LastPass's Christofer Hoff on navigating incidents while building a security org from scratch

Written by Thomas Kinsella, Co-founder & CCO, Tines

Published on March 31, 2025

The Future of Security Operations podcast has officially returned for its sixth season and I can't think of a better guest to kick things off than Christofer Hoff. Christofer has over 30 years of experience in network and information security architecture, development, engineering, operations, and management, including security leadership roles at Bank of America, Citadel, and Juniper Networks. He’s currently Chief Secure Technology Officer at LastPass, a unique role that combines the duties of CSO and CTO, while also serving on the board at FIDO Alliance.

In this episode, Christofer and I discuss:

  • How blogging helped launch his security career

  • Merging the CTO and CSO roles at LastPass

  • Rebuilding LastPass’s 60-person security org from the ground up

  • Navigating tech debt and major incidents during an org-wide restructure

  • Communicating with customers and the broader community during incidents

  • The biggest AI-driven challenges facing his team — and how they’re tackling them

  • Passkeys, passwords, and the future of secure authentication

  • Using automation to drive efficiency

In this episode:

[02:00] How blogging landed Christofer his first couple of jobs in security

[06:50] Taking a more holistic approach to security through collaboration

[09:40] Rebuilding LastPass's security org from scratch

[12:03] Reflecting on incidents - what LastPass did right

[16:12] Communicating with customers and the broader community during incidents

[20:15] Navigating tech debt as a security leader

[23:55] The biggest challenges AI has produced for his team

[25:16] How LastPass uses an AI working group for decision-making

[29:00] The evolving challenges of browser security

[35:05] Passkeys, passwords and the future of secure authentication

[41:40] Tips on hiring and structuring effective security teams

[46:47] How LastPass creates efficiency through automation

[50:38] The biggest changes he'd like to see in security

[54:44] Connect with Chris

TL;DL? Read Christofer’s take on: 

The appeal of the security industry 

"I think it's the combination of the pace - it sort of just never stops - and I have really bad ADHD, so being able to be distracted, if you could call it that, but also focused at the same time, was fascinating... And security has become such a diverse field, or fields - you mentioned AppSec, there's infrastructure stuff, there's networking, there's identity, human behavior. There's an ability to gain so much experience across such a broad set of pathways. It's an amazing opportunity, if you can be comfortable being uncomfortable."

I love the challenge. I love the human element. I love the creativity, science, and artistry.

Leveraging cross-functional collaboration for a more holistic approach to security 

“Security is The Department of No - and it shouldn’t be. We should say yes, we should enable the business. If you’re developing technology of any kind, you need to understand the environment you’re in, and bring in people who can help make things as secure as you can. We took the opportunity to really embed security not just within our engineering teams, but across the entire organization - sales, marketing, customer care, finance, you name it.”

Building a new security team during major cyber incidents 

“I had been in the role for two months. My CEO and I had brought on a few executives, and we were preparing to separate the company. So the most obvious and important thing we had to do was build a secure, dedicated security team. Then in August 2022, there were two separate events... Everything was brand new - the SaaS apps, identity tenants, endpoints, controls; the 60-person security team had been created from scratch, every function within the security team was new, every process was new, we moved from the parent company's data centre to the cloud... It actually was pretty extreme. We did that within about 9 to 12 months while, by the way, having no additional downtime and dealing with the security incident and the outcomes of that as a brand new company, basically, all at the same time."

It was the equivalent of the analogy of running into a burning building.

His team’s response to high-profile attacks 

"There's a lot of lessons learned and things that, given the constraints and the circumstances, we absolutely could have done better... what I think we did right was we responded very quickly... from a technical perspective, I think the response itself was good... As well as what we did to mitigate the first stage of the attack - we basically took down development."

We didn’t just take it down and patch things - we literally rm -rf'ed the entire thing, nuked it and rebuilt it.

Customer communication around the incidents 

“The second phase of the attacks involved everything from malware exploiting vulnerabilities to third-party software attacking an employee’s home computer - you name it. There were gaps in what we knew and we had to get to a point where we understood whether there was impact to customer data or not, and it wasn’t clear at that point... I can't commend my team enough - as well as the dev team, sales, marketing, and executives. The entire company got behind making sure our customers were as informed as they could be, based on what we knew.”

My team and I were averaging about 20-hour days for about a year... When we got confirmation, the timing sucked, because it was like December 22nd. And it wasn't an issue of burying the news, literally six minutes after we got confirmation from the cloud provider about the files being accessed that we were interested in, we hit the “go” button, and we notified.

The added pressure of AI for security teams 

"All of the lines of business - sales, marketing, finance, HR, you name it - are desirous to run headlong into the efficiencies and wondrous outcomes and beneficial value creation that AI is currently espoused to produce. We're owned by a private equity company, and obviously, when you're talking about valuation and growth, they are especially attuned to how you can be more efficient, and spend capital well and deliver profit... but the tone, even in that industry, went from, 'Oh, my God! It's the greatest value-creation thing! Hurry up and deploy!' to 'Ooh, it's changing literally every eight and a half seconds!' and the notion of what this means to security and privacy and operational integrity. And just the ability for you to understand and control your environment is a challenge."

Ensuring a thoughtful approach to AI 

"These days you can't swing a dead cat without somebody rebranding their product and saying it does AI... but everything from a grammar checker that is literally transmitting everything you type to some third party needs to be inspected the same as a code completion technology or something from GitLab, for example, GitLab Duo. So we have implemented a ton of machine learning on the back end for stuff that we do internally within the product. But we are being very, very cautious and thoughtful about privacy frameworks, especially since we're a global company, and we have to deal with everything from GDPR to EU rules on AI usage and the usage of that data and the right to be forgotten, and all that stuff."

I've got local instances of Ollama and I build stuff in my spare time, and I understand how the technology is useful, but it's also pretty damn scary.

How LastPass uses automation 

"It's really around harmonization and leveraging fewer tools with better fidelity to enable better velocity, both for development but also for detecting things quicker and dispatching them, so not an uncommon story... People may have heard me on Anton Chuvakin's podcast, the Google Cloud Security Podcast, where I talked about Tines and how invaluable it is to us. It just allows and democratizes the ability to quickly stitch together disparate systems and things that we would not have the opportunity to do otherwise. And we'll be investing more in enabling that capability, because the more people can take what would be potentially unrelated things, leverage AI, leverage the capabilities that exist in platforms like yours, the better we all become."

We have an automation team that is 100% all-in on making use of (Tines). It ultimately allows us to tie together disparate systems that would not be able to be integrated without a massively larger team.
