Dug Song: Values over valuation—reflections on building Duo Security and leading with purpose

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sid Trivedi (00:04):
Welcome to Inside the Network. I'm Sid Trivedi.

Ross Haleliuk (00:08):
I am Ross Haleliuk.

Mahendra Ramsinghani (00:10):
And I am Mahendra Ramsinghani. We have
spent decades building,investing, and researching
cybersecurity companies.

On this podcast, we invite you to join us inside the
network where we bring the bestfounders, operators, and
investors building the future ofcyber.

We will talk about the hard parts of the
founder journey, launchingcompanies, getting to product
market fit, raising capital, andscaling to an exit.

And, yes, we will also be talking about
epic failures.

But, Mahendra, we're here to make the founder
journey easier.

That is correct, Sid. But we cannot make

it too much easier because startups are
hard, And, of course, youalready knew that. Alright, you
two. Enough. Let's get startedwith this week's episode.

Our guest today is Dug Song. Dug is best
known as the cofounder andformer CEO of Duo Security, a
company that transformed the wayorganizations approach security
by making it simple, effective,and accessible. Under Dug's
leadership, Duo grew from asmall startup in Ann Arbor,

(01:28):
Michigan to a global powerhousewith over 50,000 customers. The
company was acquired by Cisco ineight years for over
$2,000,000,000. And here's thebest part.
Duo is probably the onlycybersecurity company that
consumed less than $20,000,000to reach a unicorn status. In a

(01:51):
day and age when the focus is onvaluations and hype, Dug's focus
continues to be on values andserving the customer. He is
actually the only unicorn CEO weknow who is embarrassed by that
term unicorn. Dug Zimpak goeswell beyond business success. A
self proclaimed softwarecommunist and a lifelong hacker,

(02:13):
he has spent his careerchallenging the status quo, be
it in security, company culture,or styles of leadership.
From his early working days onOpenBSD and OpenSSH to founding
Arbor Networks and now shapingthe next wave of innovation and
entrepreneurs, Dug's philosophyhas always been clear, or shall

(02:35):
we say Dug's dynasty, the Songdynasty has always been clear.
Put people first, solve realproblems, and challenge the
entire industry to do better. Intoday's conversation, we'll
explore his journey from agritty childhood in Baltimore
spent hacking to his approach ofbuilding a business, why he

(02:56):
believes security can be betterthan a used car lemon market,
and above all, how to build aculture that matters. Get ready
for an insightful, no nonsenseconversation with one of the
cybersecurity's most originalthinkers. Let us dive in.

Hi, Dug. Welcome to Inside the Network.

Dug Song (03:15):
Hey, Sid. Hey, Mahendra. Hey, Ross.

Let's get started with your early life way before
Duo, and let's talk about you asa kid. You started using
computers when you were aroundeight years old doing data entry
for your father's liquor store.I believe that was in West
Baltimore. You grew up as aKorean immigrant and, you know,
somebody who was working rightfrom the the early days. What

(03:40):
lessons did you learn duringthose early days that later
shaped your mindset as anentrepreneur?

Dug Song (03:46):
Yeah. Well, I guess part of that was realizing how
difficult entrepreneurship was.My dad, again, had had two
liquor stores. So the first wasin West Baltimore, the second
later was in Jessup, Maryland,about a mile from the state
penitentiary. And in both cases,these were not the best places
you'd wanna set that up.
And so so for a long time, Iprobably had a somewhat negative

(04:08):
impression, actually, of ofbuilding businesses and of of
all that. Although, I was proudproud of what my dad did as I
thought it was cool to go withhim to the store. I thought it
was not so cool that I workedfor so long for him for no
money, but, you know, that wasthe the price of having roof
over my head. But, yeah, I mean,I I saw my dad build it from
nothing. And and maybe moreimportantly, build it in
community with folks that, youknow, for me, formative in my

(04:32):
life in a different way.
Many folks later in my careerhelped me with, you know, access
to opportunity and so forth. Butin my dad's store, I saw a lot
of people who had basicallynone. And my my dad had hired
some homeless teens who lived inthe motel next door. He also
hired a a returned citizen fromthe the penitentiary who lived

(04:52):
in a abandoned milk truck in ourparking lot. And so I I saw
pretty early how business couldactually be a positive force for
good in creating kind ofopportunity for folks.
And, anyway, it has has somebearing on on how I thought
about building the companylater, but my company later. But
those early days, sort of seeingmy dad kind of make something

(05:14):
from nothing and and and bring alot of people with him along the
way was sort of the biggestimpression left of me that, you
know, business could be apositive force, right, in
society.

And was it your father who got you into to data
entry and tech and computers inthose early days, or was it just
yourself? You said, hey. Like,computers are a useful thing in
this case?

Dug Song (05:34):
No. No. No. Eight years old in the eighties. I've
no impression of of computingoutside of what my father had
brought home, but he was a hewas a gadget freak.
And so you you name kinda anypiece of consumer technology. We
had probably the earliestversion of it, the v one of
everything, of a of a breadmaker, first CD ROM sorry, CD

(05:54):
player, and early, you know, PC,XT, AT sort of days running a
liquor store off of softwarethat I don't know where he
found. It's called Retail Mate,but it was one of the first
piece of software, I think, forfor retail that I'd ever heard
of. But, yeah, it was it was itwas my access to a lot more
opportunity online pre Internetwith BBSs and all that kind of

(06:15):
things. So so I'm I'm very gladthat he was a gadget freak, you
know, that that definitelyrubbed off on me.

Dug, while at the University of Michigan, you
joined the hacker collectiveVooVoo alongside the future tech
leaders like WhatsApp's Yan Koomand Napster's Sean Fanning. Can
you share a story of how thegroup's culture impacted the way
you would eventually buildcompanies?

Dug Song (06:37):
Yeah. Yeah. I mean, you know, the group was never
intended to build companies. Youknow, we were just a bunch of
misfits on a misfit islandworking on, you know, computer
security really as a hobby, andand each of us coming for a
different place. Right?
We they led us there. Some of uscoming more from the kind of,
you know, legacy sort of BBSkind of world. Others of us I

(06:58):
think Matt Conover, who was thefounder of Boohoo, was I think
it was 14 years old, 14 year oldMormon kid in Salt Lake City.
And we never knew any of thisuntil we met at the first DEFCON
event that we all went to, andwe were shocked sort of seeing
what each other looked like and,you know, learning more about
each other's backgrounds. But itreally was sort of motley crew
of a bunch of folks who werejust just hacking for the fun of

(07:20):
it.
And the Wu ethos that I thinkwas really, I think, really
critical, right, to to all ofour kind of collect success
collective success was that itwas it was sort of a band of
brothers trying to work togetheron interesting projects,
learning from each other,building it's like you know, I
grew up skateboarding and doinggraffiti, punk rock, and

(07:42):
hacking. These were, like, youknow, my teenage hobbies were
all sort of transgression, Iguess, in some way or another.
But what's unique kind of aboutall of them is that they're
they're gift cultures. You know?They sort of really build upon
kind of the contributions oftheir members, people pushing
past and on top of kind of whatanyone else has ever done.
And so so, yeah, we validateeach other for the inspiration

(08:02):
that we had, right, for eachother in in creating new
technology. And a lot of thoseprojects were things that we
ended up working together on.Like like, Napster was a was a
project, right, that SeanFanning was working on because
he he didn't have access to allthe music, you know, that he
wanted. And so at a time wheremany of us were burning and
trading kind of, you know, CDRs,all this kind of stuff, sharing

(08:25):
music, pirate music that way.Nabs represent a way to do that
online that we just thoughtwould be cool for us and turned
out to be, well, verydisruptive, right, to the music
industry at large.
And so, anyway, so the otherthing that I think Wu also did
from a culture ethos perspectivewas everyone had really big
ideas. You know, we were alljust working on on projects that

(08:46):
ultimately just scratched ourown niches, but turns out there
are many, many more people thathad similar issues or concerns
that led to kind of bigopportunities from these these
things that we created. So so,yeah, there was there was a just
a a basic belief in our abilityto use technology to solve these
kind of interesting problems,and, again, a a very supportive

(09:07):
culture ethos of us all learningtogether how to do that.

