Information Security, Senior Executive (1 year contract)

About WhiteCoat

WhiteCoat is a Singapore-headquartered omnichannel provider of integrated health and wellness services that serves as the first and single touchpoint for all care needs in Southeast Asia.

Since launching in 2018, WhiteCoat’s digital platform powers a wide range of services including tele- and in-person consultations, as well as medication fulfilment and diagnostic testing, across primary, specialist and allied care. With a focus on the B2B space, WhiteCoat has forged strategic partnerships with the region’s leading insurers, corporates and care providers, to provide accessible and affordable high-quality care to its users.

The Group currently has offices in Singapore, Indonesia, Malaysia and Vietnam. For more information on WhiteCoat, please visit https : / / whitecoat.global .

What you will be doing

The Information Security Senior Executive is responsible for embedding security into the entire software development lifecycle (SDLC). This role owns the application and product security roadmap, from initial design to deployment and operation.

You will safeguard our information systems by proactively identifying, assessing, and mitigating security risks in our software. This position acts as a critical bridge between development, operations, and security teams, ensuring our products are built on a foundation of security and trust.

Your accountability spans secure development practices, automated security testing (SAST / DAST), penetration testing, and vulnerability management, with a clear mandate to drive down risk without impeding engineering velocity.

Key Responsibilities :

1. Security Governance & Operations

Develop, implement, and enforce security policies, standards, and guidelines aligned with industry best practices (e.g., ISO 27001, NIST, OWASP).

Own and manage the regulator reporting workflow for security incidents and data breaches (e.g., PDPC, MAS, MOH), ensuring timely and accurate submissions.

Prepare and present a quarterly board-level metrics pack detailing our security posture, vulnerability status, testing outcomes, and risk landscape.

Monitor, assess, and respond to security threats and incidents in close coordination with the Security Operations Center (SOC) and IT teams.

2. Secure Development & Testing (DevSecOps)

Integrate and automate security tooling into the CI / CD pipeline at key gates :

Static Application Security Testing (SAST) on every pull request.

Software Composition Analysis (SCA) for dependency scanning on every merge.

Dynamic Application Security Testing (DAST) in pre-production environments.

Lead threat-modeling workshops with engineering teams to proactively identify architectural flaws and teach them to "think like an attacker."

Work directly with development teams to remediate identified vulnerabilities, providing clear guidance and promoting secure coding practices.

3. Penetration Testing & Vulnerability Management

Plan and manage a continuous program of internal and external penetration testing for applications, APIs, networks, and cloud infrastructure.

Oversee the budget for third-party security assessments to ensure specialized testing can be procured without delay.

Enforce risk-stratified Service Level Agreements (SLAs) for remediation (e.g., Critical : 7 days, High : 14 days), tracked transparently in Jira.

Validate remediation efforts post-testing and ensure all identified risks are formally closed or accepted.

4. Incident Response & Threat Management

Lead application-focused incident response activities, including investigation, containment, eradication, and recovery.

Conduct blameless post-mortems and root cause analysis for security incidents, ensuring preventative measures are implemented.

Run regular table-top exercises and purple-team drills to test and improve our response capabilities.

Track emerging threats, vulnerabilities, and exploits relevant to the organization’s technology stack and software supply chain.

5. Awareness & Training

Establish and lead a Security Champions Guild, embedding a security-focused engineer in each squad to act as a first-line AppSec advocate.

Provide technical guidance and hands-on training to development, QA, and operations teams on security best practices and tooling.

Promote a security-first culture across the organization, making security a shared responsibility.

Our Benefits

Make a Real Impact : Opportunity to contribute to a leading digital health company's rapid growth.

Fast-paced Start-up Environment : Experience an environment where you get to own and make tangible impact without bureaucracy getting in the way of rapid decision-making.

Great Team : Collaborate with intelligent, friendly, and supportive professionals from diverse backgrounds.

Hands-on Learning & Growth : Gain hands-on experience in strategy, partnerships, operations, and product innovation within a growing industry.

Competitive Compensation & Benefits : Competitive compensation and performance-based bonus.

How to apply

If you believe you have what it takes for this role, click ‘Apply’ and join us on our journey to make a positive impact on the lives of people through innovative healthcare solutions!

What we are looking for

Education & Certification :

Bachelor’s degree in Computer Science, Information Security, or a related field.

Relevant certifications strongly preferred (e.g., OSCP, GWAPT, GPEN, CSSLP, CISSP).

Technical Skills :

Deep expertise in application security concepts and frameworks (OWASP Top 10, SANS CWE 25).

Hands-on experience with SAST (e.g., SonarQube, Checkmarx), DAST (e.g., OWASP ZAP, Burp Suite), and SCA / SBOM tools (e.g., Syft, Grype, Snyk).

Practical experience conducting, managing, and interpreting penetration test results.

Proven ability to integrate security tools into CI / CD pipelines (e.g., Jenkins, GitLab CI, GitHub Actions).

Strong understanding of secure coding practices in languages like Java, Python, and JavaScript.

Proficiency in cloud security, with a priority on AWS (CIS Benchmarks, IAM), and familiarity with Azure / GCP.

Experience with Infrastructure as Code (IaC) security scanning (e.g., Terraform, CloudFormation).

Soft Skills :

Exceptional communication skills, with a proven ability to translate technical CVEs into business and product impact for executive stakeholders.

Strong analytical and problem-solving skills, with a proactive, detail-oriented mindset.

Demonstrated ability to influence roadmap trade-offs and collaborate effectively with Product, Legal, and Audit teams.