Lessons From (Re)Building A Security Company From Scratch

Forbes

21-04-2025

Christofer Hoff is the Chief Secure Technology Officer of LastPass.
getty
I've always admired the Roman architect Vitruvius, who once said that if you're going to build something, it ought to be beautiful, strong and useful. After spending the past two and a half years building the software and platform engineering teams, as well as a new security organization, at LastPass, I've come to truly understand how right he was.
I joined LastPass in 2022 as its chief secure technology officer (CSTO)—combining security and technology into one role—an opportunity I couldn't resist.
The business was taking the first of many steps to spin out from its parent company and form a stand-alone company. A whole new executive team of industry veterans was at the helm, setting out to deliver on the promise of tackling the decades-long, ever-complex challenge of passwords—making them more secure and more convenient for people and organizations.
This was my opportunity to integrate security by design, not just into the company's operations but throughout the entire product development life cycle. I would work alongside the leaders we had assembled to build something beautiful, strong and useful from the ground up.
Three months after I joined LastPass, the company was the target of a sequenced set of two security attacks that spanned multiple months and threatened to derail everything we were working toward. But in the end, it didn't. In fact, the security incident acted as an accelerant for the people, process, technology, controls and infrastructure initiatives we already had planned to build while establishing a new company from scratch.
In reflecting on this experience, I hope to offer something relatable in its honesty, strong in its lessons and useful to anyone tasked with rebuilding—not just systems, but trust. Here is how you can do it.
From day one, I knew that security couldn't be a checklist—it had to be a blueprint. If you want to drive innovation while keeping trust intact, security, privacy and engineering must be tightly coupled.
It's important to consciously embed security into every phase of decision-making and build the right teams around it—architecture, threat intel, governance, detection and response. We did it intentionally and with buy-in from across the company, leveraging the outcomes of decades of experience to understand where security can be a differentiator and become a business-enabler.
As an example, and something unique among password manager providers, we built a dedicated threat intelligence team. With backgrounds in counterterrorism and financial services, this team monitors threats, delivers actionable insights and automates threat response to help protect our customers, data and company. It's not just a line of defense—it's a proactive, strategic asset that keeps us a step ahead. That's what it means to design with security at the core.
Security and engineering won't click together on their own. You need to define how they'll collaborate—and then back it up with process, structure and, most importantly, the right people. We hired brilliant engineers from world-class companies and combined them with our existing team. The mix gave us a rare advantage: experience, new ways of working and belief in the mission.
Hiring great people is step one. Step two is giving them the space, clarity and support to do their best work—especially under pressure. As a leader, your job is to make sure they know you trust them and to give them the resources they need to succeed.
We built an entirely new development infrastructure in months because the team believed they could. And they were right. Transparency was our prerogative, and that's why we documented how we made LastPass secure. We have a trust center where we reflect, and we've also created a publicly available compliance center for close to real-time monitoring of LastPass systems and access to the latest certifications.
We didn't just rebuild the platform; we reimagined it through the lens of the customer's experience. What did users need? Where were the friction points? What would make them feel safe, confident and in control?
That's what drives decisions—from introducing stronger password recovery options and implementing secure sharing to strengthening master password protections and encrypting sensitive data fields. Through hackathons, we've started to integrate new features and functions like AI into our platforms.
Under pressure, perfection is a luxury. Progress is a necessity. There were days when we moved fast because we had no other choice. But every sprint, every decision, every hard call got us closer. You need to be flexible, decisive and focused on what matters most—especially when time and attention are scarce resources.
I'll never forget the conversations I had with dozens of CISOs from our customer base—internalizing their concerns and their wishes for the new LastPass. The first time a CISO asked me, 'How are you doing?', I was moved to tears. Imagine possessing such empathy and grace.
This—the security and experience of the people behind our product—was our raison d'être, fueling us through every 20-hour workday. So here is my advice: Talk to your customers. Listen. Internalize what they're worried about. Let it shape your work. Then build something worthy of their trust.
That's what we did. We started with a mission, built a blueprint for success and responded to adversity with momentum through our people, empowered and enabled by the support of our leadership. We've seized a once-in-a-lifetime opportunity. We have built something beautiful, strong and useful—and so can you.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?