It is interesting because the hacker collective
culture has essentially createdand shaped what we know today as
the cybersecurity industry. Butthen if we look at the present
day, there is no like, there isno longer that culture. So what
replaced it?

Dug Song (09:25):
Yeah.

What is the new incarnation of the of the hacker
collective?

Dug Song (09:29):
You know, I don't I don't I don't like to think that
that's really true. I think thatthere are probably still folks
out there that are kind ofbuilding things. Well, here's
what I'll say. I think there'sstill very strong hacker culture
at large writ large in the opensource community. Right?
We're open source. You know? I'mhere in Ann Arbor, which is an
old hippie town, you know, thebirthplace of the pseudo anti

(09:50):
war movement and birthplace ofpunk rock, know, icky pop, and
all these bands and stuff. And Isort of feel like open source
folks are, like, softwarecommunists or software hippies.
Right?
Like, you know, sort of havestill carry that kind of belief
and ethos and kind of workingtogether, right, on on on on a
shared sort of comments. And I Ithink that does exist in some

(10:12):
way. It's just that when moneycame into the security community
in the way of a securityindustry being born, right, of
our efforts, it made peoplesomewhat less less interested to
share or that some of this wentinto much smaller sort of groups
and forums in which that sharingwas sharing was happening in a
different way. So I I know thatthere are still groups out there

(10:33):
kind of, you know, working onprojects and doing things
together, but but it is weird. Istill hang out with a there's a
private group I have of a bunchof us old hackers from that era
of WooWoo and Teso and ADM andall these kind of elite hacker
groups or whatever, mostlyEuropean.
And it's it is interesting. Youknow, a lot of Zulu meant, like,

(10:54):
I don't even know where thisstuff happens anymore, but it
does. You know? I mean, inplaces like China or, you know,
places like Iceland or there'salways gonna be kids with
technology who are doing things,but if they're not supposed to.
So

One more question on W00tW00t, Dug. Did you and
the did did you and the the restof the hacker collective know
that you would go on and dothese amazing things? I mean,
it's just pretty incredible tosee that the quality of
companies that have come out ofa relatively small hacker
collective.

Dug Song (11:24):
No. I don't think no. Safe to say none of us had
inclination that, you know, wewe we've kinda build, you know,
successful businesses, right,from what we were doing. I mean,
some cases, you know, we hadinterest. You know?
Certainly, was a tech scenehappening, and there was, you
know, the rise of the Internetbubble and all those kind of
things. But most of us feltlike, in some respects, we had
missed some of that. You know?And so we were just screwing

(11:46):
around with stuff, exploringthings for for the sake of sort
of a better understanding howthis stuff works. We're finding
ways to sort of, you know, ifnot one up each other, you know,
sort of beat those systems.
You know? And so, you know, alot of I think what leads
particularly young adolescentmen to this sort of space is,
you know, it it's a it's alittle bit of bravado. It's a

(12:09):
little bit of male ego sort oflooking to take on these sort of
challenges, and and and there'sa whole socialization around
sort of hack the hackercommunity that's it's also
pretty toxic as actually as aresult of that. But I do think
the the positive angles on thatare that people figure out how
to sort of it is adversarial.Right?

(12:29):
You sort of beat each other atthese things. And I'm not a team
sports guy in any respect, but Ido think that hacking is one of
those things that comes close.Right? Because you sort of work
as a group to kinda figure outhow to go after something, a
piece of software, a group,another group, another
institution, organization. Andand, again, there's a there's a

(12:50):
real sense of accomplishment.
Right? And when and when you'veaccomplished those goals you're
after, right, going after it. Sobut, yeah, I I I think that kind
of ethos applied to tech meansthat you'll have founders who
will be successful almost nomatter what. You know you know,
Israel is a classic example,right, where, you know, you have
all these young 20 in Unit 8200,and, you know, they they're

(13:12):
given sort of the budget if notthe budget, at least the the the
scope of responsibility of,like, an NSA and all this. And
so they're they're driven bymission.
They're given all the resources.They have a bunch of training
and a short amount of time,which is to go and accomplish
some pretty outsized goals, tonof responsibility, It sets a
purpose. And so what do they doafter, you know, a couple years
and they're they no longer sortof have to do that as part of

(13:33):
the military? Well, they go intocompanies. And so, you know, so,
you know, for me, sort of thethat that Israeli program is is,
like, a natural kind of breedingground for the kind of
entrepreneurial mindset andproblem solving and, you know,
hacker ethos, right, that leadsto all these kind of which is
why we've seen so much successout of that that market.

(13:54):
So

You know, Dug, continuing on that cultural
national ethos of when you lookat Israel and 8200, you once
gave a keynote titled BadKoreans Do Good. Now, you know,
there is, of course,expectations of certain
stereotypes. You talked aboutthe male ego. You talked about
toxicity. You talked about howthe collective cybersecurity

(14:17):
world looks at Israeli founders.
Talk to us about the theKoreans. You know? There is not
much that has been celebratedabout Koreans. You're clearly a
leader in the community. Andtell us about the culture.
What were some positives? Whatwere some pressures on you
growing up in a Korean family?

Dug Song (14:33):
Yeah. Well, I think, you know, East Asian, South
Asian, actually, most immigrantcultures, you know, especially,
you know, for for transplantshere at The US. You know, it's
it's after you're a doctor,lawyer, engineer. Right? Sort
of, you know, you take yourpick, but you you have three
choices.
And, you know, that wasn'tnecessarily that different for
me, you know, the sort of set ofhigh expectations. But but to be

(14:54):
frank, you know, my both myparents were busy working. So I
was a latchkey kid. Like, manykids were in the eighties. I
didn't see my parents typicaluntil 9PM when they came home
from work.
And so from the 3PM when I cameback from school and then fed
myself and my sister some cansof Denny Moore beef stew and or
ho Hormel chili out of some somecans and microwave. You know, I

(15:16):
was kind of on my own. And soso, you know, the expectations
for me were just get the grades,do well in school, learn to
learn, and then the rest will beokay. I think it's true for a
lot of immigrant families.Right?
There's a the heavy focus oneducation and and academic
achievement leading to, again,sort of a natural sort of arc to
success in some way. In my case,you know, it I'm gonna say it

(15:40):
came naturally, but I was I wasfortunate that, you know, the
the the grades were prettystraightforward for me to to
get. And the rest of the time, Icould go screw around and, you
know, skateboard, spend all mytime in the streets or online
hacking or, you know, gettinginto other trouble. And it was
fortunate that, again, my my myparents were unlike many other
sort of Korean American parentsin that they were they were very

(16:02):
flexible in terms of what theysaw me do and success. I also
lost my father when I was 18.
So, you know, he was, you know,carjacked, stabbed 11 times, all
this, and I you know,occupational hazard in in kind
of running liquor stores, right,in in bad places. And so from
from college onward, I basicallyhad to kind of make it work on

(16:22):
my own. So I worked three jobsand kind of do all this stuff,
and and so I I think my mom wasjust happy that I was productive
and not not getting into toomuch trouble. I did have some
bit of issue as a freshman. Igot some I got caught hacking at
the university, but, you know,that's how I ended up with a job
working for university for fouryears doing security and
protecting them from people likeme.

(16:42):
And I was very proud of the factthat I I could end up paying for
my my tuition and extra my mysisters later through school
with it. And so so I don't know.I mean, I think, you know,
people often think ofparticularly East Asians and
South Asians, right, as kind ofmodel minorities, all this kind
of thing, but forgetting that,actually, some of these
communities have the widestdisparity in terms of, you know,

(17:06):
income and wealth and and allthis. And so so I say, like,
there's good Koreans or there'sso called bad Koreans, quote,
unquote. I just mean to say,like, you know, I was sort of
the kind of Korean in group in ain a liquor store.
You know, sort of different sortof family or home life. And and
so, again, you know, I think badKoreans can

do pretty can do good too. So And then,
Dug, what advice would you havefor or how do you see the next
generation where there is thisconstant internal debate amongst
the immigrant community? We grewup with a certain set of values,
but then here is America, whichis all about entrepreneurship,
all about breaking tradition,all about forging a new path.

