Royal Caribbean Group
Senior Lead, Business Information Security Officer (BISO)
Royal Caribbean Group, Greendale, Wisconsin, United States, 53129
Journey with us! Combine your career goals and sense of adventure by joining our incredible team of employees at Royal Caribbean Group. We are proud to offer a competitive compensation and benefits package, and excellent career development opportunities, each offering unique ways to explore the world. We are proud to be the vacation-industry leader with global brands, including Royal Caribbean International, Celebrity Cruises and Silversea Cruises, the most innovative fleet and private destinations, and the best people. Together, we are dedicated to turning the vacation of a lifetime into a lifetime of vacations for our guests.

Royal Caribbean Group's IT - Global Information Security Team has an exciting career opportunity for a full-time Senior Lead, Business Information Security Officer (BISO) reporting to the Director, Security Engagement. This position will work on-site in Miramar, Florida.

Position Summary:

Royal Caribbean Group (RCG) is seeking a Business Information Security Officer (BISO) to be the Information Technology (IT) and Global Information Security (GIS) risk leader responsible for leading, developing, managing, and communicating IT/IS risk within a NIST CSF based governance structure.

The BISO is the Information Security primary point of contact for the assigned IT and business unit teams, driving the creation and supporting the implementation of the security program and assessing the risk of RCG's applications, systems and third parties. As a trusted advisor, the BISO will collect business and technical requirements, providing advice and oversight to ensure that processes and systems comply with Information Security policy.

This BISO will provide direct support to the enterprise organization across multiple transformational programs in the areas of guest loyalty, guest reservations, enterprise financials, and enterprise data across the Royal Caribbean International, Celebrity Cruises and Silversea Cruises brands.

The successful candidate will champion the risk management methodology and cultivate a team of IT/GIS subject matter experts within the brand(s) and supporting business verticals. They will also provide guidance to the risk organization and collaborate with a team of risk managers that informs management of IT application and third-party risk enterprise wide. This position requires superior communication, networking, leadership and technical risk management skills. RCG is regulated globally, so the candidate should have solid experience working with a variety of country-specific privacy laws.

Essential Duties and Responsibilities:

- Act as the primary security contact, collaborating with business and IT leaders to balance risk and reward and improve security in IT applications and third-party engagements, developing a deep understanding of business processes, systems, technologies, data, stakeholders and third-party partners.
- Contribute as a technical security control SME in major programs or change initiatives aimed at increasing enterprise security capabilities.
- Partner with Compliance, Legal and IT to build effective working relationships that further the Information Security Program.
- Support the goals of the IT risk managers who run the information security system and third-party risk program, working alongside business and IT leadership to control information technology risk for the organization.
- Collaborate with RCCL business sponsors, information technology (IT), and third parties (where applicable) to initiate, conduct, and complete risk assessments in a timely manner.
- Analyze application and system controls, documentation, and settings to identify security risks that could lead to non-compliance with RCG policies and standards.
- Guide technical product teams through security requirements and processes, including but not limited to: Threat and Vulnerability Management scanning and remediation; Identity and Access Management (IAM) system onboarding and entitlement reviews; Single Sign-On (SSO) and federation; log monitoring via a centralized security information and event management (SIEM) solution; and privileged access management (PAM).
- Partner with Enterprise Security Architects to perform security architecture reviews of innovative technology delivery models.
- Ensure potential information security risks associated with systems and applications are examined, documented and communicated, including potential compliance risks under Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and other applicable regulatory requirements.
- Manage and assist in developing and onboarding IS risk assessment tools, templates, and associated processes to provide transparent reporting on activities and portfolio management.
- Participate in established project management office (PMO) protocols to integrate IS risk assessment requirements into each phase (initiation, planning, analysis, design, build, test, deploy, closeout, etc.).
- Identify and report on metrics related to the risk program and policy, communicating risk/reward scenarios aligned with RCG's corporate governance framework.
- Advocate for required change and continuously manage the policy and standards exceptions program. Lead discussions and answer complex cross-functional policy and standards questions, anticipating best practice in policy.
- Support implementation of the GRC and third-party security toolset for the GIS organization, and ensure collaboration with GRC stakeholders.
- Contribute to and align risk programs with the NIST CSF based information security program.
- Communicate, oversee and carry out the technical implementation of security solutions required to meet business objectives.
- Ensure individual expenses are within corporate guidelines.

Qualifications:

- Bachelor's degree in information technology/security or Computer Science preferred; non-technical degrees with Computer Science fundamentals will be considered in combination with technology experience.
- At least one Information Security certification such as CISSP, CCSP, CEH, CRISC, GIAC, CISM, etc. required.
- 7-10 years of Information Security, Information Technology, Risk, Audit, or a combination of such experience.
- 7-10 years of managing projects and/or teams.
- 2-5 years of security development or operations experience.
- Experience with the design and engineering of security controls; demonstrable experience with public cloud platforms (AWS, Azure, GCP).
- Executive-level written and verbal communication skills required.

Knowledge and Skills:

- Strong relationship, team building and facilitation skills.
- Strong application development and/or application security background, with solid knowledge of the SDLC from design, testing and deployment through post-production, and the risk elements associated with each step.
- Strong command of methodologies, tools, best practices and processes related to IS risk assessments.
- Expert with the Microsoft Office suite of applications; able to distill raw technology metrics into meaningful executive-level reports.
- Expert at creating purposeful metrics (KRIs/KPIs) that convey risk messages and identify areas for improvement that are actionable by executive teams.
- Expert knowledge of information security frameworks such as NIST, ISO, FISMA, etc.
- Expert knowledge of risk frameworks such as OCTAVE, FAIR, ISACA Risk IT, ISO 27005, and/or NIST SP 800-30 or SP 800-37.
- Knowledge of global privacy laws, regulations, and guidelines.
- Ability to formulate and communicate exceptions/findings and technical solutions.
- Ability to articulate the information security risk program to employees and third parties at all levels within and outside the organization.
- Holds self and others accountable for meeting customer needs and expectations in a timely, professional manner.
- Up to 25% international travel may be required.

We know there's a lot to consider. Thank you again for your interest in Royal Caribbean Group. We hope to see you onboard soon!