Governing Body Spotlight


Governing Body Member of the New York CISO Community

David Bostrom

CISO, Americas

Boehringer Ingelheim

David Bostrom currently serves as the CISO, Americas at Boehringer Ingelheim, a leading pharmaceutical company focused on human and animal health. He has over 25 years of IT experience encompassing technical application support, engineering, quality assurance and testing, compliance, and security. He holds a Bachelor’s degree in Political Science from Southern Connecticut State University and a number of technical certifications in systems engineering and systems and network auditing. 

A fun fact about Dave: He enjoys playing soccer, woodworking, and reading in his spare time. 

 

Give us a brief overview of the path that led to your current role.

While my formal education was mainly focused on social science, I always had an interest in computers as a hobby. When I started my career in the telecommunications industry, I was able to rotate through a variety of technical and IT roles, including application support, software implementations, software development, and infrastructure.  

I left the telecom industry for the life sciences industry and joined Boehringer Ingelheim as a systems engineer, where I had the opportunity to further develop my technical skills and advance to more senior roles within the organization, eventually joining a team that managed our global security infrastructure. This was my first real exposure to a dedicated security role, and I thoroughly enjoyed the work. 

Through some organizational restructuring I had the opportunity to join our information protection and security team as a security analyst, where I was able to drive and implement security solutions, advance our supplier risk management program, lead our awareness program, and build a team. Recognizing the need to continually learn and stay current with security trends, I pursued and obtained relevant cybersecurity certifications and strengthened my cyber competencies, which led me to my current role as a CISO.  
 

What is one of your guiding leadership principles?

For me, it is about being authentic and transparent. It is absolutely essential for building trust in working relationships whether with my team or with colleagues and business leaders across the enterprise.
 

What is the greatest challenge your particular C-level role is facing today, and how are you addressing it?

CISOs are currently faced with a number of significant challenges, ranging from the current geopolitical climate, the explosion and adoption of AI, the ubiquity of cloud solutions, compliance with external regulations and laws, and persistent threat actors to name just a few. 

Additionally, attack surfaces continue to grow, making it increasingly difficult to defend the enterprise estate. Vulnerabilities and legacy technology further compound the already difficult task of protecting critical business assets.

Like many other organizations, our approach has been to adopt and drive a zero-trust model, while also continuing to evaluate and adopt new security solutions. Maintaining a high level of user awareness and a security-conscious culture is also critically important for us as we have over 53K employees around the world.

I continually look for ways to build security into our processes and keep our user base informed on current security issues. Lastly, I am also periodically updating our executive committee on our security posture and other risk mitigation activities to ensure leadership understands the value that cybersecurity brings to the organization.
 

What is the key to success for someone just starting out as a CISO?

Be a good listener and make a concerted effort to understand the perspectives and objectives of your business stakeholders. Gaining the trust and respect of your business partners is crucial for success in the CISO role. Demonstrating that you understand the importance of business outcomes and wish to be an enabler for those outcomes is a more effective strategy for driving security into the organization than simply preaching the technical benefits, which can be counterproductive at times. 
 

How do you measure success as a leader?

I tend to measure success as a security leader by looking at aspects that are hard to quantify. A key measure for me as a security leader is whether people are proactively approaching the security team to discuss and evaluate their business initiatives because they don’t fear a ‘no’ answer or see security as a barrier. Another is whether I observe the security-conscious behaviors I wish to see in our organization.

Perhaps most importantly, does senior leadership value updates on cybersecurity and continue to seek updates because there is recognition that cyber risk is a business risk? If I reach affirmative answers on these points, then I think I have achieved a measure of success as a security leader.
 

What is the value of being a member of Gartner C-level Communities?

For me personally, the value of being a member of Gartner C-level Communities is the ability to discuss and exchange shared experiences. The topics covered in town halls, in-person conferences, and the discussions we have together help to validate that I am on the right path as a security leader. The cybersecurity world is fraught with challenges and working together with other amazing CISOs and security professionals to keep the world safe is a truly rewarding experience.
 



Gartner C-level Communities Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.
 