(17:46):
But how do you align those twowhen you look at the next
generation?

Dug Song (17:50):
What advice would you have for the next generation of
Koreans? Yeah. Well, you know,it's just where I I mean, the
the South Asian community hassort of demonstrated. I mean,
again, look at Silicon Valley,look at, like, Thai, and look
at, you know, look at all thethe CEOs now of all companies.
Right?
And how how much success therehas been, right, from the DESI
community in this. And you seehow sometimes that traditional

(18:10):
focus on things like educationcan be an amazing grounding for
the kind of uniquely Americankind of ambition to go and and
create companies, to break withtradition, to start things, and
not just be great at executing.We're getting have getting
things done, but in ininnovating. Right? Solving

(18:31):
problems that we don't fullyunderstand often by doing things
we've never done before.
And so that sort of risk takingambition, right, which is I
think a I'm a I'm a say it'suniquely American, but I think
that is the American dream.Like, people come to this
country, right, wanting to goand and forge their own path and
create success and all that kindof thing. And if you pair that
up with, again, the kind ofjust, you know, cultural sort of

(18:52):
focus and discipline on oneducation and the, you know,
value and hard work and and allthis kind of thing, you know,
it's just think it'sunstoppable. And, you know,
there's a there's a bit ofadvice I do give, Asian dad
advice, Not me, but actually, II I reference Jack Ma, you know,
the former CEO of Alibaba, on onwhat an entrepreneurial career
actually looks like. I tellkids, like, it's not it's not

(19:14):
what you think.
You know? You you you go toSilicon Valley, and it's like,
oh, you should be, like, SteveJobs or Bill Gates or no. Any of
these folks that have, you know,dropped out of Mark Zuckerberg,
gonna drop out of college, youknow, go start a company. And
what you see kids doing whenthey do that is, like, you have
a hundred and one sort of barcrawl apps right, looking for
the the closest, like, barspecial or something. This is

(19:34):
not this is not a real problemor a real business.
And so Jack's rubric on this isquite different. He says, like,
in your teens, learn to learn.Right? Very Asian,
stereotypically. In your in yourtwenties, follow a good leader,
not a good company, because youalways have the opportunity to
go do a good company.
Right? Why park yourself at aMicrosoft or a Google or

(19:55):
whatever if, you know, you cango and if you want to be an
entrepreneur, go follow a goodentrepreneur. Right? See how
they move. See how they executewith all all the resources
needed.
See how they recruit people intothat program, right, that are
well beyond kind of anythingthat they they deserve to be,
anyone they deserve to be hiringat the stage of their business,
because there's a magic to that,right, to assembling kind of

(20:16):
that and and and what that kindof entrepreneurial leadership
and the risk taking and decisionmaking look like. And it's not
even really risk taking. It'sabout how you abate risk, right,
which is what those those folksdo really remarkably. And then
in your thirties, figure outwhat you're good at. You know?
Find find the industry or pathor figuring out what your
highest contribution is. Andthen your forties, then you

(20:38):
start. And that's that's verydifferent than, I think, the
American sort of model of, atleast, tech entrepreneurship.
We're like, oh, drop out ofschool, you know, raise a bunch
of money. And but it actuallytracks, right, with the results
we see, where we know that, youknow, entrepreneurs who have had
more professional experience andseem you know, figured out what
problems are worth solving theworld and kinda how they're best
suited to do it actually aremuch more effective in building

(21:00):
really significant companies.
And then the continuation ofthat is is, you know, in your
fifties, then you then you justreturn to better young people.
Right? So now you're you couldbe that good leader. Other
people follow. And then yoursixties, you should be drinking
a daiquiri on the beach.
And so, you know, I I reallylike that rubric, which is my
Asian dad sort of model forentrepreneurship. But, again, I

(21:23):
think I don't take credit forit. It's Jack Ma who is much
more smart much smarter than Iam.

Well, talking about your twenties and thirties,
let's talk about that earlycareer that that you had. And,
you you know, you spent sevenyears at a company called Arbor
Networks. You started off as afounding engineer. You built a
whole bunch of security tools. DSNIF is one of them that's well
documented.
You can easily search it onWikipedia and and learn about,
you know, the password sniffingcapability that you provided.

(21:50):
When you look back at those, youknow, early kind of formation
years in your career, was therea pivotal learning moment or
something you and and this couldbe a positive learning moment.
It could also be a failure thatyou that you experienced that
helped you and shaped you as aleader and as an innovator?

Dug Song (22:08):
Yeah. Well, from innovation perspective, I think
the other thing I realizedquickly is that in many cases,
security, the emperor has noclothes. Right? Like, as a as a
security person, you know, youryour sort of job as a
professional paranoia is todispel dispel all these myths
about, like, this this piece ofsoftware is really secure or
this these systems are viable.Like, a teenager, right, with a

(22:29):
little bit of time on theirhands and and Internet access
can actually really do a lot ofdamage.
They can kinda figure all thisstuff out. And so so, yeah, I
mean, a lot of my activitiesearly in my career, if you will,
was was simply just breakingother people's software. And
being on the offensive side ofof security and technology, you
realize really quickly that,actually, a lot of these
companies and a lot of theseproducts are not you know,

(22:51):
they're not anything that youcan do. I remember when we broke
Checkpoint firewall one. Youknow, we found, like, nine ways
through this thing and, youreverse engineered all their
authentication protocols, theirtheir VPN protocols, and, you
know, it led folks like MarcusRandom to contemplate whether
some of the things we found wereactually Massad backdoors,
right, in in these systemsbecause they were, like, zero

(23:13):
knowledge sort of exploitsagainst their authentication
protocols and so forth.
And we printed this all at BlackHat. It was interesting to me to
see the response, and I remembertalking to Nir Zuk about this
years later who had built allthis and because he had to go
and rewrite Checkpoint firewall.It's with Checkpoint NG. NG was
a result of us basicallydestroying his his first
product. Right?
And so and, you know, the thingyou kinda realize as a young,

(23:36):
somewhat brash attacker or, youknow, security researcher is
that, actually, you know,there's there's, you know,
there's so many more problemsstill to be solved, and,
actually, some of thesesolutions actually create their
own problems. And so for me, youknow, it's just kind of this
realization that, wait a second.You know, it's sort of like I
don't say the empire is allclosed, but, you know, in in
some cases, you know, securityproducts are some of the most

(23:57):
dangerous because they have somuch access. Right? And they and
they they sit in very importantpositions of privilege and
management and control that,again, they're they're huge
targets, right, for attackers togo after.
We know this now, right, seeingkind of all this this happened,
but back then, you know, it wassort of assumed that, no. These
these systems, these firewalls,and all these, you know, are are

(24:19):
sort of inviolable. But and sofor me, it created this
perspective that there's there'sreal opportunity to go after
still in security that you couldbuild where you even as, like, a
small new startup. And so,anyway, the the other side of
that was from pretty from Arbor,you know, two other things. One
was kind of we we built thatcompany to create kind of a
whole new category ofinfrastructure security for the

(24:41):
global carriers, a time where,you know you know, a single
teenage attacker like Mafia Boyin Canada could command
thousands of machines to gopoint at a, I don't know, a bank
and hold them hostage, andnothing no one could do anything
about it.
You know? Sort of realized that,wow, there's a fundamental issue
in terms of security on theInternet that is still unsolved.

