Principal Security Specialist

At Disney, we’re storytellers. We make the impossible, possible. The Walt Disney Company (TWDC) is a world-class entertainment and technological leader. Walt’s passion was to continuously envision new ways to move audiences around the world—a passion that remains our touchstone in an enterprise that stretches from theme parks, resorts and a cruise line to sports, news, movies and a variety of other businesses. Uniting each endeavor is a commitment to creating and delivering unforgettable experiences — and we’re constantly looking for new ways to enhance these exciting experiences.

The Enterprise Technology mission is to deliver technology solutions that align to business strategies while enabling enterprise efficiency and promoting cross-company collaborative innovation. Our group drives competitive advantage by enhancing our consumer experiences, enabling business growth, and advancing operational excellence.

The Global Information Security (GIS) organization strives to secure the magic by employing best-in-class services to assess, prevent, detect, and respond to cyber threats that present risk to The Walt Disney Company. We enable the business by integrating enterprise and business segment-specific supported services to create a robust, efficient, and adaptable cybersecurity program. Our key objectives are to:

• Secure the Magic by protecting information systems and platforms.
• Reduce Risk by proactively assessing, preventing, and detecting to prevent harm to the Company and our Guests.
• Strengthen the business through optimizing execution, application, and technology used to protect the Company.
• Innovate by investing in core capabilities to enhance operational efficiency.

Team Description:

The Disney Entertainment (DE) Cyber Risk department consists of a global team of cast members, contingent workers, and contractors whose primary objective is to “Secure the Magic”. This objective is met by acting as a trusted partner with global technology teams and business partners to analyze, mitigate, and report upon security risks within their environments. We provide security advice and support to ensure security requirements are met and aligned with Disney Information Security Policies and Standards.  

Our span of control includes assessing the risk and control design associated with third-parties, internal applications, new product deployments, and infrastructure changes to ensure systems are within risk tolerance. The department also maintains strong partnerships with other technical security teams such as security architecture, product security, and content protection within DE and the larger GIS department.

Responsibilities of Role:

• Define, develop, implement, and execute key programs within the DE segment InfoSec team that include:
  • Control design, assessment, testing, and implementation of products and infrastructure
  • Vendor risk management
  • Application risk assessment
  • Risk Acceptance
  • Risk Reporting
• Expertise in understanding system / network design based on review of network and data flow diagrams, technical specification, and product design documents.
• Strong ability to scope product security reviews based on analysis of proposed system and network design and consults with system and data owners to understand business and technical risk.
• Scoping will require identification, and validation of control design in accordance with company policies, standards, and industry best practices.
• Collaborate with technical security teams to analyze and test pre-implementation controls or mitigating controls to remediate security gaps to provide security endorsement prior to product launch.
• Collaborate with key corporate stakeholders (e.g., Legal, privacy, sourcing) to ensure security services and procedures are understood and included into applicable programs and processes.
• Identify and drive implement of automation opportunities used to increase output and improve visibility into operational risk. Manage implemented automations to ensure modifications and break fixes are perform as they are required / identified.
• Build a strong understanding of the business environment, to identify, mitigate, and remediate risk.
• Drive continuous process maturity, improvement and assist in documenting risk management processes.
• Be a trusted advisor to our business partners and build strong relations.
• Monitor and report upon key TWDC technology security risks including documenting environment risk and providing regular risk and operational reporting on going initiatives.
• Independently prioritize high risk queries and tasks ensuring they go through required risk assessments and / or security services.
• Manage, prioritize, and proactively report on the status of assigned projects and/or deliverables to impacted stakeholders.
• Remain current with changes in policy, regulations, and technology to understand, communicate, and manage their associated risks to the Company.
• Support the initiatives and deliverables of the GIS department.
• Through example and behavior, strive to provide peer leadership to other team members with the goals of providing service excellence.

Must Haves:

• Minimum of 10 years of experience in Information Technology.
• Minimum of 5 years of experience in Risk Management, Information Security or Audit & Compliance.
• Experience interpreting and assessing risk based on information from numerous sources to form a practical and operational realistic solution.
• Working knowledge of information security related best practices and standards such as ISO 2700x, SOC 2, NIST, PCI requirements etc.
• Working knowledge of cloud infrastructure engineering / architecture principles.
• Knowledge of conducting risk assessments using industry recognized risk management methodologies

Nice To Haves:

• Master’s in Computer Science, Information Security, or relevant technology field.
• Working towards one or more credentials - CISA, CISM, CRISC, ISO27001 CCSP, CISSP, Security+
• Understanding of security and vulnerability detection tools (e.g., Tenable, Qualys, CrowdStrike, Prisma).
• Experience with a large company and/or Big 4 accounting firm.
• Experience working with regulatory security frameworks such as ISO.

Education:

• BA/BS in Computer Science, Information Security, or relevant technology field, and/or equivalent work experience.

The hiring range for this position in Connecticut and California is $152,200 to $204,100 per year and in Washington and New York is $159,500 to $213,900 per year. The base pay actually offered will take into account internal equity and also may vary depending on the candidate’s geographic region, job-related knowledge, skills, and experience among other factors. A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.