Risk & Compliance Engineer
Job ID 2026-1824
Description
WebMD is the most recognized and trusted brand of health information and the leading provider of health information services, serving consumers, physicians, healthcare professionals, employers and health plans through our public and private online portals and WebMD the Magazine. The WebMD Health Network includes WebMD, Medscape, MedicineNet, eMedicine, RxList, theheart.org and Medscape Education. Our consumer portals and mobile health applications provide engaging, relevant and credible health and wellness information, personalized health assessment tools and access to online communities.
WebMD is an Equal Opportunity/Affirmative Action employer and does not discriminate on the basis of race, ancestry, color, religion, sex, gender, age, marital status, sexual orientation, gender identity, national origin, medical condition, disability, veterans status, or any other basis protected by law.
About the role:
As a Vendor Risk & Compliance Engineer, you will be uniquely positioned to enhance Vendor risk program using AI that keeps our vendors and products aligned to frameworks such as NIST, HIPAA, and SOC2. You'll lead and conduct vendor security risk assessments end to end — integrate AI to improve accuracy, evaluate control effectiveness, quantify risk to the business, and partner with risk owners to drive it down.
Working under the Sr. Director of Privacy and Compliance, you will also own risk reporting for the team in OneTrust: keeping risk managers accountable for remediation and building the KRIs and KPIs that show leadership how we're trending. Beyond the day-to-day, you'll improve our assessment methodology and questionnaires and maintain them in OneTrust.
The ideal candidate demonstrates the ability to continuously identify & integrate AI to improve all aspects of the program, strong and practical GRC fundamentals and the judgment to prioritize real risk reduction over check-the-box control work.
What you'll do:
- Continuous improvement using AI into all aspects of vendor risk management
- Lead and independently prioritize a range of vendor security risk assessments — scoped by service type and integration profile (HIPAA, infrastructure, application, etc.) — to verify compliance with contracts and internal security policies and standards.
- Coordinate vendor information risk activities across procurement, legal, and the business, including assessment criteria and re-assessments, with a focus on SOC 2-dependent vendors.
- Partner with risk owners to design and negotiate risk treatment plans that prioritize genuine risk reduction over check-the-box control enhancements, and track them to closure.
- Lead vendor risk reviews in bi-weekly management meetings to drive accountability for remediation.
- Own risk reporting in OneTrust: ensure risk managers are tracking remediations, and develop and maintain KRIs and KPIs.
- Build, maintain, and improve assessment methodology and questionnaires based on NIST 800-53r5 and the NIST RMF.
- Embed security-by-design into projects and products to mitigate risk before it materializes.
- Support internal assessments and external audits.
What you'll bring:
- AI Proficiency aiming to improve accuracy and accelerate process improvement
- 4 –6 years leading vendor and third-party risk assessments (security, vendor, HIPAA, etc.) and managing identified risks to resolution. Security Assurance / Assessments experience is also acceptable
- Strong, practical command of risk and control concepts and GRC frameworks — NIST RMF, NIST 800-53r5, and related standards.
- Experience leading discussions with risk owners to develop, negotiate, and close out risk treatment plans.
- Hands-on experience with GRC / risk / compliance tooling (e.g., OneTrust, Archer).
- Experience building and maintaining organizational security risk metrics.
- Strong written and verbal communication and the organizational skills to manage competing deadlines with limited oversight.
- Ability to work independently while fostering cross-functional collaboration, with a consistent customer-first mindset and solid business acumen.
- Bachelor's or advanced degree in a Science, Engineering, Information Systems, or Cybersecurity field (preferred, not required).
Nice to have:
- Familiarity with AI/agentic systems and emerging AI governance frameworks (e.g., NIST AI RMF, ISO/IEC 42001) — helpful for assessing AI vendors, but not required.
- Relevant certifications (e.g., CISA, CRISC, CISSP, CCSP).
Salary range: $82,000 - $97,000
Bonus Eligible: This position is also eligible for a discretionary company bonus, based upon business results.
Benefits:
- Employees in this position are eligible to participate in the company sponsored benefit programs, including the following within the first 12 months of employment:
- Health Insurance (medical, dental, and vision coverage)
- Paid Time Off (including vacation, sick leave, and flexible holiday days)
- 401(k) Retirement Plan with employer matching
- Life and Disability Insurance
- Employee Assistance Program (EAP)
- Commuter and/or Transit Benefits (if applicable)
Eligibility for specific benefits may vary based on job classification, schedule (e.g., full-time vs. part-time), work location and length of employment.