(25:01):
And so we we worked really hardto create, you know, these kind
of systems as as globalsolutions from the from the
jump, and we're prettysuccessful in doing so. Just the
timing was quite difficult asthe market had imploded trying
to sell to global carriers whenthey were putting their execs in
jail during the telecom nuclearwinter in the early two
thousands that followed thefirst Internet bubble being
burst, taught me really quicklyabout the the need to be sort of

(25:23):
nimble in business. And so so acouple things.
One, you know, Arbor was a goodexperience, but a difficult one
in some ways because we builtwhat I thought was an amazing
culture and team. You know?Every company since since Arbor,
have had a group chat like IRCjust like we did in any of our
hacking groups, not the centerof it, until, you know, Slack or

(25:45):
HipChat first, and then yourSlack came and created the the
real opportunity in that market.But but we had a very online,
very open source, very hackersort of culture, right, to all
this that I've learned was wasreally fundamental to building
great products. The parts ofthat really got away from us,
you know, by the time we were onthird CEO, fourth head of sales.
You can really lose the soul ofthe business sometimes that way.

(26:07):
And so, again, one of the thingsI I I learned sort of deeply
from an experience that wasdifficult for me at Arbor was
how important culture andleadership really are. Because
in in a technology company, youhave nothing else. You don't
have factories or machines orland or, you know, all you have
are people. And if you cannotlead those people well with
integrity, with vision, withpurpose, with care, with with

(26:32):
inspiration, you really can'taccomplish more, right, together
than than you could apart.
And so you the balcony of ofreally organizational sort of
leadership is something that I II came to really respect and
value deeply when when it cametime to start something my own
company later.

After spending years in cybersecurity, you took
a fairly unusual detour joininga peer to peer TV startup around
the time when YouTube alsolaunched. Could you talk more
towards how did stepping outsideof security broaden your
perspective as a technologist,and, also, which of the new
ideas and perspectives did youlater bring back into security?

(27:08):
Thanks, Ross. This is animportant one because I, you
know, I think I used

Dug Song (27:12):
to joke with this about I used to joke with a
friend, Tom Tajik, who's a verywell known security hacker,
researcher, and, you know,erstwhile founder, about how all
of us who are secure seriousabout security, care about it
deeply or kinda grew up in it,all have to leave. Because at
some point, you realize how howbad the industry is. It's sort

(27:32):
of like, you know, crunch allyou want. You know, they'll
someone else will always makemore. You know, it's an
adversarial thing, so your yoursoftware doesn't go out of style
or is obsoleted by it is broken,right, frankly, by by attackers
or bypassed or all these kind ofthings.
And so so it's not a matter ofjust getting ahead, but to stay
ahead, right, in security in away that that is there's a real

(27:54):
cost, right, of of innovation.And but but also because of
that, customers are accustomedto buying things that they don't
really need. And and, you know,we we're not mature as a market,
as an industry, in securityengineering the way that, for
instance, like like NASA oreven, you know, you know, here
on on Earth, you know, our ourterrestrial sort of

(28:16):
transportation safety boardsare. Right? Like, a a plane
falls to the sky only the sameway maybe once or maybe twice
because that's why everyone hasblack boxes.
That's why, you know, there'san, you know, TSP that looks at
the root cause analysis and doesall this, and we sort of stop
kind of things from happening.But but in security, it's like,

(28:36):
wow. Even the same organizationsometimes are breached multiple
times the same way. So, youknow, it's like Groundhog Day in
in the worst way, oh, in Oregon,where things were not burning,
were not getting better, andthere's this hamster wheel of
pain, right, that companies areon. And so I do think sometimes,
you know, because of that,security can be a lemon market,

(28:58):
meaning it's like a used carmarket.
People buy something. They don'tknow if it's any good or not
until they've after they'vedriven it off the lot, then it
breaks down. They're like, oh,crap. I didn't realize this was
no good. But by that time, youknow, there's a company that's
already made money, and theyweren't and so I think there's a
there's a fundamental problem insecurity that way that for a lot

(29:18):
of a lot of security people,right, people who actually grew
up in this or really care aboutit deeply in this way and
identify with it, sometimes takea really cynical view of which
is, you know, wow.
The industry is is is snake oilor bad and blah blah blah. And,
you know, there's definitelysome some element of that truth
to that, and that's why I left.You know, I left security in a

(29:40):
go to inner TV because I felt itwas more honest living, and I
felt like I was tired of tryingto convince anybody that these
things are real problems ortrying to compete against, you
know, competitors who had wereselling a bunch of air. Right?
Like, you buy a box, put it inthe network, nothing's hap
nothing happens, and the vendorsee says, see?
You're more secure. Nothing'shappening. And I just was

(30:01):
growing tired of that kind of,you know, lack of value
proposition and and andchallenge, right, in in the
market. And so, anyway, we builtthis inner TV company. It was
our it was basically, like,atoning for my sins with
Napster.
You know, it was live streamingpeer to peer TV, very hard,
difficult technical problem tosolve, and one that we partner,

(30:21):
right, with, you know, thetraditional kind of industry
players to go and extend thereach, right, of terrestrial
broadcast or satellite to toInternet viewers and so forth.
But, anyway, you know, it was itstruggled for other reasons.
It's doing fine now, but, well,it turns out that, basically,
you don't need peer to peer. Itdoesn't matter to having a
theoretically perfectdistribution of video over
application that are multicast,you know, where one person one

(30:44):
household gets the stream forthe World Cup and shares with
everyone else, right, on theirsubnet. Doesn't matter.
Right? Unicast streams,polluting the backbone, all this
stuff are just fine when itturns out it's it's all a big
game theoretic model anyway ofeyeball providers dumping kind
of the ports to the contentproviders in settlement free
sort of ping agreements at themajor Internet exchanges, and no

(31:06):
one's paying for anything.Right? So, like, it turns out
that's just fine. And so there'sthere's other ways that the
world really works that kinda,you know, meant that our
approach wasn't needed.
But the lessons I learned otherthan technical around that were
that you can build a businessthrough word-of-mouth. Right?
Like, Zattoo is a company thatspent almost nothing on
marketing and did almosteverything to engineer a viral

(31:28):
acquisition model, right, wherewe we did track kind of the
viral k coefficient of ofinvites per user to any other
user. We figured out how todrive engagement right on the
platform. We figured out how to,again, scale these these
audiences, right, with withoffers and and things that we
could test in real time, right,and not not have to take out a

(31:51):
billboard ad and then see whathappened the next month.
Right? And so so there was athere was a consumer kind of
marketing angle, frankly, that Ipicked up from Zattu that we did
apply to some of what we did atDuo to make security something
that was much more accessible,widen the market for but, yeah,
it all came

from doing Internet TV. So, Dug, as you
look at your career arc, youknow, Ann Arbor or maybe going
back to, you know, WestBaltimore, Ann Arbor, then
Zurich I mean, from Zurich, youcould have moved to literally
any part of the world, you know,London, Silicon Valley, which is
like this crucible or a magnetfor people such as yourselves.

(32:34):
But you've been extremely loyalto your roots in Ann Arbor. You
know, I my one of my most vividmemories of you in Ann Arbor is,
like, you know, there's a cafeoutside Zinger Bend, Sweetwater,
where I was sitting, and I hearthis loud noise, and it
literally jolts me. And I seethe noise with the your
skateboard hitting that brick,you know, paved path outside

(32:57):
Zingerman's, and I see Dug'ssong like skateboarding pie.
So, I mean, you've been veryloyal to the community in Ann
Arbor. In fact, I remember thatyou also created a community at
at a brewery, a local brewery.You you'd repurpose that for a
entrepreneurial community. Tellus about this notion of
geography, entrepreneurship.What draws people like you to

(33:20):
certain geographies?

Dug Song (33:22):
Yeah. Well, you know, I I I happen to I didn't ever
have an intention to be inMichigan. I was in Maryland when
I was applying for college. Iapplied mostly to small liberal
arts colleges in New England,thinking I was gonna go major in
philosophy at a small liberalarts school, and I happened to
apply to Michigan because I hada friend who went a year ahead
of me and wrote back saying howgreat it was and how the
application was so cheap. Sothat was it.

