Lead, Information Risk and GRC
Royal Caribbean Group · Miami, FL · 1 mo ago
Information TechnologyFull-time
Essential Duties and Responsibilities
We are seeking a highly skilled and experienced Lead, Information Risk and GRC with a strong emphasis on Third-Party Risk Management (TPRM) to join the Global Information Security (GIS) team. The ideal candidate will bring deep expertise in managing third-party cyber risk across the vendor lifecycle and enhancing GRC and TPRM programs and platforms.
- Lead and mature the organization’s Third-Party Risk Management (TPRM) program, ensuring alignment with business objectives, vendor strategies, and regulatory requirements.
- Oversee end-to-end third-party risk lifecycle, including; Vendor onboarding and inherent risk tiering; Security due diligence (cyber risk assessments); Continuous monitoring and reassessment; Offboarding and risk closure
- Define and enhance third-party risk methodologies, including; Risk scoring models; Standardized assessment templates; Control validation and evidence review processes;
- Prioritize and assess vendor-related cyber risks, ensuring appropriate mitigation strategies, compensating controls, and risk acceptance processes are implemented.
- Provide executive-level reporting on third-party risk posture, including; Critical vendor risk exposure; Concentration risk insights; Remediation progress and SLA adherence
- Partner with Sr. Director and Sr. Manager to define the strategic roadmap for GRC and TPRM platforms, ensuring scalability and alignment to enterprise risk management needs.
- Lead configuration and optimization of TPRM workflows within platforms such as ServiceNow GRC / Archer / MetricStream; Intake workflows; Automated risk scoring; Evidence tracking; Issue remediation workflows
- Identify automation opportunities to improve; Vendor onboarding cycle time; Assessment throughput; Reporting and dashboards
- Oversee ongoing platform maintenance, enhancements, and user adoption across business units.
- Develop and maintain third-party risk policies, standards, and procedures.
- Ensure cyclical policy reviews with CISO, CIO, and senior leadership, with updates reflecting evolving supply chain threats.
- Act as SME for third-party risk during audits, regulatory reviews, and internal risk councils.
- Partner with Procurement, Legal, Privacy, and Business Owners to embed security requirements in vendor selection and contracting.
- Provide guidance and training to stakeholders on third-party risk processes and expectations.
- Support escalation management for high-risk or non-compliant vendors.
Qualifications, Knowledge and Skills
- Bachelor's in information technology/security, Computer Science is preferred, non-technical degrees with Computer Science fundamentals will be considered combined with technology experience.
- At least one Information Security certification such as CISSP, CCSP, CEH, CRISC, GIAC, CISM, etc. required.
- 5-7 years of Information Security, Information Technology, Risk, Audit and/or a combination of experience.
- 5-7 years of managing projects and/or teams.
- 2-5 years of experience in GRC platform development.
- Proficiency in GRC platforms (e.g., RSA Archer, ServiceNow GRC, MetricStream) and risk assessment tools.
- Strong understanding of information security frameworks (e.g., NIST CSF, ISO 27001).
- Deep understanding of cyber risk management principles, threat modeling, and risk mitigation strategies.
- Strong analytical and problem-solving skills.
- Ability to assess risks, identify solutions, and make data-driven decisions.
- Previous experience in a lead or managerial role is highly desirable.
- Executive level written and verbal communications required.
- Ability to effectively communicate complex security concepts to both technical and non-technical audiences.
- Takes initiative and anticipates needs before they arise.
- Pays close attention to detail while maintaining a big-picture perspective.
- Works well with others and contributes to a positive team culture.
- Thrives in a fast-paced, dynamic environment.