Executive Director, Info Security

About The Position

Requirements

• 12+ years of progressive experience in cybersecurity, technology risk, or technology compliance, with a minimum of 3 years in leadership roles overseeing GRC functions at enterprise scale.
• Demonstrated track record of building and transforming GRC programs, moving organizations to risk-driven operating models.
• Deep expertise across the full GRC spectrum: risk management (frameworks, quantification, reporting), governance (policy lifecycle, automated enforcement, metrics), and compliance (regulatory audit management, controls assurance, overall audit alignment).
• Extensive knowledge of information security risk, governance, and control frameworks: NIST CSF, NIST 800-53, ISO/IEC 27001, PCI DSS 4.0, SOX ITGC, GDPR.
• Proven executive presence: ability to command a room, build trust with senior leadership, and translate highly technical risk concepts into clear business language.
• Strong experience in risk quantification methodologies (FAIR or equivalent) and experience driving financial-terms risk reporting for executive audiences.
• Expert-level understanding of security audit methodologies, controls testing, and assurance processes across both IT general controls (ITGCs) and automated application controls.
• Hands-on familiarity with implementing and operating GRC tooling and platforms (Archer, SailPoint, ServiceNow GRC, or equivalent).
• Solid understanding of cloud security architecture and the compliance implications of cloud-native environments (IaaS, PaaS, SaaS) across major providers (AWS, Azure, GCP).
• Familiarity with DevSecOps practices and the integration of security governance and compliance controls into software development and infrastructure deployment pipelines.
• Bachelor’s degree in Computer Science, Information Systems, Software, Electrical or Electronics Engineering, or comparable field of study, and/or equivalent work experience.
• One or more of the following certifications required: CISSP, CISM, CISA, CRISC.

Nice To Haves

• Experience in the Media & Entertainment, Sports, Hospitality, and/or Retail industries.
• An understanding of the unique regulatory, content protection, and consumer-facing risks and compliance requirements of a global entertainment brand.
• Big 4 accounting firm experience (audit or advisory) with direct exposure to Fortune 100 technology and security compliance programs.
• CPA certification (active or expired).
• Experience operating in a large, complex, matrixed enterprise with multiple business segments, regulatory regimes, and stakeholder groups.

Responsibilities

• Transform GRC at Disney: Drive continuous evolution of Disney’s InfoSec GRC program, replacing compliance-centric, checkbox-driven operations with a dynamic, risk-intelligence-led model that directly informs how Disney prioritizes investment, staffing, and remediation. Define what “great” looks like, not by referencing existing standards but by advancing them. Develop novel approaches to risk quantification, compliance automation, and governance integration. Partner with GIS Leadership and Segment CTO teams to ensure the GRC program functions as a strategic business enabler, translating complex risk landscapes into executive- and board-ready insights that drive confident decision-making. Champion a culture shift across all of GIS and the broader enterprise: risk awareness is everyone’s job, and GRC’s role is to make risk-informed thinking intuitive, not burdensome.
• Risk Management Leadership: Oversee the development and ongoing operations of Disney’s comprehensive InfoSec Risk Management program, including the establishment, implementation, and continuous improvement of the enterprise Risk Management Framework. Establish and operationalize risk tolerance frameworks in partnership with executive leadership, defining clear thresholds that translate business appetite into actionable security investment and prioritization decisions. Build and mature a cybersecurity risk register that serves as the authoritative source of truth for Disney’s threat and control posture, dynamically integrated with threat intelligence, vulnerability management, and third-party risk inputs. Drive risk-based prioritization across all InfoSec operational functions (engineering, red team, SOC, cloud security, etc.) - ensuring that every team’s roadmap is anchored in defensible risk reduction rationale, not reactive urgency. Develop executive and board-level risk reporting that is clear, credible, and decision-ready; ensure Disney’s risk narrative is consistent from the CISO to the Audit Committee. Lead efforts to quantify InfoSec risk in financial terms (FAIR or equivalent), enabling direct comparison of security investment across Disney’s ubiquitous businesses and against measurable risk reduction outcomes. Lead a third-party and supply chain risk intelligence capability that goes beyond questionnaire-based assessments by integrating continuous external attack surface monitoring, threat intelligence on vendor compromise activity, and contractual control requirements into a unified third-party risk posture.
• Governance Program Leadership: Oversee the development, maintenance, and lifecycle management of enterprise-wide Information Security policies, standards, and guidelines, ensuring they are risk-based, clear, and aligned to business realities (not just regulatory checklists). Drive automated policy enforcement and integration of governance requirements into the technology design lifecycle (DevSecOps, cloud provisioning, infrastructure-as-code, etc.), reducing reliance on manual control operations and attestation. Lead the development of a policy effectiveness measurement framework that moves beyond “is the policy published and attested to?” toward “is the policy actually changing behavior and reducing risk?” (tracked via control telemetry, exception rates, and risk outcome data). Pioneer a forward-looking policy architecture that anticipates emerging technology risk domains (AI/ML model governance, quantum-safe cryptography transition, agentic automation). Oversee annual NIST CSF assessments and provide rigorous, actionable reporting to the CISO and senior leadership on program maturity and investment gaps. In partnership with ISO teams, lead the Governance team in providing consultation to segments and business units, ensuring security requirements are understood, contextualized, and achievable - not perceived as obstacles.
• Compliance Program Leadership: Provide oversight across all regulatory, contractual, and policy compliance programs, including SOX 404, PCI DSS, K-ISMS, GDPR, COPPA, ISO 27001, and more. Build compliance-as-a-service capabilities for technology teams: engineers and product owners access a self-service portal to understand what compliance requirements apply to their system, what controls are already satisfied by platform-level implementations they inherit, what evidence is auto-collected on their behalf, and what residual actions remain — compliance burden on tech teams is measured and systematically driven toward zero. Proactively monitor the regulatory horizon: identify emerging requirements before they become mandates, and position Disney to comply with confidence rather than scrambling.
• Organizational Leadership: Lead, develop, and inspire a high-performing organization of ~40+ professionals across Governance, Compliance, and Risk Management. Model and demand intellectual rigor, ownership, and a continuous improvement mindset - leading a team that challenges assumptions, identifies root causes, and delivers scalable and dynamic solutions.

Benefits

• A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.