The AVP of Governance, Risk & Compliance (GRC) will ensure technology and business teams comply with external regulations and internal requirements. This role will lead efforts to achieve continuous compliance by partnering with technology, business, and brand teams to adhere to policies, reduce security risks, and maintain compliance. The initial focus will be to establish and advance an IT GRC framework supporting RCCL's global environments, including shoreside, shipboard, subsidiaries, mobile, and cloud services. This position will also define and direct activities to meet regulatory requirements such as GDPR, SOX, PCI, HIPAA, and Privacy.

The GRC Associate Vice President (AVP) is a leader with a strong knowledge of security frameworks, controls - NIST CSF, and audit techniques, which seeks to improve how compliance programs are implemented and maintained. The ideal candidate will bring a passion for improving the customer experience by easing operational burdens associated with compliance and will focus on enhancing transparency across the security landscape.

• Governance and Compliance Strategy. Create a global, enterprise-wide cybersecurity risk and compliance strategy aligned with organizational priorities, business objectives, regulatory requirements, and evolving risks.
• Team Leadership. Lead and grow a global team of cybersecurity professionals, managing risk, compliance, assessments, reporting, metrics, policy, awareness, and third-party risk management. The candidate will oversee teams including BISOs, Maritime Cybersecurity Compliance, ServiceNow GRC Development, Information Risk Management, Third-Party Risk Management, Regulatory IT Compliance, Human Risk Management & Awareness, and Cybersecurity Posture Management.
• Peer Interaction. The candidate will work closely with the following peer leaders: Cyber Defense Operations, Identity and Access Management, Cybersecurity Business Enablement and Strategy, and Counter Threat Operations.
• Program Risk Management. Oversee risk and threat-based information security programs ensuring confidentiality, integrity, availability, safety, privacy, and recovery of information.
• Cybersecurity Compliance and Policies. Manage enterprise-wide compliance, risk assessment, reporting, cybersecurity policies, third-party risk management, and security training programs.
• Governance and Compliance Oversight. Conduct information security audits, respond to external questionnaires, and collaborate with control entities (Audit Services, Enterprise Risk Management, Legal Compliance, regulators, and financial institutions).
• Operations Collaboration. Work with the cybersecurity operations team on vulnerability management, threat intelligence, incident management, security architecture, advisory, and identity and access management.
• Security Evaluation. Assess security controls, identify improvement opportunities, and communicate recommendations.
• Technology Configuration. Ensure security technology is configured and operating per standards, with proper logging for incident detection.
• Risk Assessment Validation. Oversee validation of risk assessments, control designs, gap identification, test scripts, evidence, and compensating controls.
• Third-Party Risk Management. Perform risk assessments against 3rd-Parties that interact with RCG, to ensure proper compliance against regulatory requirements.
• Regulatory Compliance. Manage IT GDPR, PCI, SOX compliance efforts, control design, implementation, execution, and annual SOX control walkthroughs.
• Audit Management. Handle annual SOX, PCI DSS testing, internal audits, remediation tracking, evidence collection, and risk identification.
• Remediation Management. Oversee IT remediation processes, tracking and resolving findings from audits, risk assessments, and other control assessments.
• Partnership Development. Build strong partnerships with Senior IT Management, Internal Audit, Ethics and Compliance, Enterprise Risk, relevant business units, and third-party vendors to ensure compliance awareness and responsibilities.
• Audit Response Facilitation. Manage the IT written response process.
• Governance Documentation. Oversee IT governance documentation review and assessment.
• Policy and Standards. Lead the creation of Information Security Policies, technical standards and procedures for secure technology configuration and implementation.
• Human Risk Management and Awareness Program: Sponsor the company-wide Information Security Awareness Program to foster a security mindset across leadership, employees, crew members, and third parties.

• Regulatory Compliance. Strong knowledge and understanding of information security management frameworks and various regulatory requirements such as SOX, CCPA, GDPR, PCI, SOC 2, and HIPAA, Maritime cybersecurity compliance for IMO and IACS.

• Cybersecurity Frameworks. Strong knowledge of security frameworks including NIST CSF, controls, and audit techniques; ability to simplify complex technical information for non-technical leaders. The selected candidate will coordinate maturity assessments against NIST CSF to aid the CISO to develop updates for senior leaders, CEO, and the Board of Directors.

• Personal Attributes. The ideal candidate is highly organized, detail-oriented, and excels in communication. Possess a strong bias for action and continuous improvement, with proven ability to build strong relationships and influence Senior Leadership, IT Staff, and peers. Additionally, understands business processes deeply and can seamlessly integrate governance through teamwork and influence.
• Technical Attributes. Ability to lead technical resources both within the company and at third party vendors. The candidate must be able to identify, prioritize and communicate remediation activities based on risk to the overall enterprise.
• Cybersecurity Technologies. Proven technical expertise across IT applications, infrastructure and information security products (i.e. firewalls, IPS, SIEM, proxy) and application security/vulnerability testing tools and techniques.

• Team Mentorship. Experience developing and mentoring BISOs, Compliance Analysts, Security Analysts and IT control owners in GRC activities, process improvements, and technology solutions.
• Leadership Role. Balance governance, risk, and compliance with the goals of business and executive stakeholders.
• Compliance Performance. Ensure compliance of internal and external stakeholders and align with their regulators and KPIs.
• Financial Responsibility. The candidate is expected to create and manage budgets, understand accounting rules for expenses and capital activities, and ensure efficient resource utilization and accurate forecasting. They must understand IT estimation activities, be accountable for financial implications, and identify opportunities to reduce operational expenses.

• Bachelor's Degree. Information systems or equivalent industry experience.
• Master's Degree. Business Administration and Finance.
• Certifications. CISSP, CISA, CISM.

• Teamwork. Partner with BISOs, BEEs, and various cybersecurity program areas (identity and access management, cyber defense operations, etc.).
• Stakeholder engagement. Strong ability to identify needs, take initiative, and prioritize work efforts, balancing operational tasks with longer-term strategic security efforts

• Cultural Promotion. Actively promote a culture of information security throughout the organization, fostering teamwork and partnership.
• Interaction with Executive Committees. Engage with the Compliance and Ethics, Risk Management, Disclosure Committees, and RCG's Executive Leadership Team in areas such as compliance, risk posture management, analytics, and third-party risk management.
• Continuous Improvement. Advocate for and implement continuous improvements across the security landscape.
• Continuous Learning. Stay updated on security changes impacting regulatory, privacy, and industry best practices.

• Requires 30% travel to support internal business partners.
• Will require travel to RCL offices, ships, and 3rd party service provider facilities.