Skip to content

Information Security, Senior Executive (1 year contract)

    • Malaysia
  • Technology

Job description

About WhiteCoat

WhiteCoat (www.whitecoat.global) is a regional digital healthcare provider founded and headquartered in Singapore which has established itself as a trusted partner and leading provider in the digital healthcare space across Southeast Asia. WhiteCoat offers on-demand telemedicine services and other services through innovation and data-driven technology.

WhiteCoat’s core services include primary care tele-consultations, chronic disease management, health screening services and home-based medical services. As a digital healthcare leader, WhiteCoat partners insurance providers, conglomerates, and other private, government, and financial organisations to spearhead the way for wider access to affordable healthcare across the region.


What you will be doing

The Information Security Senior Executive is responsible for embedding security into the entire software development lifecycle (SDLC). This role owns the application and product security roadmap, from initial design to deployment and operation. 

You will safeguard our information systems by proactively identifying, assessing, and mitigating security risks in our software. This position acts as a critical bridge between development, operations, and security teams, ensuring our products are built on a foundation of security and trust. 

Your accountability spans secure development practices, automated security testing (SAST/DAST), penetration testing, and vulnerability management, with a clear mandate to drive down risk without impeding engineering velocity.

Key Responsibilities

  1. Security Governance & Operations

  • Develop, implement, and enforce security policies, standards, and guidelines aligned with industry best practices (e.g., ISO 27001, NIST, OWASP).

  • Own and manage the regulator reporting workflow for security incidents and data breaches (e.g., PDPC, MAS, MOH), ensuring timely and accurate submissions.

  • Prepare and present a quarterly board-level metrics pack detailing our security posture, vulnerability status, testing outcomes, and risk landscape.

  • Monitor, assess, and respond to security threats and incidents in close coordination with the Security Operations Center (SOC) and IT teams.

2. Secure Development & Testing (DevSecOps)

  • Integrate and automate security tooling into the CI/CD pipeline at key gates:

    • Static Application Security Testing (SAST) on every pull request.

    • Software Composition Analysis (SCA) for dependency scanning on every merge.

    • Dynamic Application Security Testing (DAST) in pre-production environments.

  • Lead threat-modeling workshops with engineering teams to proactively identify architectural flaws and teach them to "think like an attacker."

  • Work directly with development teams to remediate identified vulnerabilities, providing clear guidance and promoting secure coding practices.

3. Penetration Testing & Vulnerability Management

  • Plan and manage a continuous program of internal and external penetration testing for applications, APIs, networks, and cloud infrastructure.

  • Oversee the budget for third-party security assessments to ensure specialized testing can be procured without delay.

  • Enforce risk-stratified Service Level Agreements (SLAs) for remediation (e.g., Critical: 7 days, High: 14 days), tracked transparently in Jira.

  • Validate remediation efforts post-testing and ensure all identified risks are formally closed or accepted.

4. Incident Response & Threat Management

  • Lead application-focused incident response activities, including investigation, containment, eradication, and recovery.

  • Conduct blameless post-mortems and root cause analysis for security incidents, ensuring preventative measures are implemented.

  • Run regular table-top exercises and purple-team drills to test and improve our response capabilities.

  • Track emerging threats, vulnerabilities, and exploits relevant to the organization’s technology stack and software supply chain.

5. Awareness & Training

  • Establish and lead a Security Champions Guild, embedding a security-focused engineer in each squad to act as a first-line AppSec advocate.

  • Provide technical guidance and hands-on training to development, QA, and operations teams on security best practices and tooling.

  • Promote a security-first culture across the organization, making security a shared responsibility.

Our Benefits

  • Make a Real Impact: Opportunity to contribute to a leading digital health company's rapid growth.

  • Fast-paced Start-up Environment: Experience an environment where you get to own and make tangible impact without bureaucracy getting in the way of rapid decision-making.

  • Great Team: Collaborate with intelligent, friendly, and supportive professionals from diverse backgrounds.

  • Hands-on Learning & Growth: Gain hands-on experience in strategy, partnerships, operations, and product innovation within a growing industry.

  • Competitive Compensation & Benefits: Competitive compensation and performance-based bonus. 


How to apply

If you believe you have what it takes for this role, click ‘Apply’ and join us on our journey to make a positive impact on the lives of people through innovative healthcare solutions!


Job requirements

What we are looking for

Education & Certification:

  • Bachelor’s degree in Computer Science, Information Security, or a related field.

  • Relevant certifications strongly preferred (e.g., OSCP, GWAPT, GPEN, CSSLP, CISSP).

Technical Skills:

  • Deep expertise in application security concepts and frameworks (OWASP Top 10, SANS CWE 25).

  • Hands-on experience with SAST (e.g., SonarQube, Checkmarx), DAST (e.g., OWASP ZAP, Burp Suite), and SCA/SBOM tools (e.g., Syft, Grype, Snyk).

  • Practical experience conducting, managing, and interpreting penetration test results.

  • Proven ability to integrate security tools into CI/CD pipelines (e.g., Jenkins, GitLab CI, GitHub Actions).

  • Strong understanding of secure coding practices in languages like Java, Python, and JavaScript.

  • Proficiency in cloud security, with a priority on AWS (CIS Benchmarks, IAM), and familiarity with Azure/GCP.

  • Experience with Infrastructure as Code (IaC) security scanning (e.g., Terraform, CloudFormation).

Soft Skills:

  • Exceptional communication skills, with a proven ability to translate technical CVEs into business and product impact for executive stakeholders.

  • Strong analytical and problem-solving skills, with a proactive, detail-oriented mindset.

  • Demonstrated ability to influence roadmap trade-offs and collaborate effectively with Product, Legal, and Audit teams.

or