Third Party Risk Manager Jobs in Bothell, WA (NOW HIRING)

Director, Cyber Security

Kirkland, WA · Remote

$165K - $200K/yr

Risk Management, Compliance & Third-Party Security · Oversee enterprise-wide cyber risk management strategy, including risk identification, prioritization, and mitigation aligned to business ...

Sr Director, Internal Audit

Seattle, WA · On-site

$200K - $320K/yr

Strengthen technology, cybersecurity, identity, and third-party risk assurance in close ... Have experience developing and leading senior audit managers and directors, building teams known ...

EE Technical Designer

Everett, WA · On-site

$50 - $80/hr

This role involves leading design efforts, managing configuration control, and collaborating with ... Familiarity with third-party risk platforms such as KY3P. * Experience in financial or technology ...

Lead AI risk assessments across the full model lifecycle - evaluating third-party AI vendors ... while managing risk intelligently * Represent the firm's AI governance posture externally ...


Third Party Risk Manager information

Salary chart for Bothell, WA (values shown: $57.6K, $124.7K, $190K)

How much do third party risk manager jobs pay per year?

As of Jun 27, 2026, the average yearly pay for a third party risk manager in Bothell, WA is $124,707.00, according to ZipRecruiter salary data. Most workers in this role earn between $100,600.00 and $144,200.00 per year, depending on experience, location, and employer.

What is the difference between a Third Party Risk Manager and a Vendor Risk Analyst?

| Aspect | Third Party Risk Manager | Vendor Risk Analyst |
| --- | --- | --- |
| Credentials | Certifications like CRISC, CTPRP often preferred | Certifications such as CRISC, CTPRP common |
| Work Environment | Oversees multiple vendors and third-party relationships at strategic level | Focuses on assessing specific vendor risks and compliance |
| Employer & Industry Usage | Used in finance, healthcare, and large corporations managing third-party risks | Common in IT, finance, and procurement departments |
| Search & Comparison Intent | Often compared for broader risk management roles | Compared for detailed vendor risk assessments |

The Third Party Risk Manager oversees the overall risk associated with third-party vendors, focusing on strategic risk mitigation. The Vendor Risk Analyst concentrates on evaluating individual vendors' risks and compliance. While both roles require similar certifications and work in related environments, the Risk Manager has a broader scope, whereas the Analyst specializes in detailed assessments.

What are the key skills and qualifications needed to thrive as a Third Party Risk Manager, and why are they important?

To thrive as a Third Party Risk Manager, you need a strong background in risk assessment, vendor management, and regulatory compliance, often supported by a degree in business, finance, or a related field. Familiarity with risk management frameworks, tools like GRC (Governance, Risk, and Compliance) platforms, and relevant certifications such as CTPRP (Certified Third Party Risk Professional) are highly beneficial. Excellent communication, analytical thinking, and stakeholder management skills set top performers apart in this role. These competencies are crucial for effectively identifying, mitigating, and communicating third-party risks to protect organizational assets and ensure regulatory compliance.

What is a Third Party Risk Manager?

A Third Party Risk Manager is a professional responsible for identifying, assessing, and mitigating risks associated with an organization's external vendors, suppliers, or partners. Their main job is to ensure that third-party relationships do not expose the company to undue financial, operational, regulatory, or reputational risk. This includes evaluating vendor security practices, monitoring compliance with contracts and regulations, and developing risk management policies. Third Party Risk Managers often collaborate with legal, procurement, and IT teams to safeguard the organization's interests. Their work is crucial in today's interconnected business environment, where companies increasingly rely on third-party services and products.

How does a Third Party Risk Manager typically collaborate with other departments to manage vendor risks?

A Third Party Risk Manager works closely with teams such as procurement, legal, IT security, and compliance to assess and monitor the risks associated with external vendors. They coordinate with these departments to perform due diligence, review contracts, and establish ongoing monitoring processes. Regular cross-functional meetings and clear communication channels are essential, as the role often requires aligning risk management strategies with organizational objectives and ensuring that vendor-related risks are identified and mitigated promptly.

Infographic showing various Third Party Risk Manager job openings in Bothell, WA as of June 2026, with employment types broken down into 2% As Needed, 79% Full Time, 17% Part Time, and 2% Contract. Highlights an 88% Physical, 6% Hybrid, and 6% Remote job distribution, with an average salary of $124,707 per year, or $60 per hour.