(33:42):
You know? It was a cheapapplication, and I I did it
because my friend said, hey.It's a good it's a good fallback
option or something. Turned out,it was the best decision I ever
made. I I only realized thisafter I went to go visit some of
these schools in New England,Williams and so forth, and
realized, wow.
It's just a bunch of just abunch of white kids drinking in
the woods. Like, that's like notthat's just like not not for me.
And so I went to Michigan inpart also because, you know,

(34:06):
I'll just say, I I explored thenetwork from afar when I was
still in high school, and I'dnever seen a place with the kind
of network for students with thenumber of commercial unises, as
well as a what they call acenter for it was a
supercomputing center, but theycall it center for parallel
computing, the craze, and allthese systems that I had not

(34:29):
seen anywhere except NASA Ames.And won't really talk about that
right right now either, but,basically, you know, I was
amazed that a public researchuniversity would have all these
kind of resources for itsstudents. And so that's one of
the reasons I went.
That's the best decision I evermade. It was it was great. The
the difficult to hear me wasthat Ann Arbor is such a small
town, and I was used to, youknow, hanging out in cities.

(34:50):
But, you know, it was it wasit's a amazing undergraduate
experience, great place. And andwhat I came to appreciate was
every place is about something.
Right? Like and then Paul Grahamonce said something like this,
like, you know, New York isabout money, and LA is about
fame. Right? And and when I wasgrowing up, you know, being in
the shadow of DC, you know, DCwas about power. You know, San

(35:11):
Francisco was about disruption,right, whatever that was.
But a place like Ann Arbor, youknow, Ann Arbor was naturally
about ideas. It's a sort of deeprooted place. Like, it didn't
matter how much money you had.Didn't matter what like, it was
all about ideas and what crazyideas you had, and this goes all
the way back, right, to thehippie movement and the student
movement and, you know, allthese kinds of things. There's a

(35:33):
culture here, right, to kindaround this.
It's very, very deep. And so Ilove that. I love the fact that
I could be inspired. Like, theConor O'Neill's, you know, local
Irish pub trivia night, youknow, hearing all these amazing
people sort of killing it.Because, like, oh, man.
That person seems sounds like aworld expert on, I don't know,
Parkinson's disease or, like,whatever nerve neurodegenerative
disease because they are. Youknow? They're actually actually

(35:55):
the world after they're in abunch of books or or even other
people, like, I'm a theory ofrevolution or I love being a
place where there are peoplewhere it's about those kind of
ideas, and it wasn't just tech.And so though I love tech, I
sort of feel like tech is justsort of an approach or a skill
set, a tool in your toolkit toapply to all kinds of
interesting problems, butthere's so the world is a much

(36:17):
wider place and so amorous. I Ikind of fell in love with the
community of of people and ideasand idealists here.
The other thing I I'd say alsois that and I grew up in, you
know, in Baltimore and DC in acommunity of, like,
skateboarders and punk rock andall that kind of stuff. And I'll
just say, you know, like, myfirst concert music show was a a
very important band to me now.Well, you know, then too called

(36:38):
called Fugazi, which was I kindaimprinted on, and this is a punk
rock band that was very muchabout community. And every show
had nonprofits and would donatemoney to, you know, all this
kind of stuff. But I I thinkpunk rock in general is sort of
contrarian and very much aboutcommunity.
And and for me, a large part ofthat mindset you know, if
there's, like, a securitymindset, which we understand,

(36:59):
like, punk mindset is sort ofresisting this pressure to
conform but without being justcontrarian, which is its own
kind of conformity. Right? Andso I feel like, you know, from
that experience in kind of punkand growing up, I I learned how
to sort of rebel meaningfully. Ijust sort of stand for something
with integrity. And and here inAnn Arbor, you know, with all
these kind of big thinkers andstuff, I sort of feel like I

(37:20):
learned a lesson that, you know,the world is really resistant to
change and progress.
And so it's like purpose andmeaning and impact requires sort
of deep intention and actuallysometimes subversion. And from
hacking, like, we're pretty goodat that. So and so I I just feel
like I'm in the right place. Ifeel like this is my home. This
is my people.
This is the community that Icare about, and it's the

(37:42):
community that helped me buildmy company. And so, yeah, I feel
I feel like place matters, andmy ambition is to be a good
neighbor, be a contributingmember of my community. And,
also, it's fun. It's fun being apart of a place where you know
people, see them kind of buildalongside or with you for many
years, and where you're rootingfor them just as much as they're

(38:02):
rooting for you.

And so And, you know, it makes complete
sense, Dug. One sort ofobservation that I remember
having in Ann Arbor, which Ikind of sorely miss in San
Francisco, is that you couldwalk down and bump into somebody
who was working onnanotechnology. You could walk
down and bump into somebody whowas working on biotech, cancer
research. All this confluence ofdifferent brilliant minds in a

(38:26):
very small place was so amazing.And the valley, look, it is a
sort of somewhat of amonoculture in its own way.
There are now changes occurring,but I I see why you you speak of
Ann Arbor as a place of ideas.Talking

about Ann Arbor being a place of ideas, Dug, you
and John Oberheide, yourcofounder duo, came up with a
little idea that ended upbecoming a pretty big company.
You've talked about the earlydays in the past and other
conversations, and and you'vesaid that neither of you had any
intention of building a companywhen you got started, you know,
tinkering on the idea for whatended up becoming Duo Security.

(39:01):
Could you talk a little bitabout those early days, and how
did you switch from that how didthat mindset shift happen from,
you know, tinkering to actuallybuilding a business?

Dug Song (39:11):
Yeah. Good question. I I think for a lot of technical
founders, and I consider myselfone, though I was CEO of Duo, I
was you know, I mean, I grew uphacking, and, you know, my my
role had always been at thatwhen all these other companies
although at Zattu, the inner TVcompany, I was actually managing
engineering. Was VP engineering,not a cofounder, where I kinda
learned some management ropekinda learned the management

(39:33):
ropes in someone else's businessfirst. But with Duo, you know,
the idea for Duo kinda came outof working at Barracuda
Networks.
You know, Barracuda was acompany and and I don't know if
you had similar journeysyourselves or see this with
other founders, but I tellpeople all the time, there's a
time to earn. There's a time tolearn. I think Mark Sester had
something like this. But, youknow, my my point of view on

(39:55):
this is there's so many lessonsthat are better learned on
someone else's dime than thanyour own. And so I've kinda flip
flopped my career for kindastarting a business or then
joining someone else's orstarting you know?
Because, you know, you you canlearn a lot, right, from what
other people are doing. AndBarracuda, man, I I was I wasn't
there long, but it was it madean impression in a big way for

(40:17):
me because they had opened anAnn Arbor office. The the
company was based out ofCalifornia. The founder had been
Michigan alum, Dean Draco. ButI'll be honest with you.
I had friends of mine who weremaking fun of me for going
there. They're like, wait asecond, Dug. You're building all
this, like, super sophisticatedanomaly detection behavioral
anomaly detection kind ofsystems in your past in both
Anza and in both the at ArborNetworks, right, for wide area

(40:38):
as well as for, like, all thebig banks and financials. Like,
why would you go do open sourcespam appliance company? Like,
what what's that about?
And I didn't have a great answerfor them other than I saw them
kind of picking up into themarket that didn't seem to be
well served, right, which are,smaller businesses and folks,
you know and and I I felt kindof deeply that I watched as as

(41:00):
security had spread beyond kindof the purview of just the
banks, hospitals, andgovernments that had things to
protect than to every othertarget of of chance, not of
choice, right, that attackerswere going after with these, you
know, phishing campaigns andeverything else, sort of
indiscriminate hacking. And so Ileft Barracuda after learning

(41:22):
that there was a real marketopportunity in democratizing
security. Right? Because, Imean, Barracuda was amazing in
lot of ways. They were buildinga version of something like
Cisco or someone else might haveBlue Coat might have at, like, a
tenth of the cost.
Right? And with a model thateveryone said, oh, you know, you
crack the hood on, like, one oftheir boxes. You're like, wait a

(41:43):
second. This is, four year oldIntel cell alarm processor.
Like, why would anyone run this?
Like, what is this about? Andbut you realize that they're
they were it was kinda wild.And, again, I don't wanna share
too much about kind of theirtheir process or method or or
speak any way would beinterpreted natively, but they
were very clever or in terms ofhow they sourced not only
components and assembled kind oftheir their their platforms.

