Reflections on the RVASec 2025 Opening Keynote with Christofer Hoff
Cybersecurity conferences usually kick off with a bang—a thrilling case study, a headline-making exploit, or a bold prediction about the future. But this year at RVASec 14, the opening keynote took a different path.
Christofer Hoff, Chief Secure Technology Officer (CSTO) at LastPass—a hybrid CSO/CTO role—didn’t talk about tools, techniques, or emerging threats. Instead, he told a story. One that was raw, real, and deeply human.
Hoff joined LastPass just a few months before the August 2022 breach that sent shockwaves across the industry. At the time, the company was in the early stages of separating from its parent organization and just beginning to build its own security team. The biggest plot twist? Two of the team members were brand new on the very day the breach occurred.
While Hoff did touch on what they uncovered during the investigation, this wasn’t a technical postmortem. It was a personal one. And it carried a message we in the cyber community too often forget:
Every incident has a human cost.
The Emotional Whiplash of Incident Response
We talk a lot about playbooks, tabletop exercises, and dwell time. But what about the 2 a.m. Slack pings that spiral into 48-hour marathons? What about the death threats? The relentless questions from executives, media, and users?
“Why didn’t you stop this?”
“Why did it take so long to disclose?”
“Are you lying to us?”
Hoff didn’t shy away from these. He spoke openly about the toll the breach took on his team—the burnout, the guilt, the isolation—and the way our industry often turns on its own instead of addressing systemic failures.
One line stuck with me:
“At the end of the day, it’s all made of people — the threat actor, the responders, everyone. And it takes a toll.”
It’s easy to forget that behind every breached company, there are human beings doing their absolute best under impossible pressure.
Cybersecurity Eats Its Young
Our field prides itself on excellence, but when things go wrong, that pride can curdle into blame. Hoff reminded us that cybersecurity “eats its young” during a crisis—and nowhere is that more apparent than in the aftermath of a breach.
Incident response should be about more than logs and comms templates. It should include space for the emotional and psychological recovery of responders.
Because being resilient isn’t just about uptime—it’s about knowing when to rest, when to check in, when to say:
“You did your best.”
“Are you okay?”
We love to dunk on companies from a safe distance. Reddit and Twitter give voice to the armchair CISO in all of us. But real change starts inside our orgs. With leadership. With culture. With compassion.
What We Can Do Better
Hoff’s talk wasn’t just cathartic—it was a call to action.
Here are a few takeaways that stuck with me:
- 🧠 Normalize mental health support as part of incident response.
- 🕰️ Include recovery time for people, not just systems. That might mean actual time off to reset or reconnect with the family they’ve barely seen during triage mode.
- 🧱 Build cultures where psychological safety exists before the breach.
- 🙌 Respect the humans behind the dashboards.
Hoff also highlighted Cybermindz.org, a nonprofit working to address burnout and mental health challenges in our field. More of us should be paying attention to what they’re doing.
Final Thoughts: Every Threat Has a Tale
As much as we prepare for breaches, few of us are truly ready for what they take from us emotionally and mentally. Hoff’s story was a powerful reminder that resilience isn’t a buzzword—it’s a practice.
If we want stronger security, we need to protect the people doing the protecting.
Because behind every breach is a human story.
And those stories matter.
So check in on your teammates. Thank your responders. And if you’re one of them?
Take a breath.
You’re not alone.
