Sr. Director, Governance, Risk & Compliance

Alnylam Pharmaceuticals, Cambridge, MA
$229,500 - $310,500, Hybrid

About The Position

Alnylam is pioneering RNA interference (RNAi) therapeutics and scaling for impact to millions of patients. Our Cybersecurity organization is evolving to match that ambition, and we are seeking a Senior Director of Governance, Risk & Compliance (GRC) to define, lead, and mature the governance, risk management, and compliance capabilities that protect our science, enable our business, and meet global regulatory obligations. Reporting directly to the VP/CISO, this leader will own Alnylam’s enterprise cyber risk management, regulatory compliance, and security governance programs. The Senior Director will be accountable for establishing a scalable, risk‑driven GRC operating model aligned with NIST CSF v2.0, Alnylam’s enterprise risk management (ERM) program, and applicable biotech and pharmaceutical regulations. This role balances strategic leadership with hands‑on execution, partnering across the business and IT functions. This is a hybrid role primarily based in our Cambridge, MA office.

Requirements

  • Bachelor’s degree in a relevant field; advanced degree (MBA, Master’s, JD) preferred.
  • 15+ years of progressive experience in cybersecurity, risk management, compliance, or audit.
  • 10+ years of leadership experience building and leading GRC, risk, or compliance teams.
  • Deep knowledge of NIST CSF, NIST 800-53, ISO 27001, and ERM frameworks.
  • Experience operating GRC programs in regulated environments such as biotech, pharma, healthcare, or life sciences.
  • Strong ability to translate complex risk topics for executive and board-level audiences.
  • Industry certifications such as CISSP, CISM, CRISC, or CISA strongly preferred.
  • Proven ability to influence across Security, IT, Legal, Audit, and business stakeholders.

Responsibilities

  • Lead and evolve Alnylam’s enterprise GRC program.
  • Define and execute a multi-year cyber risk and compliance maturity roadmap aligned to NIST CSF v2.0, enterprise risk management (ERM), regulatory requirements, and business priorities.
  • Own the cyber risk management lifecycle, including risk identification, assessment, prioritization, treatment, and executive-level reporting.
  • Establish and maintain security governance frameworks, policies, standards, and exception management processes.
  • Provide cybersecurity governance and risk oversight for GxP-regulated systems, ensuring alignment with data integrity, validation expectations, IT SDLC practices, and quality requirements across research, clinical, manufacturing, and quality operations.
  • Ensure security policies, standards, and risk decisions appropriately account for validated system constraints, change control requirements, and inspection readiness.
  • Oversee regulatory and compliance activities related to HIPAA, SOX, FDA-adjacent biotech regulations, computer system validation (CSV), privacy requirements, and emerging regulations (e.g., NIS2).
  • Lead internal and external audits, inspections, and assurance activities, including management of findings, remediation plans, and executive reporting.
  • Own and mature the third-party risk management (TPRM) program.
  • Embed cybersecurity risk considerations into system lifecycle and validation activities.
  • Define and track risk-based metrics and key risk indicators (KRIs) focused on outcomes, maturity, and remediation effectiveness rather than control volume.
  • Build and lead a high-performing GRC organization, fostering a culture of accountability, rigor, and strong cross-functional partnership.
  • Deliver clear, actionable executive- and board-level reporting.

Benefits

  • medical, dental, and vision coverage
  • life and disability insurance
  • a lifestyle reimbursement program
  • flexible spending and health savings accounts
  • a 401(k) with a generous company match
  • paid time off
  • wellness days
  • holidays
  • two company-wide recharge breaks
  • generous family resources and leave