“Security’s a troubling issue,” says Dug Song, the enigmatic co-founder, chairman and CEO of Duo Security, as he sits down with Eleanor Dallaway in San Francisco. “If you look at the structure of the industry, it’s basically a ‘lemon market,’ which is to say that people don’t know whether the products they buy work or not, and the only folks that benefit are the vendors.
“What happens is, they [vendors] come in, they give you this box that you plug in, it sits there, it does nothing and the vendor says, ‘see you’re more secure!’...but nothing’s actually happening.”
Perhaps not words you would expect to hear from someone who created his own successful security vendor, but as Dug divulges more, the reasoning behind his point of view not only becomes clearer, but rings truer.
“I feel like sometimes the tone and pace that’s set from the top of this industry in terms of what people expect, is not sane,” he adds. “People are [too often] expected to burn it at both ends and not have lives…but families and relationships fall apart because of that. A lot of what happens [in security] is pretty unhealthy.”
Dug’s both honest and resolute in his opinion; he knows it might be deemed controversial, but it’s clear that an unbalanced focus on money-making over customer and employee wellbeing in information security is something that has irked him for some time. In fact, it’s something that, at one point, almost led him to escape the industry altogether.
“A lot of my intention [therefore] in building Duo was not just to build a better kind of security company, but to build a better company in general,” he says.
Duo Security was founded by Dug and Jon Oberheide in 2010, headquartered in Ann Arbor, Michigan. The company developed quickly, opening offices across the US and in the UK within a few years, tripling its size between 2016-18 before being acquired by Cisco in 2018 for a staggering figure of $2.35bn in cash and assumed equity awards.
That merger was a clear reflection of the work that Duo has done over the last eight years in building the kind of workplace that empowers its people to design security products and services with the customer, and not profit, at the heart of its efforts.
“My early career was basically being a software communist”
Liquor Stores and Software Communism
As Dug harks back to his childhood years, he recalls that it was through his father that he first developed a love for technology and software.
Dug was born near Washington, D.C., the son of immigrants from Korea. He describes his father as “always a gadget guy” and Dug’s family home was brimming with “every possible kitchen gadget you can imagine, from food dehydrators to early bread makers.” He was put to work from a young age in his father’s liquor store where, taking responsibility for invoicing, he learned some vital skills in business management. He also had the opportunity to get his hands on new and evolving software platforms that not only sped up mundane tasks, but allowed him to hone and master his computing skills, from data entry to system hacking.
Fast forward a few years, and Dug was a student at the University of Michigan studying Computer Science before taking his first steps in the information security profession. He explains that it was his early experiences working as a software builder that molded his desire to create a security company that did things differently.
“My early career was basically being a software communist, developing all the open source software, things like OpenBSD and OpenSSH,” he explains.
Those early days included stints at the University of Michigan’s Information Technology Division managing security in the world’s largest production Kerberos environment (1994-1997 before graduating from the institution in 1998), and Anzen Computing, where he worked between 1997-1999 as a security architect and built the first commercial network anomaly detection system (later acquired by Check Point). After that, Dug, along with a handful of fellow ‘geeks’ and hackers, founded Arbor Networks in 2000.
“For many years, I built a bunch of products that really did make a difference, but only for the 1%,” he explains.
Dug says this was when it was “very clear that the internet was not safe for business at a really crucial time, when e-commerce was becoming a much bigger thing.”
In those days, he adds, giant organizations like eBay and Yahoo were having their entire online operations disrupted for fun by “15-year-old kids like Mafiaboy.”
Based in Michigan, Dug and his Arbor colleagues set out to solve that problem. “We found the way we had to do that was to sell security to people that had never bought it before, like the global carriers: AT&T, British Telecom, France Telecom, China Netcom, China Telecom,” he explains.
Ultimately, Dug was successful in his first taste of “venture-backed business” and also the challenge of building the kind of mission-driven organization that could address emerging global concerns.