Executive Director, InfoSec Governance, Risk, and Compliance

The Walt Disney Company

Seattle, WA • On-site

Full-time

Posted 28 days ago


Walt Disney Company rating: 7.7 out of 10

Based on 126 frontline employees who took The Breakroom Quiz

4th of 48 rated entertainment


Job description

Job Posting Title:

Executive Director, InfoSec Governance, Risk, and Compliance

Req ID:

10152675

Job Description:

At Disney, we're storytellers. We make the impossible, possible. The Walt Disney Company (TWDC) is a world-class entertainment and technological leader. Walt's passion was to continuously envision new ways to move audiences around the world - a passion that remains our touchstone in an enterprise that stretches from theme parks, resorts and a cruise line to sports, news, movies and a variety of other businesses. Uniting each endeavor is a commitment to creating and delivering unforgettable experiences - and we're constantly looking for new ways to enhance these exciting experiences.

The Enterprise Technology mission is to deliver technology solutions that align to business strategies while enabling enterprise efficiency and promoting cross-company collaborative innovation. Our group drives competitive advantage by enhancing our consumer experiences, enabling business growth, and advancing operational excellence.

Team Description:

The Global Information Security (GIS) group provides services to protect the value and use of Disney's information through collaboration, standardization, enforcement, and education across The Walt Disney Company. The main focus areas of this group are: Reduce the risk of both accidental and malicious data disclosure; Identify, monitor, engage with complete inventory of information; Establish appropriate policies and procedures to be followed; Educate user community to minimize risk.

Disney's InfoSec GRC team is seeking a transformational leader to drive the next evolution of Governance, Risk, and Compliance across the enterprise. Reporting to the VP of Information Security, this role will lead the shift from a traditional compliance-driven approach to a modern, risk-intelligence-led model that enables better business decisions, strengthens security posture, and scales with Disney's global technology and content ecosystem. This leader will partner closely with GIS and business leadership to embed risk awareness into daily operations, ensuring GRC is a strategic enabler of innovation - not a barrier.

What You'll Do

Transform GRC at Disney

  • Drive the evolution of Disney's InfoSec GRC program from a compliance-centric model to a dynamic, risk-intelligence-led capability that informs enterprise investment and prioritization decisions

  • Define and elevate GRC standards by introducing innovative approaches to risk quantification, compliance automation, and integrated governance

  • Partner with GIS and segment technology leadership to position GRC as a strategic business enabler, translating complex risks into actionable, executive-ready insights

  • Champion a culture where risk awareness is embedded into daily decision-making, enabling intuitive and scalable risk-informed behaviors across the enterprise

Risk Management Leadership

  • Lead the design, implementation, and continuous improvement of Disney's enterprise InfoSec Risk Management Framework

  • Establish and operationalize risk tolerance models, translating business objectives into clear prioritization, investment, and remediation decisions

  • Build and mature a centralized cybersecurity risk register integrating threat intelligence, vulnerabilities, and third-party risk data

  • Drive risk-based prioritization across InfoSec functions to ensure measurable risk reduction and alignment to enterprise objectives

  • Deliver clear, credible, and decision-ready risk reporting to executive leadership and the Board, including financial risk quantification (e.g., FAIR)

Governance Program Leadership

  • Oversee the full lifecycle of InfoSec policies, standards, and guidelines, ensuring they are risk-based, actionable, and aligned with business needs

  • Embed governance controls into the technology lifecycle (e.g., DevSecOps, cloud, infrastructure-as-code), reducing reliance on manual processes through automation

  • Establish a policy effectiveness framework focused on behavioral change and measurable risk reduction

  • Define and advance governance strategies for emerging technologies, including AI/ML, quantum security, and autonomous systems

  • Lead enterprise maturity assessments (e.g., NIST CSF) to identify gaps and inform strategic investment decisions

Compliance Program Leadership

  • Provide oversight of global regulatory and contractual compliance programs (e.g., SOX, PCI, GDPR, ISO), ensuring consistency and scalability

  • Build and operationalize a "compliance-as-a-service" model that enables self-service, automates evidence collection, and minimizes burden on engineering teams

  • Monitor and anticipate changes in the regulatory landscape, proactively positioning Disney to meet evolving requirements

