Lead, Information Risk and GRC

Lead, Information Risk and GRC Journey with us! Combine your career goals and sense of adventure by joining our exciting team of employees. Royal Caribbean Group is pleased to offer a competitive compensation and benefits package, and excellent career development opportunities, each offering unique ways to explore the world. The Royal Caribbean Group’s IT-Global Information Security Team has an exciting career opportunity for a full‑time Lead, IS Third Party Risk Management reporting to the Sr Mgr, CyberSecurity Risk Management. The position is onsite and based in Miramar, Florida. Essential Duties and Responsibilities: Lead and mature the organization’s Third‑Party Risk Management (TPRM) program, ensuring alignment with business objectives, vendor strategies, and regulatory requirements. Oversee end‑to‑end third‑party risk lifecycle, including: Vendor onboarding and inherent risk tiering; Security due diligence (cyber risk assessments); Continuous monitoring and reassessment; Offboarding and risk closure. Define and enhance third‑party risk methodologies, including: Risk scoring models; Standardized assessment templates; Control validation and evidence review processes; Prioritize and assess vendor‑related cyber risks, ensuring appropriate mitigation strategies, compensating controls, and risk acceptance processes are implemented. Provide executive‑level reporting on third‑party risk posture, including: Critical vendor risk exposure; Concentration risk insights; Remediation progress and SLA adherence. Partner with Sr. Director and Sr. Manager to define the strategic roadmap for GRC and TPRM platforms, ensuring scalability and alignment to enterprise risk management needs. Lead configuration and optimization of TPRM workflows within platforms such as ServiceNow GRC / Archer / MetricStream; Intake workflows; Automated risk scoring; Evidence tracking; Issue remediation workflows. Identify automation opportunities to improve: Vendor onboarding cycle time; Assessment throughput; Reporting and dashboards. Oversee ongoing platform maintenance, enhancements, and user adoption across business units. Develop and maintain third‑party risk policies, standards, and procedures. Ensure cyclical policy reviews with CISO, CIO, and senior leadership, with updates reflecting evolving supply chain threats. Act as SME for third‑party risk during audits, regulatory reviews, and internal risk councils. Partner with Procurement, Legal, Privacy, and Business Owners to embed security requirements in vendor selection and contracting. Provide guidance and training to stakeholders on third‑party risk processes and expectations. Support escalation management for high‑risk or non‑compliant vendors. Qualifications, Knowledge and Skills: Bachelor's in information technology/security, Computer Science is preferred; non‑technical degrees with Computer Science fundamentals considered combined with technology experience. At least one Information Security certification such as CISSP, CCSP, CEH, CRISC, GIAC, CISM, etc. required. 5‑7 years of Information Security, Information Technology, Risk, Audit and/or a combination of experience. 5‑7 years of managing projects and/or teams. 2‑5 years of experience in GRC platform development. Proficiency in GRC platforms (e.g., RSA Archer, ServiceNow GRC, MetricStream) and risk assessment tools. Strong understanding of information security frameworks (e.g., NIST CSF, ISO 27001). Deep understanding of cyber risk management principles, threat modeling, and risk mitigation strategies. Strong analytical and problem‑solving skills; ability to assess risks, identify solutions, and make data‑driven decisions. Previous experience in a lead or managerial role is highly desirable. Executive level written and verbal communications required; ability to effectively communicate complex security concepts to both technical and non‑technical audiences. Takes initiative and anticipates needs before they arise. Pays close attention to detail while maintaining a big‑picture perspective. Works well with others and contributes to a positive team culture. Thrives in a fast‑paced, dynamic environment. It is the policy of the Company to ensure equal employment and promotion opportunity to qualified candidates without discrimination or harassment on the basis of race, color, religion, sex, age, national origin, disability, sexual orientation, sexuality, gender identity or expression, marital status, or any other characteristic protected by law. Royal Caribbean Group and each of its subsidiaries prohibit and will not tolerate discrimination or harassment. #J-18808-Ljbffr Royal Caribbean Group