“During those early years of Arbor there were the biggest bankruptcies in the history of global capitalism,” he explains. “We had customers like World Com and Global Crossing, who had executives facing jail, as we were trying to help ensure that the internet could be made safe for business, and for anything else. So that was the challenge, and we ended up being very successful with that – making a safer security backbone for the internet.”
Dug served as the chief security architect at Arbor for seven years, but what brought that journey to an end? From what Dug says, it sounds like he and his team did their job a bit too well.
“We basically had kind of wrapped everything up,” he says. “Everything from route optimization, peering analysis, traffic engineering, capacity planning – the products ended up being useful for peace time, not just war time,” he explains. “There were bigger challenges to be found elsewhere.”
“I want to build a platform of opportunity for every person that joins us”
A Better Kind of Company
Dug’s career path then led him to brief roles at Zattoo, where he worked as VP of engineering, and Barracuda Networks, serving as chief architect en route to the company’s IPO.
Then, in 2010, Dug teamed up with Jon Oberheide to found Duo Security, and their vision for the company was clear from the start: “to build an organization that tries to do right by others and to do the right things
in security.
“I think our approach has always been slightly different,” Dug explains. “We sold our first customer in our first month and basically designed a product with them; we committed to actually solving the customer’s issues for them and they committed to buying the resulting product. We have always partnered very closely with customers, not just to understand their security priorities, but their point of view.
“Every decision starts with asking: what’s the right thing for the customer? Then, what’s the right thing for our company? Then, what’s the right thing for our community? If those things align, then we go and do it.”
Dug says that the problem with the security industry is that it tries to solve the problem at the wrong layer. “Where security fails most often is at the intersection of people and technology. At Duo, we’ve always talked about democratizing security by making it easy and effective – something the industry has never really cared about.”
Dug believes that to build or reshape a better industry “we must help folk understand what better security looks like. We have to deliver it more effectively to their needs and build better products, but to do that you have to build a better organization that operates differently and has different beliefs about what’s required.”
At Duo, that starts from the moment an employee walks through the door on their first day, with Dug personally leading the orientation for every new hire at the company so that they not only understand Duo’s philosophy from the ground up, but they have the opportunity to become a part of its story.
“There’s a story arc to everyone’s lives and careers, and if we can understand what people are trying to do and present the right opportunities to them, they can do their best and highest work,” Dug says.
“I want to build a platform of opportunity for every person that joins us. When I manage, it’s important to me that we understand what people are trying to accomplish in their careers. I think of everyone who comes to Duo as a volunteer – no one has to be here! So the most important thing is to let them innovate and grow.”
Duo’s people-centric focus may have been explicit from the outset, but when it came to picking a name for the business, things were not so clear-cut to begin with. “We called it Scio Security [originally], and it was a terrible name,” Dug laughs. “It’s because we are near Scio Township in Ann Arbor, and Scio in Latin means ‘I know.’ So that sounded kind of cool: ‘I Know Security,’ but people couldn’t pronounce, remember or spell it!”
Dug explains that the right name for the company came about because its ultimate goal was to marry security with usability – two things that have so often been considered opposing concepts. Dug knew that if they could get that right, if they could create usable security, it would be a recipe for success. “So Duo Security made sense,” he says.
Simplicity, Empathy and Integrity
There really is something very admirable about Dug’s determination to look beyond making money and focus on people’s wellbeing to improve lives through better security. When asked to define exactly what it takes for a company like Duo to do that, Dug explains it comes down to three key values: simplicity, empathy and integrity.
“Simplicity is about making things easy,” he explains. “Empathy is not just about caring for the people you serve. For us, empathy is also understanding our customers’ point of view. It’s not enough to just make assumptions; I find that too often in security, people make assumptions and it’s [almost] a colonialist attitude – not that I want to get too political, but I feel like security often functions in this kind of really weird, fascist way. Then you have integrity, which is about always doing the right thing even when nobody is looking, which I think security companies somehow really fail to do over and over again.”