(42:06):
Although, I would say that theyhad, like, a new Harvard
generation every two weeks.Kinda kinda wild.
But even how they source theirtalent. Right? They were they
would pull people out of the gymafter seeing them, like, wow.
That guy is, like, in here allthe time. First in, last out.
Let's put them on the phones andhave them sell cybersecurity,
like, totally strange, but kindof amazing right now. They were

(42:26):
focused on kinda buildingoperational sort of excellence,
right, and what they were doingin in ways that were pretty
pretty different. But, anyway,long story short, you know,
Barracuda was one where I sawthe opportunity for for security
to be to really be much moremass market. I just thought that
we could do without the channeland without the hardware, but I
didn't know how or what we woulddo. All I saw were there were

(42:49):
companies that were being hackedthat didn't seem to have any
options.
You know? Like, who was actuallysolving for their needs? Are
they really gonna go deploy afirewall? Because and my my my
first company straight out ofcollege was a security
consultancy. You know?
Was for all the big banks incasinos and UN and and and so
forth. But the small businesses,they they had no chance, right,

(43:09):
at at securing themselvesmeaningfully. And so so we
didn't know. We didn't know whatit would be, and we were
screwing around with. And,actually, when I when I left
Barracuda, because I was thereto help, you know, them prepare
for what would be their IPO.
And when I left, you know, preIPO, my wife was six months
pregnant with her second child.She's like, what have you been
doing? Like, I do not understandthis logic. And for me, it was

(43:30):
it was more that, no. No.
No. I there's a problem to besolved here. I don't know what
it is. All I know is who I wannaserve. Right?
That there's, like I wanna buildsecurity from the 99%, not the
1%. Like, attackers are goingafter everybody, and no one has
a focus on kind of how how yousolve that. And so I said, I
don't I don't know what that is,but, you know, I I just think I

(43:50):
can do that in a way that's thatdifferent, maybe better than
what Vericat had done, but I hadno idea what that would be. I
just felt compelled to go in andtry. And and it was some of
these activities.
Like, I remember seeing a smallauto body shop here in Michigan
get get hacked by an attackerwho siphoned 3,000,000 out of
them, right, in this in thiswire transfer and their bank,

(44:12):
Comerica. There's a there's alawsuit you can look up on this.
Comerica Experimental was thethe business. You know, the
small auto body shop sued theirbank who had issued them RSA
tokens. And you look at this,and you're like, wait a second.
The bank did everything right.Right? They extended the best
security available to them,right, to the small customer,
and they still got hacked, andthey still have the money. And

(44:33):
so who's at fault? And herealized that, wait.
This is, a bad situation allaround. And and so anyway so,
you know, Jono, I pulled inafter I left Barracuda to go
start something, but we didn'tknow what it would be. And I
remember tell telling Jon, like,I don't know what we're gonna
do, but let's let's let's gohave some fun explore. He was in
in the second year of his PhD,so he was still a student, and

(44:57):
and we just started hacking. Ihad, like, came up with a bunch
of different ideas.
It was kind of a kind of a woowoo style kind of situation.
Like, this you know, here's,like, 20 different things we
could kinda work on as we did,and we tried kinda it was just
fun to hack with him. John wasmy my student intern at Arbor,
and so I knew what he wascapable of, and he's, like, a
ten year younger version of me.So, yeah, it was it was it was a
lot of fun just to hack around.But then we came across, you

(45:19):
know, something which was abunch of these folks we were
talking to.
Know, these these customers werelike, you know, the biggest
problem we have is is accounttakeover. I mean, they didn't
call it that at the time, butthere have, you know, people
losing their passwords to tophishing attacks and all that
kind of thing and then takingover kind of the infrastructure
or other business. And so we wefigured that we had to go and

(45:40):
solve that problem. I didn'treally want to go into two
factor authentication until, infact, when we looked at all this
and we had in fact, we hadactually worked with a reseller
that got us access to me more oftheir customers just to do some
customer discovery, do somecustomer reviews, and figure out
kind of what problems we'refacing and all this. And it was
actually very disappointing tous.
We realized that actually, youknow, strong but usable and
deployable two factor allocationfor this end of the market is

(46:03):
something that is a hugeopportunity that no one's really
addressing. And I was prettydepressed because, know, that's
like a thirty five year oldindustry, you know, security in,
like, the eighties and stuff.And so so I didn't wanna do two
factor, and neither really didJanu, but but it's end up being
what was most impactful andimportant for the customers that
we wanted to serve, and then wejust kept going from there. But
but, yeah, that was that waskinda what Barracuda was about

(46:25):
and leading us into kind of thisopportunity.

What was so unique about Duo is that the
company didn't really invent themultifactor authentication. As
you mentioned, it was a thirtyfive year old market. But what
it did do, it made it easy todeploy. It made it very easy to
manage. It made it very easy tooperationalize.
And it can indeed be said thatDuo was the first company in
security that has gotten to amultibillion dollar exit not

(46:49):
because it invented some kind ofa new way of securing
infrastructure, but because ofthe user experience. And what
are your thoughts around theimportance of of UX in in
cybersecurity?

Dug Song (47:01):
Yeah. No. I think I think it's just it was just
overlooked. I I think attackershad already changed their MO.
Right?
You know? And I was I was one ofthem. Right? Like, why did I
real build these stuff? BecauseI realized that actually it's
much easier to just tailgateusers in Right.
To access to systems andenvironments than than try to
break through firewalls.Although I did that too. And,
you know, users have always beenthrough that that that weak

(47:21):
link, and access is always king,right, for attackers. Right? If
you have access and, you know,to what users can do, you bypass
all other security controls,right, where you can simply put
on the janitor's uniform androam the casino freely, right,
like a casino heist.
And so, yeah, we we realizedquickly that there were kind of

(47:42):
three massive defects in termsof how strong authentication was
being done. One was not usable.Right? The hardware key, it was
the numbers that change everyminute, and, you know, all this
is just not really anythinganyone wants to do. Right?
So you basically just frustrateyour users, not the attackers.
The second was that, again,there's a tremendous cost,
right, to actually deployingthis stuff. Right? Putting

(48:04):
little tiny computers in thepockets of every employee. It's
like, you know, having to notlose them or put them in the
wash or, you know, whatever.
It's it's just not tenable. And,of course, integrating that
right in the path of everylogin, right, that you have to
protect is just really painful.And then the last is, you know,
it just it didn't provide formany buyers, for many customers

(48:25):
kind of the cost benefit, right,of what you know, they they
needed to protect themselves.They didn't understand how this
would actually really stop theproblem as a measure measure
first or last resort. Right?
Like, you know, at the time, wewere sort of so focused on,
like, well, prevention detectionis so much more important than
prevention because the attackerswill always get in. I was like,
this is this is sort offatalistic. But this notion of,

(48:46):
you know, the attackers willalways sort of get in, and you
just need to be able to detectthem and respond fast enough.
I'm like, well, there's a wholeclass of, you know, business
problems, right, in terms ofthat impact. Like, when I siphon
out your money at 04:30PM on aFriday, you know, just past the
Fedwire you know, ahead of theFedwire, you know, limit, and
you're not getting that moneyback.
There's no way to cover it.Like, that is a game over sort
of problem, right, for a lot ofbusinesses. And, you know, I

(49:09):
think it'll only later that VCssort of understood this when
some of their portfoliocompanies were the ones kind of,
you know, losing money out of,like, a $10,000,000 a round, all
being siphoned out by anattacker and no recovery. Now
those are things that I thinksort of shifted sort of the
mindset of investors thinkingabout this stuff too. But but,
no, I think of securityengineering and design
engineering as being two sidesof the same coin.

