Drive continuous evolution of Disney’s InfoSec GRC program, replacing compliance-centric, checkbox-driven operations with a dynamic, risk-intelligence-led model that directly informs how Disney prioritizes investment, staffing, and remediation.
Define what “great” looks like, not by referencing existing standards but by advancing them.
Develop novel approaches to risk quantification, compliance automation, and governance integration.
Partner with GIS Leadership and Segment CTO teams to ensure the GRC program functions as a strategic business enabler, translating complex risk landscapes into executive- and board-ready insights that drive confident decision-making.
Champion a culture shift across all of GIS and the broader enterprise: risk awareness is everyone’s job, and GRC’s role is to make risk-informed thinking intuitive, not burdensome.
Oversee the development and ongoing operations of Disney’s comprehensive InfoSec Risk Management program, including the establishment, implementation, and continuous improvement of the enterprise Risk Management Framework.
Establish and operationalize risk tolerance frameworks in partnership with executive leadership, defining clear thresholds that translate business appetite into actionable security investment and prioritization decisions.
Build and mature a cybersecurity risk register that serves as the authoritative source of truth for Disney’s threat and control posture, dynamically integrated with threat intelligence, vulnerability management, and third-party risk inputs.
Drive risk-based prioritization across all InfoSec operational functions (engineering, red team, SOC, cloud security, etc.), ensuring that every team's roadmap is anchored in a defensible risk-reduction rationale, not reactive urgency.
Develop executive and board-level risk reporting that is clear, credible, and decision-ready; ensure Disney’s risk narrative is consistent from the CISO to the Audit Committee.
Lead efforts to quantify InfoSec risk in financial terms (FAIR or equivalent), enabling direct comparison of security investment across Disney's diverse business segments and against measurable risk-reduction outcomes.
Lead a third-party and supply chain risk intelligence capability that goes beyond questionnaire-based assessments by integrating continuous external attack surface monitoring, threat intelligence on vendor compromise activity, and contractual control requirements into a unified third-party risk posture.
Oversee the development, maintenance, and lifecycle management of enterprise-wide Information Security policies, standards, and guidelines, ensuring they are risk-based, clear, and aligned to business realities (not just regulatory checklists).
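The financial-terms quantification referred to above (FAIR or equivalent) is usually operationalized as a Monte Carlo simulation over two top-level factors, loss event frequency and loss magnitude, and the resulting annualized loss expectancy is what lets one control investment be compared with another in dollars. The following is an added illustration of that approach and is not code from the posting or from Disney: the scenario ranges, the assumed 70% frequency reduction from phishing-resistant MFA and the $200,000 annual control cost are constructed numbers, and triangular distributions stand in for the PERT distributions FAIR tooling typically uses.

```python
"""FAIR-style Monte Carlo risk quantification (constructed example, not Disney code)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario described by FAIR's two top-level factors.

    lef: (min, most_likely, max) loss events per year
    lm:  (min, most_likely, max) loss magnitude per event, in dollars
    In practice these ranges come from calibrated SME estimates; the ones
    below are assumptions made up for this example.
    """
    name: str
    lef: tuple[float, float, float]
    lm: tuple[float, float, float]


def sample_triangular(rng: random.Random, bounds: tuple[float, float, float]) -> float:
    lo, mode, hi = bounds
    return rng.triangular(lo, hi, mode)   # stdlib signature is (low, high, mode)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given a rate; Knuth's method is
    adequate for the small rates used in per-scenario FAIR analyses."""
    limit = math.exp(-lam)
    events, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return events
        events += 1


def simulate_annual_loss(rng: random.Random, scenario: Scenario, years: int) -> list[float]:
    """One simulated year = draw a rate, draw an event count, sum per-event losses."""
    losses = []
    for _ in range(years):
        rate = sample_triangular(rng, scenario.lef)
        events = sample_poisson(rng, rate)
        losses.append(sum(sample_triangular(rng, scenario.lm) for _ in range(events)))
    return losses


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile; input need not be sorted."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def apply_control(scenario: Scenario, name: str, lef_factor: float = 1.0,
                  lm_factor: float = 1.0) -> Scenario:
    """Residual scenario after a control that scales frequency and/or magnitude."""
    return Scenario(name,
                    tuple(x * lef_factor for x in scenario.lef),
                    tuple(x * lm_factor for x in scenario.lm))


def quantify(scenario: Scenario, seed: int = 7, years: int = 10_000) -> dict:
    """Annualized loss expectancy (mean) plus tail percentiles for board reporting."""
    rng = random.Random(seed)            # fixed seed keeps the report reproducible
    losses = simulate_annual_loss(rng, scenario, years)
    return {"ale": sum(losses) / len(losses),
            "p50": percentile(losses, 50),
            "p90": percentile(losses, 90),
            "p95": percentile(losses, 95)}


def compare_investment(inherent: Scenario, residual: Scenario, annual_control_cost: float) -> dict:
    """Dollars of expected loss removed per dollar of control spend."""
    before, after = quantify(inherent), quantify(residual)
    reduction = before["ale"] - after["ale"]
    return {"inherent_ale": before["ale"], "residual_ale": after["ale"],
            "risk_reduction": reduction,
            "reduction_per_dollar": reduction / annual_control_cost}


# Constructed scenario: credential stuffing against a partner-facing portal.
INHERENT = Scenario("credential stuffing, partner portal",
                    lef=(0.5, 1.5, 3.0),
                    lm=(50_000, 300_000, 2_000_000))
# Assumption: phishing-resistant MFA cuts loss event frequency by 70%.
RESIDUAL = apply_control(INHERENT, "with phishing-resistant MFA", lef_factor=0.3)
MFA_ANNUAL_COST = 200_000   # assumed, for illustration only

if __name__ == "__main__":
    for key, value in compare_investment(INHERENT, RESIDUAL, MFA_ANNUAL_COST).items():
        print(f"{key:>22}: {value:,.2f}")
```

The point of the comparison function is the last line of its output: a reduction-per-dollar figure is what allows an MFA rollout to be weighed against, say, an EDR expansion for a different scenario, which is the cross-business comparison the responsibilities above ask for. Tail percentiles are kept alongside the mean because a board audience usually cares more about the plausible bad year (p90/p95) than the average one.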
Requirements
12+ years of progressive experience in cybersecurity, technology risk, or technology compliance, with a minimum of 3 years in leadership roles overseeing GRC functions at enterprise scale.
Demonstrated track record of building and transforming GRC programs, moving organizations to risk-driven operating models.
Deep expertise across the full GRC spectrum: risk management (frameworks, quantification, reporting), governance (policy lifecycle, automated enforcement, metrics), and compliance (regulatory audit management, controls assurance, overall audit alignment).
Extensive knowledge of information security risk, governance, and control frameworks: NIST CSF, NIST SP 800-53, ISO/IEC 27001, PCI DSS 4.0, SOX ITGC, GDPR.
Proven executive presence: ability to command a room, build trust with senior leadership, and translate highly technical risk concepts into clear business language.
Strong experience in risk quantification methodologies (FAIR or equivalent) and experience driving financial-terms risk reporting for executive audiences.
Expert-level understanding of security audit methodologies, controls testing, and assurance processes across both IT general controls (ITGCs) and automated application controls.
Hands-on familiarity with implementing and operating GRC tooling and platforms (Archer, SailPoint, ServiceNow GRC, or equivalent).
Solid understanding of cloud security architecture and the compliance implications of cloud-native environments (IaaS, PaaS, SaaS) across major providers (AWS, Azure, GCP).
Familiarity with DevSecOps practices and the integration of security governance and compliance controls into software development and infrastructure deployment pipelines.
Tech Stack
AWS
Azure
Cloud
Cyber Security
Google Cloud Platform
ServiceNow
Benefits
A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.