Episode 243: The CSTO is a thing: a conversation with Chris Hoff of LastPass

In our latest podcast, Paul caught up with Chris Hoff (@Beaker) on the sidelines of the Black Hat Briefings to talk about his new role as Chief Secure Technology Officer (CSTO?) at the password management firm LastPass, what the CSTO role entails, and how companies need to do more to confront the security implications of “software eating the world.” You can listen to our podcast using the player below, or check it out on iTunes, Spotify, Stitcher, Radio Public and [name your favorite podcast platform].


“Software is eating the world” was the now-famous observation made by legendary Silicon Valley venture capitalist Marc Andreessen. The phrase was intended to capture the trend of formerly brick-and-mortar businesses (indeed, entire industries) shifting to a software and services model. It’s how Amazon dethroned retail giants like Sears and Toys R Us, and how Netflix transformed movie-watching. Writing in 2011 in the Wall Street Journal, Andreessen predicted that, in the next 10 years, many more industries would be disrupted by software.

Software is eating security, too!

The last decade certainly proved him right. But what Andreessen failed to mention in that op-ed, and what escaped the attention of industry for years, were the unique new challenges and struggles that running an online, software-driven business presents. At the top of that list is cybersecurity. As we have seen, the rapid embrace of software as a service and the shift from on-premises to cloud-based infrastructure has amplified cyber risk and also spread it around in ways that are difficult to counter.

Christopher Hoff is the Chief Secure Technology Officer at LastPass

Enter the CSTO…

So what’s the solution? Alas, there’s no easy fix or silver bullet here, according to our guest this week, Chris Hoff (@Beaker), who stepped into the role of Chief Secure Technology Officer at LastPass, the cloud-based password management provider, in May. Prior to that, Chris was the head of BoA’s “Never Down” Critical Business Services group and a former CISO at Citadel.

In this conversation, which was recorded on the sidelines of the Black Hat Briefings, Hoff talks about his new role and new title. We talk about how the notion of a CSTO, something like a mix of CISO and CTO, is a response to the challenges of securing large-scale, highly sensitive cloud-based services in an age of stealthy supply chain compromises.

One note: this conversation took place before news of a security compromise at LastPass broke on August 25, which involved a breach of LastPass’s development environment. So, we don’t talk about that. Sorry.

Nevertheless, Chris and I do talk about the challenge of securing development environments and developers, and how security needs to be baked into each phase of the software engineering process and the software development pipeline. To start off, I asked Chris about his funky title, Chief Secure Technology Officer, and what his mandate was when he came on board at LastPass.

You can listen to our conversation using the player above, or download the MP3 using the button (below).


As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on Spotify, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.