniques; ability to simplify complex technical information for non-technical leaders. The selected candidate will coordinate maturity assessments against NIST CSF to help the CISO develop updates for senior leaders, the CEO, and the Board of Directors.
Personal Attributes. The ideal candidate is highly organized, detail-oriented, and excels in communication; possesses a strong bias for action and continuous improvement; and has a proven ability to build strong relationships and influence Senior Leadership, IT Staff, and peers. Additionally, the candidate understands business processes deeply and can seamlessly integrate governance through teamwork and influence.
Technical Attributes. Ability to lead technical resources both within the company and at third-party vendors. The candidate must be able to identify, prioritize, and communicate remediation activities based on risk to the overall enterprise.
Cybersecurity Technologies. Proven technical expertise across IT applications, infrastructure, and information security products (e.g., firewalls, IPS, SIEM, proxies) and application security/vulnerability testing tools and techniques.
Team Mentorship. Experience developing and mentoring BISOs, Compliance Analysts, Security Analysts and IT control owners in GRC activities, process improvements, and technology solutions.
Leadership Role. Balance governance, risk, and compliance with the goals of business and executive stakeholders.
Compliance Performance. Ensure compliance by internal and external stakeholders and alignment with their regulators and KPIs.
Financial Responsibility. The candidate is expected to create and manage budgets, understand accounting rules for expenses and capital activities, and ensure efficient resource utilization and accurate forecasting. They must understand IT estimation activities, be accountable for financial implications, and identify opportunities to reduce operational expenses.
WORK ENVIRONMENT
- Requires 30% travel to support internal business partners.
- Will require travel to RCL offices, ships, and third-party service provider facilities.