Executive Director, Info Security

Department Description

At Disney, we’re storytellers. We make the impossible, possible. The Walt Disney Company is a world-class entertainment and technological leader. Walt’s passion was to continuously envision new ways to move audiences around the world - a passion that remains our touchstone in an enterprise that stretches from theme parks, resorts and a cruise line to sports, TV, movies and a variety of other businesses. Uniting each endeavor is a commitment to creating and delivering unforgettable experiences - and we’re constantly looking for new ways to enhance these exciting experiences.

The Enterprise Technology & Data mission is to deliver technology solutions that align to business strategies while enabling enterprise efficiency and promoting cross-company collaborative innovation. Our group drives competitive advantage by enhancing our consumer experiences, enabling business growth, and advancing operational excellence. Global Information Security (GIS) provides services to protect the value and use of Disney’s information through collaboration, empowerment, and education across The Walt Disney Company.

Team Description:

At Disney, innovation and imagination fuel everything we do. The InfoSec Governance, Risk & Compliance (GRC) team is not just a guardian of standards - we are leaders who drive the evolution of information security. As a strategic powerhouse in the GIS organization, our mission transcends compliance, setting new benchmarks for risk intelligence, automation, and integrated governance. We aim to redefine what “great” looks like, pioneering visionary approaches that shape how Disney (and the industry) understands and manages security risk.

The GRC team is the pulse of Disney’s enterprise technology ecosystem. We don’t just follow regulatory mandates; we leap ahead, leveraging data-driven insights, advanced risk quantification, and automated control frameworks to empower business leaders and technologists. Our collaborative culture ensures that every corner of GIS speaks a unified risk language, propelling risk-aware thinking to the forefront of daily business decisions and fueling cross-company innovation.

By joining this team, you become a change agent, transforming GRC from a “checkbox” function to a dynamic, strategic enabler. You will lead and inspire a diverse, high-performing group that anticipates emerging risk domains, shapes industry-leading policy design, and drives measurable, business-aligned security outcomes. If your passion is to advance, not just meet, industry standards, and to make a lasting impact on a legendary brand’s global footprint, the InfoSec GRC team at Disney is your stage.

Responsibilities of Role (List in order of priority, first few bullets should be the most important):

• Transform GRC at Disney
  • Drive continous evolution of Disney’s InfoSec GRC program, replacing compliance-centric, checkbox-driven operations with a dynamic, risk-intelligence-led model that directly informs how Disney prioritizes investment, staffing, and remediation.
  • Define what “great” looks like, not by referencing existing standards but by advancing them. Develop novel approaches to risk quantification, compliance automation, and governance integration.
  • Partner with GIS Leadership and Segment CTO teams to ensure the GRC program functions as a strategic business enabler, translating complex risk landscapes into executive- and board-ready insights that drive confident decision-making.
  • Champion a culture shift across all of GIS and the broader enterprise: risk awareness is everyone’s job, and GRC’s role is to make risk-informed thinking intuitive, not burdensome.

• Risk Management Leadership
  • Oversee the development and ongoing operations of Disney’s comprehensive InfoSec Risk Management program, including the establishment, implementation, and continuous improvement of the enterprise Risk Management Framework.
  • Establish and operationalize risk tolerance frameworks in partnership with executive leadership, defining clear thresholds that translate business appetite into actionable security investment and prioritization decisions.
  • Build and mature a cybersecurity risk register that serves as the authoritative source of truth for Disney’s threat and control posture, dynamically integrated with threat intelligence, vulnerability management, and third-party risk inputs.
  • Drive risk-based prioritization across all InfoSec operational functions (engineering, red team, SOC, cloud security, etc.) - ensuring that every team’s roadmap is anchored in defensible risk reduction rationale, not reactive urgency.
  • Develop executive and board-level risk reporting that is clear, credible, and decision-ready; ensure Disney’s risk narrative is consistent from the CISO to the Audit Committee.
  • Lead efforts to quantify InfoSec risk in financial terms (FAIR or equivalent), enabling direct comparison of security investment across Disney’s ubiquitous businesses and against measurable risk reduction outcomes.
  • Lead a third-party and supply chain risk intelligence capability that goes beyond questionnaire-based assessments by integrating continuous external attack surface monitoring, threat intelligence on vendor compromise activity, and contractual control requirements into a unified third-party risk posture.

