Michelle Garcia

I am a cybersecurity and information security executive with over three decades of experience across the cruise and maritime industry, currently serving as Business Information Security Officer at Carnival Corporation & plc, a role I stepped into in December 2025. In this position, I develop and implement enterprise-wide information security strategies aligned with business objectives and regulatory requirements, establish governance frameworks and security policies, lead risk assessments and security audits to ensure compliance with frameworks including NIST and GDPR, collaborate with business unit executive leadership to integrate security into strategic planning and daily operations, oversee incident response and recovery plans, direct vendor risk management programs, monitor emerging threats and technologies, manage compliance reporting and audits for SOX, HIPAA, PCI-DSS, and other regulations, partner with IT and legal teams to ensure secure handling of sensitive data, lead penetration testing and vulnerability management programs, and present security metrics and risk dashboards to board-level stakeholders.

Prior to this role, I served as Head of IT Security and Compliance at Carnival Cruise Line for three years, where I was recruited to lead IT security and compliance, building and directing a fourteen-member team. I led a five-and-a-half-million-dollar PCI-DSS compliance program engaging over two hundred and fifty IT resources, implementing tokenization, secure APIs, and endpoint protections across enterprise and e-commerce, delivering under budget and achieving audit compliance. I reduced vulnerabilities by fifty percent through integrated assessments and automation, shortened mean time to resolution from over seven months to forty-five days by developing new workflows and improving escalation processes, automated user access reviews using SailPoint and ServiceNow eliminating over fifteen hundred unnecessary admin rights, and standardized corporate policies simplifying approval workflows.

Before joining Carnival, I spent over thirty years at Royal Caribbean Group in progressively responsible roles across information technology, security, and operations. I served as Head of Information Security Operations, Portfolio Management and Engineering for IT, OT, and SCADA, where I directed security operations and engineering across these environments, increased the Information Security program's CMMI score by more than one point in twelve months achieving four-point-one, secured multi-year funding exceeding forty million dollars, served as Incident Commander during security events, coordinated the organization's first cyberwar simulation involving both shipboard and shoreside executives, and provided architectural guidance for major projects ensuring compliance and operational safety. I also served as Manager of Cybersecurity Operations, where I secured twenty-five million dollars in funding for enterprise initiatives and delivered the cruise industry's first OT network segmentation solution. Earlier roles included Project Manager for Information Security, where I built the first maritime IT, OT, and SCADA information security program using a risk-based approach and directed projects exceeding fifteen million dollars delivering approximately two million dollars under budget.

Earlier in my career at Royal Caribbean, I held roles including Global Information Technology Manager, where I managed teams scaling up to forty-five resources, advanced guest safety by launching digital people-tracking systems reducing emergency response time by up to thirty percent, mobilized multi-fleet deployment of a fuel optimization application across forty-eight ships driving significant fuel cost savings, and supervised B2B revenue channel support responsible for fifty-five percent of annual bookings. I also served as Team Lead and Business Analyst, Supervisor of Air and Sea operations where I pioneered a program resulting in one million dollars in annual cost savings on air travel, Inventory Specialist, Customer Service Representative, and Reservations Specialist.

Alongside my corporate roles, I served as a Course Instructor in Cybersecurity at BrainStation on a contract basis, delivering content while sharing professional and industry experience to students enrolled in cybersecurity courses, supporting the goals of young professionals through skills development and active awareness of trends and opportunities.

Across my entire career in cybersecurity, information technology, and operations, my work has been driven by a commitment to protecting critical infrastructure, reducing risk, and building resilient security programs that enable business growth. Whether I am leading PCI remediation, securing OT environments on cruise ships, or presenting security metrics to the board, I bring strategic vision, operational rigor, and a deep understanding of how security enables business success.