Director, Information Security

Job ID 2021-3153

Technology Portland, Oregon United States


WebMD's Health Services business enables employers and health plans to provide their employees and plan members with access to personalized health and benefit information, decision support technology that helps them make informed benefit, provider and treatment choices and provides telephonic health coaching services.

WebMD is an Equal Opportunity/Affirmative Action employer and does not discriminate on the basis of race, ancestry, color, religion, sex, gender, age, marital status, sexual orientation, gender identity, national origin, medical condition, disability, veterans status, or any other basis protected by law. 

The Director, Information Security, as a member of WebMD’s Information Security Office will work closely with product, development, and operations teams toward the adoption and continued execution of security best practices.

What You Will Be Doing at WebMD Health Services

  • Performing security architecture reviews; providing guidance to engineers and developers
  • Assists/ makes recommendations in the creation of security policy
  • Researches/recommends tools/ processes/ technologies for ensuring the security of WebMD
  • Oversee internal/external vulnerability scans and coordinate related remediation activities
  • Manage the successful delivery of Information Security projects.
  • Driving implementation of security tools and platforms
  • Guide the monitoring and testing of web applications for vulnerabilities (including SQL Injection, Cross Site Scripting, etc.)
  • Promote secure development and coding methodologies
  • Conduct internal security assessments of platforms and sites
  • Leads the resolution of security incidents including root cause analysis

This position requires a strong technical background in development/systems with in-depth knowledge of Information Security principles.  Strong written and communication skills are a must, as the candidate will work closely with IT and Business stakeholders.  The ideal candidate is innovative, resourceful, and self-directed, and enjoys working in a rapidly changing technical environment. 


  • Solid understanding of OWASP related vulnerabilities and mitigation strategies
  • 10+ years of technical experience including architecture review, web application development with an eye to security, vulnerability management
  • BS/MS in Computer Science or Technology or a total of 14 years’ experience in information technology
  • Strong knowledge of threats, vulnerabilities, attack methods and countermeasures for web-based applications, including threat modelling, secure coding, and vulnerability testing
  • Strong knowledge of information security technologies such as IDS/IPS, malware prevention, end-point protection, multi-factor authentication, security information and event management (SIEM), web content filtering, encryption, network access control (NAC), data loss prevention (DLP), firewall configuration and vulnerability scanners
  • Expertise in enterprise architecture, IT operations and database technologies
  • Experience in performing log collection, correlation, and reviews of automated alerts for items such as malware alerts, change detection alerts, security system health alerts, exploit attempt alerts, etc.
  • In-depth understanding of a variety of network and application attacks
  • Expertise in risk management processes and principles
  • Experience with client and internal audit requests
  • Ability to read, analyze, and interpret general business documents, technical procedures, or governmental regulations
  • Ability to write reports, business correspondence, technical documentation, and procedure manuals
  • Ability to effectively present information and respond to questions from groups of managers, clients, customers, and the public
  • Periodic business travel is required
Preferred skills:
  • Familiarity with regulatory requirements such as HIPAA, HITECH, GINA, CCPA and GDPR
  • Familiarity with security frameworks such as SOC 2, NIST, ISO/IEC 27001/27002, HITRUST, and PCI-DSS
  • Industry certifications such as GIAC and CISSP are a strong plus
  • Experience in personnel management

As a member of WebMD Health Services, you may have access to confidential and sensitive information (including Protected Health Information) that will require you to follow additional protocols to ensure the security of our data. As a core requirement, you must implement and act in accordance with the organization’s information security policies; protect assets from unauthorized access, disclosure, modification, destruction or interference; execute security processes or activities; and report security events or potential events or other security risks to the appropriate parties within the organization.