Royal Caribbean International

AVP, Governance, Risk & Compliance

Royal Caribbean International, Miami, Florida, US, 33222


The AVP of Governance, Risk & Compliance (GRC) will ensure technology and business teams comply with external regulations and internal requirements. This role will lead efforts to achieve continuous compliance by partnering with technology, business, and brand teams to adhere to policies, reduce security risks, and maintain compliance. The initial focus will be to establish and advance an IT GRC framework supporting RCCL's global environments, including shoreside, shipboard, subsidiaries, mobile, and cloud services. This position will also define and direct activities to meet regulatory requirements such as GDPR, SOX, PCI, HIPAA, and Privacy.

The GRC Associate Vice President (AVP) is a leader with strong knowledge of security frameworks (including NIST CSF), controls, and audit techniques, who seeks to improve how compliance programs are implemented and maintained. The ideal candidate will bring a passion for improving the customer experience by easing operational burdens associated with compliance and will focus on enhancing transparency across the security landscape.

Candidates must have a proven track record of leadership in enterprise-level information security. They should be able to translate complex technical information into strategic insights for technical leaders and simplify it for business leaders. This role demands high intellectual acumen and the ability to make complex technical details accessible to technical and non-technical stakeholders.

The GRC AVP will lead a global team of 30+ cybersecurity and compliance professionals and manage a portfolio of 15 products and technologies to ensure proper compliance, making risk visible for leaders and employees across RCG.

The GRC AVP will oversee maritime business enablement and related areas, ensuring compliance for internal and external stakeholders and their regulators, as well as managing critical performance (KPIs) and risk (KRIs) indicators. You will also develop and implement strategies to manage and mitigate risks across the organization.

Candidates should have experience in developing and empowering team members, including BISOs and experts in governance, compliance, cyber risk posture management, and human risk management. They should also be able to partner with business enablement engineers across all areas of the cybersecurity program, such as identity and access management and cyber defense operations. This highly collaborative role requires strong partnerships within the organization, emphasizing the value placed on teamwork and cooperation.

Candidates should be highly organized and detail-oriented with excellent communication skills and a strong bias towards getting things done while advocating for continuous improvement. As a leader within the Information Security Team, the GRC AVP takes a significant role in actively promoting a culture of information security throughout the organization, a role that is crucial for our overall security strategy and our commitment to continuous improvement.

Essential Duties and Responsibilities:

Governance and Compliance Strategy. Create a global, enterprise-wide cybersecurity risk and compliance strategy aligned with organizational priorities, business objectives, regulatory requirements, and evolving risks.

Team Leadership. Lead and grow a global team of cybersecurity professionals, managing risk, compliance, assessments, reporting, metrics, policy, awareness, and third-party risk management.

Program Risk Management. Oversee risk and threat-based information security programs ensuring confidentiality, integrity, availability, safety, privacy, and recovery of information.

Cybersecurity Compliance and Policies. Manage enterprise-wide compliance, risk assessment, reporting, cybersecurity policies, third-party risk management, and security training programs.

Governance and Compliance Oversight. Conduct information security audits, respond to external questionnaires, and collaborate with control entities (Audit Services, Enterprise Risk Management, Legal Compliance, regulators, and financial institutions).

Operations Collaboration. Work with the cybersecurity operations team on vulnerability management, threat intelligence, incident management, security architecture, advisory, and identity and access management.

Security Evaluation. Assess security controls, identify improvement opportunities, and communicate recommendations.

Technology Configuration. Ensure security technology is configured and operating per standards, with proper logging for incident detection.

Risk Assessment Validation. Oversee validation of risk assessments, control designs, gap identification, test scripts, evidence, and compensating controls.

Third-Party Risk Management. Perform risk assessments of third parties that interact with RCG to ensure proper compliance with regulatory requirements.

Regulatory Compliance. Manage IT GDPR, PCI, SOX compliance efforts, control design, implementation, execution, and annual SOX control walkthroughs.

Audit Management. Handle annual SOX, PCI DSS testing, internal audits, remediation tracking, evidence collection, and risk identification.

Remediation Management. Oversee IT remediation processes, tracking and resolving findings from audits, risk assessments, and other control assessments.

Partnership Development. Build strong partnerships with Senior IT Management, Internal Audit, Ethics and Compliance, Enterprise Risk, relevant business units, and third-party vendors to ensure compliance awareness and responsibilities.

Governance Documentation. Oversee IT governance documentation review and assessment.

Policy and Standards. Lead the creation of Information Security Policies, technical standards and procedures for secure technology configuration and implementation.

Human Risk Management and Awareness Program. Sponsor the company-wide Information Security Awareness Program to foster a security mindset across leadership, employees, crew members, and third parties.

Education, Experience, Knowledge, and Work Environment

Knowledge

The candidate must have proven leadership in enterprise-level information security, with 10-12 years of experience in governance, risk, and compliance, and demonstrated experience and success in senior leadership roles in risk management and information security working for Fortune 200 organizations.

Regulatory Compliance. Strong knowledge and understanding of information security management frameworks and various regulatory requirements such as SOX, CCPA, GDPR, PCI, SOC 2, and HIPAA, Maritime cybersecurity compliance for IMO and IACS.

Cybersecurity Frameworks. Strong knowledge of security frameworks including NIST CSF, controls, and audit techniques; ability to simplify complex technical information for non-technical leaders.

Personal Attributes. The ideal candidate is highly organized, detail-oriented, and excels in communication. Possesses a strong bias for action and continuous improvement, with proven ability to build strong relationships and influence Senior Leadership, IT Staff, and peers.

Technical Attributes. Ability to lead technical resources both within the company and at third party vendors. The candidate must be able to identify, prioritize and communicate remediation activities based on risk to the overall enterprise.

Cybersecurity Technologies. Proven technical expertise across IT applications, infrastructure, and information security products (e.g., firewalls, IPS, SIEM, proxy) and application security/vulnerability testing tools and techniques.

Team Mentorship. Experience developing and mentoring BISOs, Compliance Analysts, Security Analysts and IT control owners in GRC activities, process improvements, and technology solutions.

Leadership Role. Balance governance, risk, and compliance with the goals of business and executive stakeholders.

Compliance Performance. Ensure compliance of internal and external stakeholders and align with their regulators and KPIs.

Financial Responsibility. The candidate is expected to create and manage budgets, understand accounting rules for expenses and capital activities, and ensure efficient resource utilization and accurate forecasting.

Education

Bachelor’s Degree. Information systems or equivalent industry experience.

Master’s Degree. Business Administration and Finance.

Certifications. CISSP, CISA, CISM.

Skills

Teamwork. Partner with BISOs, BEEs, and various cybersecurity program areas (identity and access management, cyber defense operations, etc.).

Stakeholder engagement. Strong ability to identify needs, take initiative, and prioritize work efforts, balancing operational tasks with longer-term strategic security efforts.

Cultural Promotion. Actively promote a culture of information security throughout the organization, fostering teamwork and partnership.

Interaction with Executive Committees. Engage with the Compliance and Ethics, Risk Management, Disclosure Committees, and RCG’s Executive Leadership Team in areas such as compliance, risk posture management, analytics, and third-party risk management.

Continuous Improvement. Advocate for and implement continuous improvements across the security landscape.

Continuous Learning. Stay updated on security changes impacting regulatory, privacy, and industry best practices.

Work Environment

Requires 30% travel to support internal business partners.

Will require travel to RCL offices, ships, and third-party service provider facilities.
