Royal Caribbean Group

AVP, Governance, Risk & Compliance

Royal Caribbean Group, Greendale, Wisconsin, United States, 53129


The AVP of Governance, Risk & Compliance (GRC) will ensure technology and business teams comply with external regulations and internal requirements. This role will lead efforts to achieve continuous compliance by partnering with technology, business, and brand teams to adhere to policies, reduce security risks, and maintain compliance. The initial focus will be to establish and advance an IT GRC framework supporting RCCL's global environments, including shoreside, shipboard, subsidiaries, mobile, and cloud services. This position will also define and direct activities to meet regulatory requirements such as GDPR, SOX, PCI, HIPAA, and Privacy.

The GRC Associate Vice President (AVP) is a leader with strong knowledge of security frameworks and controls (such as NIST CSF) and audit techniques, who seeks to improve how compliance programs are implemented and maintained. The ideal candidate will bring a passion for improving the customer experience by easing the operational burdens associated with compliance and will focus on enhancing transparency across the security landscape.

Candidates must have a proven track record of leadership in enterprise-level information security. They should be able to translate complex technical information into strategic insights for technical leaders and simplify it for business leaders. This role demands high intellectual acumen and the ability to make complex technical details accessible to technical and non-technical stakeholders.

The GRC AVP will lead a global team of 30+ cybersecurity and compliance professionals and manage a portfolio of 15 products and technologies to ensure proper compliance, making risk visible for leaders and employees across RCG.

We seek a hybrid GRC leader: envision a balance between GRC and oversight on the governance side, and interfacing and interacting with the technical side, in partnership with our Business Information Security Officers (BISOs) and Business Enablement Engineers (BEEs).

As the GRC AVP, you will oversee maritime business enablement and related areas, ensuring compliance for internal and external stakeholders and their regulators, as well as managing critical key performance indicators (KPIs) and key risk indicators (KRIs). You will also develop and implement strategies to manage and mitigate risks across the organization.

Essential Duties and Responsibilities

Governance and Compliance Strategy. Create a global, enterprise-wide cybersecurity risk and compliance strategy aligned with organizational priorities, business objectives, regulatory requirements, and evolving risks.
Team Leadership. Lead and grow a global team of cybersecurity professionals, managing risk, compliance, assessments, reporting, metrics, policy, awareness, and third-party risk management.
Peer Interaction. Work closely with peer leaders in Cyber Defense Operations, Identity and Access Management, Cybersecurity Business Enablement and Strategy, and Counter Threat Operations.
Program Risk Management. Oversee risk- and threat-based information security programs ensuring confidentiality, integrity, availability, safety, privacy, and recovery of information.
Cybersecurity Compliance and Policies. Manage enterprise-wide compliance, risk assessment, reporting, cybersecurity policies, third-party risk management, and security training programs.
Governance and Compliance Oversight. Conduct information security audits, respond to external questionnaires, and collaborate with control entities (Audit Services, Enterprise Risk Management, Legal Compliance, regulators, and financial institutions).
Operations Collaboration. Work with the cybersecurity operations team on vulnerability management, threat intelligence, incident management, security architecture, advisory, and identity and access management.
Security Evaluation. Assess security controls, identify improvement opportunities, and communicate recommendations.
Technology Configuration. Ensure security technology is configured and operating per standards, with proper logging for incident detection.
Risk Assessment Validation. Oversee validation of risk assessments, control designs, gap identification, test scripts, evidence, and compensating controls.
Third-Party Risk Management. Perform risk assessments of third parties that interact with RCG to ensure proper compliance with regulatory requirements.
Regulatory Compliance. Manage IT GDPR, PCI, and SOX compliance efforts, control design, implementation, execution, and annual SOX control walkthroughs.
Audit Management. Handle annual SOX and PCI DSS testing, internal audits, remediation tracking, evidence collection, and risk identification.
Remediation Management. Oversee IT remediation processes, tracking and resolving findings from audits, risk assessments, and other control assessments.
Partnership Development. Build strong partnerships with Senior IT Management, Internal Audit, Ethics and Compliance, Enterprise Risk, relevant business units, and third-party vendors to ensure compliance awareness and responsibilities.
Audit Response Facilitation. Manage the IT written response process.
Governance Documentation. Oversee IT governance documentation review and assessment.
Policy and Standards. Lead the creation of Information Security Policies, technical standards, and procedures for secure technology configuration and implementation.
Human Risk Management and Awareness Program. Sponsor the company-wide Information Security Awareness Program to foster a security mindset across leadership, employees, crew members, and third parties.

Knowledge

The candidate must have proven leadership in enterprise-level information security and 10-12 years of experience in governance, risk, and compliance, with demonstrated experience and success in senior leadership roles in risk management and information security at Fortune 200 organizations.
Regulatory Compliance. Strong knowledge and understanding of information security management frameworks and various regulatory requirements such as SOX, CCPA, GDPR, PCI, SOC 2, and HIPAA, as well as maritime cybersecurity compliance for IMO and IACS.
Cybersecurity Frameworks. Strong knowledge of security frameworks including NIST CSF, controls, and audit techniques; ability to simplify complex technical information for non-technical leaders.
Personal Attributes. The ideal candidate is highly organized, detail-oriented, and excels in communication, with a strong bias for action and continuous improvement and a proven ability to build strong relationships and influence Senior Leadership, IT staff, and peers.
Technical Attributes. Ability to lead technical resources both within the company and at third-party vendors. The candidate must be able to identify, prioritize, and communicate remediation activities based on risk to the overall enterprise.
Cybersecurity Technologies. Proven technical expertise across IT applications, infrastructure, and information security products (e.g. firewalls, IPS, SIEM, proxy) and application security/vulnerability testing tools and techniques.
Team Mentorship. Experience developing and mentoring BISOs, Compliance Analysts, Security Analysts, and IT control owners in GRC activities, process improvements, and technology solutions.
Leadership Role. Balance governance, risk, and compliance with the goals of business and executive stakeholders.
Compliance Performance. Ensure compliance of internal and external stakeholders and align with their regulators and KPIs.
Financial Responsibility. The candidate is expected to create and manage budgets, understand accounting rules for expenses and capital activities, and ensure efficient resource utilization and accurate forecasting.

Education

Bachelor’s Degree. Information systems or equivalent industry experience.
Master’s Degree. Business Administration and Finance.
Certifications. CISSP, CISA, CISM.

Skills

Teamwork. Partner with BISOs, BEEs, and various cybersecurity program areas (identity and access management, cyber defense operations, etc.).
Stakeholder Engagement. Strong ability to identify needs, take initiative, and prioritize work efforts, balancing operational tasks with longer-term strategic security efforts.
Cultural Promotion. Actively promote a culture of information security throughout the organization, fostering teamwork and partnership.
Interaction with Executive Committees. Engage with the Compliance and Ethics, Risk Management, and Disclosure Committees, and RCG’s Executive Leadership Team, in areas such as compliance, risk posture management, analytics, and third-party risk management.
Continuous Improvement. Advocate for and implement continuous improvements across the security landscape.
Continuous Learning. Stay updated on security changes impacting regulatory, privacy, and industry best practices.

Requires 30% travel to support internal business partners. Will require travel to RCL offices, ships, and 3rd party service provider facilities.