(49:32):
Right? Not not opposite.Everyone thinks, oh, security
and usability. They'reopposites, diametrically
opposed. Right?
You you can't have one withoutsort of sacrificing the other.
But my point of view is thatactually security engineering,
design engineering are the samething. It's how do you make the
right things happen by default?And so we just had a a strong
focus on how do we make thestrongest security the easiest

(49:54):
for people to go deploy and use.It turns out, you know, we were
at the right place at the righttime with the rise of the cloud
and the ability to deploy sortof services even to not software
applications, but hardware sortof devices, right, via the cloud
with a device actually alreadysitting in everyone's pockets in
the form of a cell phone, right,or smartphone, right, with

(50:14):
applications that we coulddeliver.
You know, we could create, youknow, traditional sort of Orange
Book terminology, a trustedpath, right, to that user
outside of kind of the main inline sort of band of of access.
We had all all the pieces weneeded to go and create
something that would actually bemuch better, but also easier to
use. And so that was really thefocus. And, again, as as as

(50:36):
particularly smartphones gotbetter. I didn't for many, many
years, I didn't have asmartphone.
I you know, John was all aboutit, thought because I think the
smart I think the iPhone wasless than two years old when we
started Duo. And I was like, oh,it's a fad. What's that crap?
You know? I I love you know?
Like, I remember I never had aBlackBerry, but I always wanted
one. I always thought thekeyboard was so cool. But, no, I

(50:57):
was I was admittedly a pessimistwhen it came to smartphone
adoption. John was like, no. No.
No. This is happening. But Ialso didn't trust it. You know,
part of it was like, I don't Idon't think you know, John,
like, you you and I know, like,we can hack the hell out of this
thing. Like, this is probablynot a very safe platform.
We we know we can probably takethis thing to the cleaners if we
wanted to, but it turns out, youknow, that all got better. We

(51:18):
had friends at all these places,at Google and at Apple, who
built security in instead ofwaiting it for debolted on. And
so for instance, there's no,like, antivirus market for iOS.
There never will be and nevershould be because, you know,
they they built in a secureelement. Right?
A hardware root of trust, atrusted execution environment,

(51:39):
road attestation protocols,secure boot sequence, road
attestation protocol. We allthese things that is basically,
again, the sort of delivery ofthe dream of the eighties or
nineties, right, of the orangebook. Right? Trusted computing
base, all that stuff. So, youknow, it's it's kind of amazing
how far we've actually come insecurity in some ways, but
really in the consumer sort ofsecurity in the consumer sort of

(51:59):
product world, right, not asmuch the security industry per
se, which might be a little bitcontroversial to say, but you
know, that's my story.
I'm sticking to it. So, yeah, sothat's that's kind of my
perspective. And and,increasingly, I think the future
for security is more of that.Right? Security that no one has
to see, no one has to deal withbecause it's just built in
versus being bolted on.

(52:20):
And it's integral part, right,of any of the systems that we're
using largely because thesehyperscaler platforms and, you
know, vendors, they own thehorizontal and the vertical.
Right? The Microsofts, theApples, the Googles, etcetera.

You clearly the decisions that you
made, Dug, at Duo when it cameto user experience and design,
the decisions you made that ledto solid engineering, that
translated into a lot ofcustomers, a lot of economic
value. What 50,000 customers,economic value would say two
plus billion that that Ciscopaid when they acquired Duo. How

(52:57):
did you continuing that arc ofmaking decisions between user
experience, between engineering,how did you navigate the
situation between Cisco versussaying, we could take this
company public? So it's it'ssort of classic classic
diversion of the roads to say,should I turn left? Should I
turn right?

Dug Song (53:16):
Yeah. That's that's a that's a tough one that I
haven't really talked very muchvery very much about. Yeah. It's
complicated. I'll put it thisway.
I think every CEO and founderand every CEO and every board,
you know, have fiduciaryresponsibility, right, to seek
the best outcome for for for acompany and its shareholders.
And, you know, Duo was one thatwe're you know, we were one of

(53:38):
the best performing SaaScompanies of all time. Like,
people don't really know a lotof this, but, you know, there's
a point every year which Duo wascash flow positive, right, for
almost all of our lifetime. Inever had to necessarily go out
and raise money, and we had alot of folks come to us
typically at the end of the yearbecause I would basically blow
them off. I had investors kindof reach out, and I'd say, look.
I'm busy building a company. Ifyou wanted to chat, you know,

(54:00):
why don't you come visit us inAnn Arbor at the end of the year
in December in Michigan? Veryfew of them did. The smart ones
all did, and they found that,you know, we were a company that
we didn't really need a lot.And, you know, ultimately, you
know, having raised hundred19,000,000, I spent 14 of it to
get to over a hundred million inARR and kept going.

(54:21):
And so, you know, we so we wereon the path to IPO, and and
there were a bunch of thingsthat were pretty remarkable
about kinda what that path wouldhave been in that you know, I
think only a hundred companieshad IPO ed, I think, since
twenty two thousand five. Iforget what it was. Well,
anyway, there's there's wholethis whole rubric that, you
know, our our lead bankers hadfor us on on on how special Duo

(54:42):
was, and, you know, I guessevery banker will make you feel
that way. But but here, theyhad, like, real details and and
stats and so forth that werereally interesting for us. And
so when we did get sort ofinterest, you know, like Cisco
came at us one year, and I waslike, nope.
No interest. You know? Sorry. Istill had to present to the
board, though, that, you know,that that there was that there
was interest. And and, ofcourse, you know, I my board was

(55:05):
long, the company.
No. No. Keep going. You know?Like, this is a distraction.
Don't worry about it. But but wedid end up I ended up making
sure that we ran a dual processbecause I said, look. Know, Ken,
if if this is sort of from one,you know, I'll just say that
this was not a great offer, butmaybe there's gonna be others.
And and, you know, there's I Ibelieve I believe at the time we

(55:25):
had a fiduciary duty to run downsort of a dual track and make
sure that people understood whatelse was going on out there, our
last look, basically, at theprivate markets before we went
to the public. And and so Ibuilt out, you know, kind of all
the things I needed to for ourIPO.
We had our ops meeting, puttogether the the consortium
bankers. We had built a publiccompany board. I was I that's

(55:46):
the thing I actually one of thethings I missed. Other than my
team, I miss the other team Ihad, which was my board, but I
loved my board. I built a reallygood board with people I really,
really respected and reallystill look up to and and still
stay in touch with.
But by the end of day, whenCisco came back to us with a
number that represented thelargest multiple ever paid for a
private software acquisition atthe time, you know, I I took a

(56:08):
pause for a a bit here with withwith Pajano and and and my CFO
at the time, who's not going tobe my public company CFO. I I
wanted him to be, but he waspretty clear he didn't want to
be. And so we brought in anotherCFO, and that was fine. But I,
you know, I think we had adifficult decision to make. You
know?
Do we, you know, do we do thatin the interest of our team and

(56:30):
our our, you know, our ourshareholders as well as our our
investors and and expand thiskind of journey with on with
with Cisco's platform, or do wejust keep going? You know? Why
why get off the train now? Andat the end of the day, you know,
I think, you know, Cisco had aconvincing argument that, in
fact, you know, a lot of whatthe business could be on as part

(56:52):
of kinda Cisco's broadersecurity business, I think But
when we joined, it was, a 2 anda billion article of the
security business. By the timewe exited, was, like,
5,000,000,000.
Right? By the time I left,right, I missed 5,000,000,000.
And Duo was the fastest part ofthat. Right? Fast growing
business within Cisco for manyyears.
But, you know, these these arehard decisions that come down to

(57:15):
really sort of what whatfounders want to do. And, you
know, I'm I'd be full credit tomy board. I mean, they didn't
beat me up too bad about itbecause, you know, by and large,
they were like, why are youselling now? My son fucking oh,
this is crazy. Like, we haveand, you know, it's hard not to
sort of look back at what couldhave been.