• Governance Program Leadership
  • Oversee the development, maintenance, and lifecycle management of enterprise-wide Information Security policies, standards, and guidelines, ensuring they are risk-based, clear, and aligned to business realities (not just regulatory checklists).
  • Drive automated policy enforcement and integration of governance requirements into the technology design lifecycle (DevSecOps, cloud provisioning, infrastructure-as-code, etc.), reducing reliance on manual control operations and attestation.
  • Lead the development of a policy effectiveness measurement framework that moves beyond “is the policy published and attested to?” toward “is the policy actually changing behavior and reducing risk?” (tracked via control telemetry, exception rates, and risk outcome data).
  • Pioneer a forward-looking policy architecture that anticipates emerging technology risk domains (AI/ML model governance, quantum-safe cryptography transition, agentic automation).
  • Oversee annual NIST CSF assessments and provide rigorous, actionable reporting to the CISO and senior leadership on program maturity and investment gaps.
  • In partnership with ISO teams, lead the Governance team in providing consultation to segments and business units, ensuring security requirements are understood, contextualized, and achievable - not perceived as obstacles.

• Compliance Program Leadership
  • Provide oversight across all regulatory, contractual, and policy compliance programs, including SOX 404, PCI DSS, K-ISMS, GDPR, COPPA, ISO 27001, and more.
  • Build compliance-as-a-service capabilities for technology teams: engineers and product owners access a self-service portal to understand what compliance requirements apply to their system, what controls are already satisfied by platform-level implementations they inherit, what evidence is auto-collected on their behalf, and what residual actions remain — compliance burden on tech teams is measured and systematically driven toward zero.
  • Proactively monitor the regulatory horizon: identify emerging requirements before they become mandates, and position Disney to comply with confidence rather than scrambling.

• Organizational Leadership
  • Lead, develop, and inspire a high-performing organization of ~40+ professionals across Governance, Compliance, and Risk Management.
  • Model and demand intellectual rigor, ownership, and a continuous improvement mindset - leading a team that challenges assumptions, identifies root causes, and delivers scalable and dynamic solutions.

Must Haves (Years of Experience, languages, programs, tools, etc.):

• Experience & Expertise
  • 12+ years of progressive experience in cybersecurity, technology risk, or technology compliance, with a minimum of 3 years in leadership roles overseeing GRC functions at enterprise scale.
  • Demonstrated track record of building and transforming GRC programs, moving organizations to risk-driven operating models.
  • Deep expertise across the full GRC spectrum: risk management (frameworks, quantification, reporting), governance (policy lifecycle, automated enforcement, metrics), and compliance (regulatory audit management, controls assurance, overall audit alignment).
  • Extensive knowledge of information security risk, governance, and control frameworks: NIST CSF, NIST 800-53, ISO/IEC 27001, PCI DSS 4.0, SOX ITGC, GDPR.
  • Proven executive presence: ability to command a room, build trust with senior leadership, and translate highly technical risk concepts into clear business language.
  • Strong experience in risk quantification methodologies (FAIR or equivalent) and experience driving financial-terms risk reporting for executive audiences.

• Technical Knowledge
  • Expert-level understanding of security audit methodologies, controls testing, and assurance processes across both IT general controls (ITGCs) and automated application controls.
  • Hands-on familiarity with implementing and operating GRC tooling and platforms (Archer, SailPoint, ServiceNow GRC, or equivalent).
  • Solid understanding of cloud security architecture and the compliance implications of cloud-native environments (IaaS, PaaS, SaaS) across major providers (AWS, Azure, GCP).
  • Familiarity with DevSecOps practices and the integration of security governance and compliance controls into software development and infrastructure deployment pipelines.

Nice To Haves (see above):

• Experience in the Media & Entertainment, Sports, Hospitality, and/or Retail industries.
• An understanding of the unique regulatory, content protection, and consumer-facing risks and compliance requirements of a global entertainment brand.
• Big 4 accounting firm experience (audit or advisory) with direct exposure to Fortune 100 technology and security compliance programs.
• CPA certification (active or expired).
• Experience operating in a large, complex, matrixed enterprise with multiple business segments, regulatory regimes, and stakeholder groups.

Education:

• Bachelor’s degree in Computer Science, Information Systems, Software, Electrical or Electronics Engineering, or comparable field of study, and/or equivalent work experience.
• One or more of the following certifications required: CISSP, CISM, CISA, CRISC.

The hiring range for this position in Orlando, FL is $197,500 to $265,000 per year and in Glendale,CA is $207,400 to $278,200 per year. The hiring range for this position in Seattle, WA is $217,300 to $291,500 per year and in New York, NY is $217,300 to $291,500 per year. The base pay actually offered will take into account internal equity and also may vary depending on the candidate’s geographic region, job-related knowledge, skills, and experience among other factors. A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.