Director, Cybersecurity & GRC
Form Energy · Somerville, MA · 2 wk ago
HybridInformation Technology$200k–$294k/yrFull-time
Role Description
As Form Energy matures and scales, the Director of Cybersecurity & GRC builds and leads our cybersecurity and IT governance, risk, and compliance programs. This is a CISO-track leadership role: you will set strategy and lead a team — a GRC Manager who owns IT general controls end-to-end, a Staff Security Engineer, and a Senior Security Engineer — while owning the security program, the policy and standards lifecycle, enterprise IT risk, and the external-audit relationship.
- Mature an ISO 27001-aligned information security management system and the controls a maturing, compliance-intensive company depends on, backstopped by an external advisor.
- Lead the cybersecurity program: endpoint detection and response / managed detection and response, email and web security, identity and access management, vulnerability management, threat detection, and incident response; manage security vendors and the managed SOC.
- Own IT governance, risk, and compliance — directing a GRC Manager who owns ITGC design, operation, and evidence end-to-end; the policy and standards lifecycle within an ISO 27001-aligned ISMS; the enterprise IT risk register; control mapping; and exception/issue tracking.
- Design a control framework synergistic across ITGC, SOC 2, ISO 27001, and NIST 800-171 / CMMC scopes as required by the business and customer contracts.
- Serve as the primary IT liaison to external auditors and readiness advisors — driving audit readiness, supporting fieldwork, and tracking remediation to closure; direct the external advisor backstop.
- Mature incident response and disclosure governance: incident response plan and tabletop exercises, and the cyber incident-disclosure and materiality-determination process in partnership with Legal, Finance, and IT, aligned to applicable regulatory and disclosure obligations.
- Establish data classification, retention, and encryption standards, and a vendor / third-party security risk program.
- Partner on the IT/OT security boundary and with product security, without owning operational technology or on-product (battery) cybersecurity.
- Report cybersecurity and compliance posture to leadership and governance bodies in clear, decision-ready terms.
- Lead, coach, and develop the cybersecurity and GRC team; hire selectively against clear capability gaps.
What You'll Bring
- 10+ years in cybersecurity and/or IT GRC, including 5+ years in leadership (CISO-track).
- Deep ITGC experience — control design, operation, and audit — in a compliance-intensive or scaling-company setting, with the judgment to direct a GRC Manager and external advisors.
- Breadth across the security program: IAM, EDR/MDR, vulnerability management, and incident response, with fluency in recognized frameworks (ISO 27001, SOC 2, NIST CSF / 800-53; NIST 800-171 / CMMC a plus).
- Experience as an external-audit liaison, plus policy authorship and lifecycle ownership.
- Strong people leadership and executive-grade communication, including board-quality reporting.
Preferred Qualifications
- Experience in manufacturing, energy, or critical-infrastructure sectors.
- Experience standing up a first-time formal IT controls environment in a scaling company.
- Certifications such as CISSP, CISA, CISM, or CRISC.
- Familiarity with privacy regimes (GDPR / CCPA) and AI governance frameworks (Form Energy’s AI governance is led separately within the Chief Digital Officer organization; this role collaborates rather than owns it).
Compensation Range
$199,950 - $293,835