Director of Security Governance and Risk (Remote)

Job ID 6919 Location Miami, Florida Date posted 09/11/2023

Job Description


We are seeking a Director of Security Governance and Risk to be responsible for building, implementing and executing a Governance and Risk Program that will identify, evaluate, and monitor the overall security risk profile across the company by assessing the effectiveness of compliance processes across Carnival Corp and the Operating Lines.  They are responsible for defining and aligning strategies for the governance and risk team to support the continued maturity of Carnival’s Global Security transformation and ensure exposures to cyber risks are identified and managed at an acceptable level.  

This program and role will act as a catalyst for driving the business in achieving its objectives through the proactive evaluation and enhancement of the compliance program activities and controls that prevent or mitigate the impact of compliance risk manifestation. They will create the security risk strategy and provide cyber governance and risk management oversight; establish and manage the security policy framework and relevant standards; and oversee applicable security, contractual and compliance requirements (e.g., SOC2, MRC, ISO27001, GDPR, CCPA, NIST CSF, DPAs and local privacy laws) through strategy development, controls definition and assessment, and process oversight. The scope of this position is global in nature and will work collaboratively across Carnival’s brands and operating companies to facilitate cybersecurity risk prioritization in conjunction with the Regional Information Security and Compliance Services Security Officers.

ESSENTIAL FUNCTIONS

  • Governance and Strategy
    • Collaborate with Legal, Privacy, Compliance and key business leaders to identify information management and protection laws and regulations and implement actions to ensure compliance
    • Identify global cyber security regulatory, legislative, and industry specific compliance requirements
    • Establish annual and long-term goals, defining risk and governance strategies, metrics, and reporting mechanisms
    • Develop strategies and action plans to drive security maturity improvement in areas where controls do not adequately mitigate risks
    • Foster and maintain business relationships in representing GISCS during executive steering committees across each of the Carnival Brands
    • Support the development of executive and board level communications as related to corporate cybersecurity posture
    • Develop, document, and assess measures, metrics, and internal controls related to cyber security program maturity
  • Policies and Standards
    • Lead the development and implementation of effective and reasonable policies and practices to secure sensitive data and ensure security and compliance with contracts, regulatory requirements, and industry standards
    • Collaborate across the Brands, Legal, Regional Information Security and Compliance Teams, IT teams, HR and Global Data Privacy Council in the development of global security policies
    • Champion the annual global security policies and standards review with key stakeholders to ensure alignment with corporate business strategy, cybersecurity strategy and regulatory requirements
  • Security Risk Management & Tracking
    • Develop and manage the cybersecurity risk management strategy, framework and approach
    • Integrate cyber security risk reporting and aggregate reporting into an Enterprise risk framework
    • Provide briefings to leadership and advise of critical issues that may affect business or enterprise cybersecurity objectives in partnership with the Regional Information Security Officers
    • Partner with Global Security Architecture & Engineering, Global Threat Intelligence & Readiness, and Compliance Assurance teams to develop risk mitigation strategies, solutions, and recommendations to reduce component, system, or enterprise security risk
    • Develop and maintain a Security Risk Management Framework (RMF) per industry standards and applicability (e.g., NIST CSF). Perform an annual Security Risk Assessment against the RMF
    • Recommend programs to enhance maturity in Security and track their progress
    • Evaluate existing risk monitoring metrics and tools, develop metrics and insights, and seek to enhance the maturity of analytics. Develop security reports and dashboards for varied audiences
    • Develop a risk register and manage remediation plans to respond to previously unidentified or inadequately addressed risk areas
    • Understand legal requirements, identify emerging security risks, and work with the relevant business groups to facilitate proactive implementation of mitigation measures
    • Review contractual language for security related
    • Implement and manage the GRC platform (OneTrust) and its integration with other IT tools
  • Security Awareness & Training
    • Champion and manage Global Information Security Awareness and Training programs
    • Support Regional Information Security and Compliance teams to host business outreach campaigns
    • Distribute security bulletins, alerts, updates, and other security related information
  • Develop a comprehensive control catalog and workflows with cross-walks
  • Monitor compliance to the controls and catalog risk assessment utilized by the business as it pertains to security risk and evaluate for best practices and gaps
  • Maintain a rolling three-year compliance risk and governance strategy to facilitate discussion with senior leadership of the key challenges and opportunities around security risk
    • This will drive our focus on continuous improvement and prioritization of programs within the organization’s plan process
  • Identify, engage, coach and broker appropriate talent to ensure highest performance of Governance and Risk function
  • Set team’s goals and coach the team members to attain maximum productivity through motivation and dedication
  • Less than 25% shipboard travel likely
  • Less than 25% non-shipboard travel likely

