Senior Manager, CyberSecurity Risk Management
Royal Caribbean Group
Journey with us! Combine your career goals and sense of adventure by joining our exciting team of employees. Royal Caribbean Group is pleased to offer a competitive compensation and benefits package, and excellent career development opportunities, each offering unique ways to explore the world.
The Royal Caribbean Group’s Global Information Security Team has an exciting career opportunity for a full time Senior Manager, CyberSecurity Risk Management reporting to the Director, Security Engagement.
This position will work on-site in Miramar, Florida.
Position Summary:
The successful candidate will be responsible for overseeing our cybersecurity risk management program ensuring that our company's information assets and technologies are adequately protected. This is a leadership role and will provide direct management of three teams comprised of Information Risk Management, Third-party Risk Management, and GRC Development.
Essential Duties and Responsibilities:
- Provide day-to-day management over risk team members; support hiring, training and collaboration to work with BISOs, business and IT leaders.
- In coordination with the Director, Security Engagement, develop comprehensive development plans for risk team members to ensure continued maturation of the risk management program and enable growth in the skills and capabilities of risk team members.
- Using thought leadership, develop, implement, and monitor a strategic, comprehensive enterprise cybersecurity and IT risk management program, enhancing RCG’s information security management framework.
- Drive partnership with Director Security Engagement, BISOs, broader GIS leadership, business and IT stakeholders across the company to communicate and make visible risk management concerns.
- Provide enterprise cybersecurity risk insight to Director Security Engagement, BISOs and Business Enablement Engineering teams to support the overall business technology planning, providing a current knowledge around risk and future vision of technology solutions.
- Partner with BISOs, Compliance, Legal, and IT resources to achieve effective working relationships that further the effectiveness of the Information Security Program.
- Drive continued maturity around the implementation of the GRC and third-party security toolsets for the GIS organization, ensuring collaboration with GRC stakeholders.
- Manage and assist in developing and onboarding IS risk assessment tools, templates, and associated processes to provide transparent reporting on activities and portfolio management.
- Establish goals for the team of risk analysts and leads who manage the information security system and third-party risk programs, working alongside BISOs, business and IT leadership to control information technology risk for the organization.
- Collaborate with BISOs, business and IT leaders, and third parties (where applicable) to initiate, conduct, and complete risk assessments in a timely manner.
- Set direction on legal redlines related to third-party cybersecurity risk.
- Provide quality analysis for application and system controls, documentation, and settings to identify security risks that could lead to non-compliance with RCG policies and standards.
- Implement a governance model for providing guidance to technical product teams through security requirements and processes, including but not limited to: Threat and Vulnerability Management scanning and remediation, Identity and Access Management (IAM) system on-boarding and entitlement reviews, Single Sign-on (SSO) and federation, log monitoring via a centralized security information and event management (SIEM) solution, and privileged access management (PAM).
- Ensure potential information security risks associated with systems and applications are examined, documented and communicated, including potential compliance risks with Sarbanes-Oxley (SOX), Payment Card Industry Data Security Standard (PCI-DSS), General Data Protection Regulation (GDPR), and other necessary regulatory requirements.
- Contribute to and align risk programs with the NIST CSF based information security program.
- Participate in established project management office (PMO) protocols to integrate IS risk assessment requirements (initiation, planning, analysis, design, build, test, deploy, closeout, etc.).
- Identify and report on metrics related to risk program and policy, communicating risk/reward scenarios to synchronize with RCG’s corporate governance framework.
- Advocate within GIS leadership for required changes and continuous management of policies and standards; leading discussions and answering complex cross-functional policy and standards questions, forecasting best practice in policy.
Knowledge and Skills:
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences, and at all levels of leadership.
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
- Must be a critical thinker, with strong problem-solving skills.
- Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- Strong relationship, team building and facilitation skills.
- Strong command of methodologies, tools, best practices and processes related to IS risk assessments.
- Expert with Microsoft Office suite of applications, ability to rationalize raw technology metrics into meaningful reports at an executive level.
- Expert at creating purposeful metrics, KRIs/KPIs that convey risk messages and identify areas for improvement that are actionable by executive teams.
- Knowledge of global privacy laws, regulations, and guidelines.
- Ability to formulate and communicate risks, findings, exceptions and technical solutions.
- Ability to articulate the information security risk program to employees and third parties at all levels within and outside the organization.
- Holds self and others accountable for meeting customer needs and expectations in a timely, professional manner.
Financial Responsibilities:
- Ensures individual expenses are within corporate guidelines.
- Ensures the GRC toolset aligns with department budget.
- Manages individual and lead level contributors, approving expenses, managing employee compensation within corporate guidelines.
Qualifications:
- Bachelor's degree in Information Security, Computer Science, Information Management Systems, or related field required. Master’s degree preferred.
- Minimum of 10 years of experience in a combination of risk management and information security. At least five must be in a leadership role.
- Expert knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST.
- Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, is desired. (At least one certification will be required upon completing first year of employment.)
Work Environment:
- 4x1 office working days
- Minimal domestic and international travel may be required
We know there's a lot to consider. As you go through the application process, our recruiters will be glad to provide guidance and more relevant details to answer any additional questions. Thank you again for your interest in Royal Caribbean Group. We hope to see you onboard soon!
It is the policy of the Company to ensure equal employment and promotion opportunity to qualified candidates without discrimination or harassment on the basis of race, color, religion, sex, age, national origin, disability, sexual orientation, sexuality, gender identity or expression, marital status, or any other characteristic protected by law. Royal Caribbean Group and each of its subsidiaries prohibit and will not tolerate discrimination or harassment.