Organizational Leadership

  • Lead, develop, and scale a high-performing global GRC organization, fostering a culture of accountability, innovation, and continuous improvement

  • Drive organizational excellence through strong leadership, talent development, and a focus on delivering scalable, forward-looking solutions

What You'll Bring

Must-Have Qualifications

  • You will have 12+ years of progressive experience in cybersecurity, technology risk, or compliance, including 3+ years leading enterprise-scale GRC functions

  • You will bring structured problem-solving, audit rigor, and enterprise advisory experience

  • You will have industry experience within large, complex organizations, with the ability to operate effectively in highly matrixed environments

  • You will have a proven track record of transforming GRC programs into risk-driven operating models that influence enterprise decision-making

  • You will have deep expertise across risk management, governance, and compliance, including frameworks, policy lifecycle, automation, audit, and controls assurance

  • You will have strong working knowledge of industry frameworks and regulations, including NIST CSF, NIST 800-53, ISO 27001, PCI DSS 4.0, SOX ITGC, and GDPR

  • You will have demonstrated executive presence and exceptional influence skills, with the ability to operate as a trusted advisor to senior leadership and translate complex technical risk into clear business insights

  • You will have experience applying financial risk quantification methodologies (e.g., FAIR) to support investment and prioritization decisions

  • You will have a strong customer-focused mindset, ensuring GRC solutions enable the business and enhance - not hinder - user and product experiences

  • You will have experience leading in highly matrixed, global environments, driving alignment across engineering, security, and business stakeholders

Leadership & Transformation Profile (Critical for Success)

  • You will have a mindset of a thought partner - not just an operator - bringing a strategic, forward-looking perspective to GRC

  • You will have a track record of asking hard questions, challenging legacy ways of working, and driving meaningful change across organizations

  • You will have the ability to connect cost, customer experience, and operational efficiency into a cohesive, risk-informed strategy

  • You will have demonstrated success leading large-scale transformation initiatives, influencing without authority, and driving adoption across complex organizations

Technical Expertise

  • You will have advanced expertise in audit methodologies, controls testing, and assurance processes, including ITGCs and automated control environments (must have qualification)

  • You will have hands-on experience with leading GRC platforms (e.g., Archer, ServiceNow GRC, SailPoint)

  • You will have a strong understanding of cloud security and compliance across AWS, Azure, and GCP environments

  • You will have familiarity with DevSecOps practices and integrating security and governance into software development and infrastructure pipelines

Nice-to-Have Qualifications

  • You may have experience within media, entertainment, or similarly complex, consumer-facing industries

  • You may have experience from a Big 4 consulting firm.

  • You may have experience advancing emerging risk domains such as AI/ML governance, third-party risk, or next-generation compliance capabilities

Education

  • You will have a bachelor's degree in computer science, information security, or a related field - or equivalent practical experience

  • You may have advanced degrees or relevant certifications (e.g., CISSP, CISM, CRISC)

The hiring range for this position in Orlando, FL is $197,500 to $265,000 per year and in Glendale, CA is $207,400 to $278,200 per year. The hiring range for this position in Seattle, WA is $217,300 to $291,500 per year and in New York, NY is $217,300 to $291,500 per year. The base pay actually offered will take into account internal equity and also may vary depending on the candidate's geographic region, job-related knowledge, skills, and experience among other factors. A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.

Job Posting Segment:

Enterprise Technology and Data

Job Posting Primary Business:

Global Information Security

Primary Job Posting Category:

Security Operations

Employment Type:

Full time

Primary City, State, Region, Postal Code:

Seattle, WA, USA

Alternate City, State, Region, Postal Code:

USA - CA - 1200 Grand Central Ave

Date Posted:

2026-05-29


About Walt Disney

Sourced by ZipRecruiter

At Disney, we're storytellers. We make the impossible, possible. We do this through utilizing and developing cutting-edge technology and pushing the envelope to bring stories to life through our movies, products, interactive games, parks and resorts, and media networks. Now is your chance to join our talented team that delivers unparalleled creative content to audiences around the world. "We create happiness." That's our motto at Walt Disney Parks and Resorts. And it permeates everything we do. At Disney, you'll help inspire that magic by enabling our teams to push the limits of entertainment and create the never-before-seen!

Industry

Amusement, gambling, and recreation

Company size

10,000+ Employees

Headquarters location

Burbank, CA, US