QUALIFICATIONS

  • Bachelor’s degree in Information Security, Information Technology, Audit, Risk Management
  • Certified in Governance of Enterprise IT (CGEIT) by ISACA, COBIT 5 Foundation/Implementer/Assessor by ISACA, Certified in Risk and Information Systems Control (CRISC), among others
  • 10+ years of progressive IT, auditing, investigations, strategic risk management, and/or business/management consulting with exposure to Fortune 500 companies, culminating in an IS security role
  • 3-5 years’ experience managing cross-functional, multi-business unit projects reflective of leadership role
  • Experience building and/or growing an IT Security practice with direct hands-on technology skillsets
  • OneTrust hands-on experience
  • Recent experience leading an IT organization and establishing governance and strategy for a global organization
  • Exceptional and current experience in third party risk management, managing security risks, developing and implementing security training programs
  • Experience leading corporate privacy and third-party initiatives is also a plus
  • Demonstrated experience in communicating effectively in written and spoken form to broad internal and external entities including non-technical executives, corporate officers, business colleagues, product and service vendors and external peers
  • Strong ability to influence and persuade others through collaboration
  • Strategic thinker who can translate vision into tactical execution; strong decision-making and project management skills; and ability to prioritize effectively in a highly dynamic work environment
  • Experience interviewing, hiring, and counseling direct report employees
  • Delegating activities to appointed managers and other team members
  • Ensuring that responsibilities, authorities, and accountability of all subordinates are defined and understood
  • Experience in establishing IT governance, policies and standards
  • Experience managing third party vendors
  • Experience working and excelling in a Global organization. Manage and control Operational and Capital budgets
  • Demonstrated ability to manage multiple work streams and initiatives simultaneously
  • Ability to work in a fast-paced setting
  • Strong knowledge of risk identification, assessment, and management frameworks
  • Proven ability to drive change despite internal and external challenges - a self-starter with a desire to learn and continuously improve, intellectual curiosity
  • Strong business acumen
  • Ability to analyze complex problems that include interrelationships and dependencies in order to identify common themes and solutions
  • Inquisitive nature, resourceful, and an ability to seek out information
  • Advanced proficiency in Microsoft Office suite including Power BI and Power Automate
  • Personal initiative, and enthusiasm for success in a complex and challenging environment

The range for this role’s base salary is $150,000 - $160,000.  Offers to selected candidates will be made on a fair and equitable basis, taking into account specific job-related skills and experience.  

At Carnival, your total rewards package is much more than your base salary. All non-sales roles participate in an annual cash bonus program, while sales roles have an incentive plan. Director and above roles may also be eligible to participate in Carnival’s discretionary equity incentive plan. Plus, Carnival provides comprehensive and innovative benefits to meet your needs, including:

  • Health Benefits:
    • Cost-effective medical, dental and vision plans
    • Employee Assistance Program and other mental health resources
    • Additional programs include company paid term life insurance and disability coverage 
  • Financial Benefits:
    • 401(k) plan that includes a company match
    • Employee Stock Purchase plan
  • Paid Time Off
    • Holidays – All full-time and part-time with benefits employees receive days off for 7 company-wide holidays, plus an additional floating holiday to be taken at the employee’s discretion. 
    • Vacation Time – All full-time employees at the manager and below level start with 14 days/year; director and above level start with 19 days/year.  Part-time with benefits employees receive time off based on the number of hours they work, with a minimum of 84 hours/year.  All employees gain additional vacation time with further tenure.
    • Sick Time – All full-time employees receive 80 hours of sick time each year.  Part-time with benefits employees receive time off based on the number of hours they work, with a minimum of 60 hours each year.  
  • Other Benefits
    • Complimentary stand-by cruises, employee discounts on confirmed cruises, plus special rates for family and friends
    • Personal and professional learning and development resources including tuition reimbursement 
    • On-site preschool program, wellness center, and health clinic at our Miami campus

About Us

In addition to other duties/functions, this position requires full commitment and support for promoting ethical and compliant culture. More specifically, this position requires integrity, honesty, and respectful treatment of others, as well as a willingness to speak up when they see misconduct or have concerns.

Carnival Corporation & plc is a global cruise company and one of the largest vacation companies in the world. Our portfolio of leading cruise brands includes Carnival Cruise Line, Holland America Line, Princess Cruises and Seabourn in North America; P&O Cruises and Cunard Line in the United Kingdom; AIDA in Germany; Costa Cruises in Southern Europe; and P&O Cruises in Australia. Our employees have a responsibility to be accountable for all actions. We consider the environment in all aspects of our business and have a responsibility to put safety and sustainability first. We live and share a positive attitude which is based on fostering an environment of inclusion, trust, a willingness to listen, openness and integrity.

Carnival Corporation & plc and Carnival Cruise Line are equal employment opportunity/affirmative action employers. In this regard, they do not discriminate against any qualified individual on the basis of sex, race, color, national origin, religion, sexual orientation, age, marital status, mental, physical or sensory disability or any other classification protected by applicable local, state, federal and/or international law.

Benefits as a member of Carnival's Team:
  • A comprehensive benefit program which includes medical, dental and vision plans
  • Additional programs include company paid term life insurance and disability coverage and a 401(k) plan that includes a company match
  • Employee Stock Purchase plan
  • Paid vacation and sick time
  • Cruise benefits
  • An on-site fully accredited preschool educational program located at our Doral campus
  • An on-site Wellness Center and Health clinic at our Doral campus