On the one hand, Dug continues, the consumerization of IT has been a wonderful thing for the world, but it has also created a lot of challenges and pressures for all companies, including a rise in shadow IT and loss of enterprise control.
Dug contends that security vendors have a responsibility to be better at security than their customers. “If you think about security products, they are just software that run typically in a position of privilege. So they’re dangerous – security software on average is much more dangerous to get wrong than almost any other kind of software.”
Cybersecurity has become the biggest geopolitical issue of our time, he adds. “When governments can’t keep their secrets safe, what hope does anyone else have? We want to make sure we provide security that everyone can use.
“I’m proud of the team and culture that we’ve built and the impact that we seem to be having on an industry that has lost its way a bit,” Dug says. “Security companies often spend more time admiring the problem than solving it. Making customers more successful at protecting themselves, that’s the goal to aim for.”
Hacking and Half Pipes
It’s clear that tech has always been a passion of Dug’s, but growing up he also found himself drawn to hobbies he refers to as “ritualized violence or some kind of transgressive behavior.”
Hacking was one of those, but so too was skateboarding, and interestingly, he sees some similarities between being on a board and much of what he has achieved in his professional career.
“80% of skateboarding is falling on your face,” he says. “It takes a certain kind of dysfunction, I guess, to really enjoy doing that, but it forces you to get better. You learn quickly by trying things. Skateboarding and hacking have things in common; it’s building on the creative work of others and being inspired by their transgression, but the magic of skateboarding, or even hacking, is that it’s not impossible to do. It does require some degree of skill, but most of the advances in this stuff is all mental.”
He adds that when kids watch skateboarders they see them do “these crazy things that nobody’s ever done before, and it’s not that they’re actually learning how to do a trick, they’re learning that it can be done. I think that’s what I love about that stuff; it sort of explodes the limits of your thinking.”
Dug is the proud father of two children, a 12-year-old son and an eight-year-old daughter. So, having achieved so much in the tech sector himself, the obvious final question for Dug is, are his kids tech and computing enthusiasts like their dad?
“I’m keeping them from that,” he says honestly. “My wife and I have very stringent controls over their screen time. I was really lucky not to get into too much trouble as a kid, but I think it’s much easier to get into trouble online now.
“All things in moderation, ‘the middle way,’ as my Buddhist father would have said,” he says with a smile. That doesn’t sound like a bad plan at all, Dug!
Cisco Acquires Duo Security
In August 2018, Cisco announced its intent to acquire privately-held Duo Security, with co-founder, chairman and CEO Dug Song continuing to lead Duo as it joins with Cisco’s Networking and Security business.
“Duo was on track to become a public company, with no intention of looking sideways,” Dug explains. “Our goal has always been to make security easy and effective for all, and we have done so by building a very different kind of company, not just better products.”
He says that when Cisco, in the midst of their own journey to cloud and software-as-a service (SaaS), approached with a broader vision that mirrored Duo’s, the firm saw a unique opportunity to not just accelerate its own business, but to help transform the security industry.
“Duo and Cisco have a shared set of cultural values that define who we are and how we operate,” Dug says. “At a time when ethics are a concern at many technology companies, Cisco’s dedication to corporate social responsibility, diversity and inclusion, and conducting itself in an ethical manner, was central to our decision to join the Cisco team.”
So, post-acquisition, what does Dug think the future will have in store as Duo embarks on a new, exciting chapter alongside Cisco?
“Catalyzing the transformation of Cisco to cloud and subscription, but also to a simpler, zero-trust security architecture for many more customers around the world,” he says. “The security industry is littered with point products that are difficult to use and integrate, and are even harder to buy and manage. It ends up being a limited market of buyers willing to suffer all this cost and complexity, versus all the organizations that actually need security.
“We’re excited to work with many more customers, and provide even more integrated value to them through the combination of our technology and business model with Cisco’s,” Dug says. “We have one office outside the US, they have hundreds; we have 14,000 customers, they have over 800,000. Together, we can build trust and defend against threats so people and their organizations can do what they’re supposed to do.”