The Walt Disney Company

Executive Director, Info Security

Executive Director of InfoSec Governance, Risk & Compliance at Disney, transforming GRC programs for strategic business enablement and operational excellence.

Posted 5/30/2026 | Full-time | Seattle (also California, Florida, New York, Washington), United States | Level: Lead | Salary: $197,500 - $291,500 per year

Tech Stack

Tools & technologies
  • AWS
  • Azure
  • Google Cloud Platform
  • Cloud
  • Cyber Security
  • ServiceNow

About the role

Key responsibilities & impact
  • Transform GRC at Disney
  • Drive continuous evolution of Disney’s InfoSec GRC program, replacing compliance-centric, checkbox-driven operations with a dynamic, risk-intelligence-led model that directly informs how Disney prioritizes investment, staffing, and remediation.
  • Define what “great” looks like, not by referencing existing standards but by advancing them.
  • Develop novel approaches to risk quantification, compliance automation, and governance integration.
  • Partner with GIS Leadership and Segment CTO teams to ensure the GRC program functions as a strategic business enabler, translating complex risk landscapes into executive- and board-ready insights that drive confident decision-making.
  • Champion a culture shift across all of GIS and the broader enterprise: risk awareness is everyone’s job, and GRC’s role is to make risk-informed thinking intuitive, not burdensome.
  • Oversee the development and ongoing operations of Disney’s comprehensive InfoSec Risk Management program, including the establishment, implementation, and continuous improvement of the enterprise Risk Management Framework.
  • Establish and operationalize risk tolerance frameworks in partnership with executive leadership, defining clear thresholds that translate business appetite into actionable security investment and prioritization decisions.
  • Build and mature a cybersecurity risk register that serves as the authoritative source of truth for Disney’s threat and control posture, dynamically integrated with threat intelligence, vulnerability management, and third-party risk inputs.
  • Drive risk-based prioritization across all InfoSec operational functions (engineering, red team, SOC, cloud security, etc.), ensuring that every team’s roadmap is anchored in a defensible risk-reduction rationale rather than reactive urgency.
  • Develop executive and board-level risk reporting that is clear, credible, and decision-ready; ensure Disney’s risk narrative is consistent from the CISO to the Audit Committee.
  • Lead efforts to quantify InfoSec risk in financial terms (FAIR or equivalent), enabling direct comparison of security investment across Disney’s diverse businesses and against measurable risk-reduction outcomes.
  • Lead a third-party and supply chain risk intelligence capability that goes beyond questionnaire-based assessments by integrating continuous external attack surface monitoring, threat intelligence on vendor compromise activity, and contractual control requirements into a unified third-party risk posture.
  • Oversee the development, maintenance, and lifecycle management of enterprise-wide Information Security policies, standards, and guidelines, ensuring they are risk-based, clear, and aligned to business realities (not just regulatory checklists).

Requirements

What you’ll need
  • 12+ years of progressive experience in cybersecurity, technology risk, or technology compliance, with a minimum of 3 years in leadership roles overseeing GRC functions at enterprise scale.
  • Demonstrated track record of building and transforming GRC programs, moving organizations to risk-driven operating models.
  • Deep expertise across the full GRC spectrum: risk management (frameworks, quantification, reporting), governance (policy lifecycle, automated enforcement, metrics), and compliance (regulatory audit management, controls assurance, overall audit alignment).
  • Extensive knowledge of information security risk, governance, and control frameworks: NIST CSF, NIST 800-53, ISO/IEC 27001, PCI DSS 4.0, SOX ITGC, GDPR.
  • Proven executive presence: ability to command a room, build trust with senior leadership, and translate highly technical risk concepts into clear business language.
  • Strong experience in risk quantification methodologies (FAIR or equivalent) and experience driving financial-terms risk reporting for executive audiences.
  • Expert-level understanding of security audit methodologies, controls testing, and assurance processes across both IT general controls (ITGCs) and automated application controls.
  • Hands-on familiarity with implementing and operating GRC tooling and platforms (Archer, SailPoint, ServiceNow GRC, or equivalent).
  • Solid understanding of cloud security architecture and the compliance implications of cloud-native environments (IaaS, PaaS, SaaS) across major providers (AWS, Azure, GCP).
  • Familiarity with DevSecOps practices and the integration of security governance and compliance controls into software development and infrastructure deployment pipelines.

Benefits

Comp & perks
  • A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.