(57:35):
I try not to. Life is too shortfor regrets anyway. I don't
really have any necessarilyabout about this, but it is you
know, by the math of it, youknow, kinda what what the
business is doing today is we'relike, yeah. Well, you know, that
was a interesting decision. But,again, I think we we we did
expand kind of that to what was,you know, from the 50,000, you
know, customers we had cominginto Cisco, but Cisco having

(57:57):
many hundreds of thousands ofmore customers, right, that we
go after, you know, meantsomething meaningful, and
especially in ways that, youknow, we were we we're still yet
to build out.
We had done quite a bit ofenterprise. You know, it's half
of our business, but, obviously,Cisco had a ton of of really
large enterprise customers andand relationships, and and I
also had a very global business,right, where our our entire rest

(58:19):
of world business was, you know,pretty small, right, like, 15%
of what Duo was doing by thetime we came in. And so, anyway,
in any respects, it it madesense, right, for the continued
scale and growth and, you know,trajectory of of Ooduo as a as a
business and company. But,again, these are these are hard.
And and any founder tells youotherwise, you know, either the
company is doing not doing wellor there's some other similar

(58:40):
circumstances, but these arehard decisions, right, to have
your baby, you know, sort ofbought into another family.
And when I left, you know, Ileft, yeah, well, after Jono. I
think Jono I left kinda twoyears after Jono did. I felt
basically a centralresponsibility for, like, eight
thousand people, right, that Icame into the orbit of in the
leadership of in in globalsecurity business Cisco versus

(59:01):
the 800 people I brought intoit. But we made tremendous
impact, you know, and not justin terms of our business, but in
terms of, you know, Cisco's. Andso, you know, that for that, I'm
I'm proud, and and hopefullyhopefully, you know, g two came
later.
Felt and saw this. I mean,contribution. Because, you know,
we there there were sort of aSAS cabal we had within Cisco to

(59:21):
kinda help build all this andkinda really, you know, help
take the business next level.And and, again, it it did scale.
Like, it it, like, doubled theglobal security business, right,
in the time that we were there.
So, anyway so, you know, I don'tlike I said, life is too short
for grits. I don't necessarilyhave any about kinda exiting the
business, but you always wonder.Founders will always wonder
about, like, what what elsecould have been? What would the

(59:42):
other paths look like?

You know, I remember doing a conversation
with you, Mahendra, Chenxi in2021 on the CyberSeed community.
I remember this exact samequestion, and this was when you
were at home sitting at yourdesk, and you actually pulled
out the draft of the SWAT.

Dug Song (59:58):
Right.

You said, you know, I think about this. I think
about this more than you think.It's

Dug Song (01:00:04):
just Yeah. Yeah. Well, I I should probably not keep it
by my desk. That's. I

Sid Trivedi (01:00:10):
was gonna ask you if you still keep it. So
clearly, you do.

Dug Song (01:00:13):
No. No. It's at that's at home. I you know? Now now we
have another office here now.
And then now we've been focusingon other things. We built a
family office, built afoundation. We're kinda funding
a lot of other people'scompanies. You know, I'm
actually I'm actually not doingas much security investing as
you might expect, you know,although I did just make another
security investment yesterday.But, you know, I am I'm
investing basically in almosteverything else these days, like

(01:00:34):
from mushrooms to space, And Ihaven't had lot of fun doing
that, particularly in Michiganwhere there's a lot of
interesting founders andcompanies tackling global
problems, but in ways that arevery specific to to what's here.
So

Well, let's get into the final section and just,
you know, broader lessons forfounders. And, you know, one of
your leadership mantras has beento build a learning
organization. Could you talk alittle bit about what this
learning oriented culture is andwhy it matters for founders?

Dug Song (01:01:02):
Yeah. Well, you know, I'll just say I think this was
just an artifact of us being inAnn Arbor. Right? We talked
about sort of the the culture ofof ideas, but but, really, you
know, what's Ann Arbor about,actually? The team the team the
team, right, the winningestfootball program in history and
national champions as of alittle bit ago.
Frankly, a different kind ofdisruption, which I think is it

(01:01:28):
really comes from sort oflearning and doing. So, you
know, I I think, you know,teamwork is important, but the
ability to actually improve andlearn together is actually the
most important, right, as as forany team. Right? And and so, you
know, like I told my my folks,right, just make sure we keep

(01:01:50):
ourselves sort of at leastMidwest humble. We weren't
smarter or we didn't work anyharder, and we weren't any
better looking or anything likeany of our competitors.
The the one thing we did betterthan any of our competitors was
to find new routes of success,right, that that we could own.
Because, know, just just andjust like a college football
team, like, we were to steal,like, Ohio State's playbook,

(01:02:11):
there's some people that mightargue that we did, but, you
know, in some other ways. But usrunning their plays, why would
we more successful than theywere? Right? They they they
figured out how to do this.
They they own that playbook. Weneed to build our own. And so in
every part of the business, notjust in tech or a product, but
in sales and marketing and CS,we worked really hard to
innovate. Right? Do things thatother companies weren't.

(01:02:34):
In fact, when I hired my entirego to market team for Duo, we
were pattern matching forsomething that we hadn't seen
anywhere, which was highvelocity, high volume inbound
inside sales in a way that I'donly seen anything similar at at
Barracuda. Right? But this waseven smaller ASPs and even
higher velocity deals. And whenI looked around, it was my my

(01:02:55):
early board. I was like, well,who else's business is like
this?
And we're like, wait a second.Zendesk. Like, Zendesk was the
comp, and that's why I hired allthese Zendesk people. Went after
I went after their, you know,head of North American sales or
head of the marketing, and, youknow, I even pulled in an
adviser who then became later myCOO, who was also from Zendesk

(01:03:15):
and worked with these folks.But, basically, you know, that
was the the commercial enginefor the business because we had
built Duo's go to market sodifferently.
And that only came as a resultof, again, us trying things very
different. Like, you know, we westarted the business with $5 a
day AdWords, testing a bunch ofthings, seeing what what people
were interested in, trying tofigure out if, again, there was

(01:03:35):
a different signal in the marketfor security or people needing
it than what was traditional,which was, like, you know,
through resellers and VARs and,you know, the folks who were
also consulting, right, to theirto their clientele on security
strategy. So for many of ourcustomers, they they had nothing
like that. They they weren'tengaging security VARs or
anything like this. And so so wetested our way to a bunch of

(01:03:56):
that kind of stuff and foundthat, again, it worked.
And so over and over again, theonly thing we did better than
our competitors was we learnedtogether new routes to success
that our competitors never foundor never took seriously. And and
so the practical advice I'd havefor founders in in thinking
about how to do this is, well,one, you know, hiring in a sort

(01:04:20):
of college town, you know, whereyou have a large research
university where you have a lotof bright eyed, bushy tailed,
you know, talent looking to toget into new things. Because,
you know, the the majority of mymy work for us to do, I'd never
worked in tech. Right? Like,there's not a lot of that here
in Michigan.
And so so I need to augmentwhere needed, right, with a
couple leaders here and there,right, from the Valley or or

(01:04:42):
elsewhere. But but, again, themajority of my team had never
worked tech or certainly had notworked in security. But we we
did have the security peoplewhere we needed them, and we
had, like, a deep bench ofhackers like myself and Jono in
Duo Labs and a bunch of ourproduct side. But, like and we
had just as many that weren't.And I think that was a huge part
of our success because we had avery diverse team and diverse in

(01:05:04):
in all the ways.
You know? 40% actually of Duowas was women and
underrepresented minority, whichis actually very different than
cybersecurity, which I think is11% typically. But we also hire
people from all kinds ofbackgrounds that had no
engineering background,whatever. You know? Again, like,
a lot of my best hackers I everworked with never had, like, a
college degree or, you know,whatever sometimes.

(01:05:24):
And so so we could solveproblems sort of from vantage
point perspectives. And thelargest part of, again, what we
needed to be successful in doingso was building the kind of
culture where that diversity ofopinions or perspectives and
ideas would lead to creativity,not conflict. You know? But I
took to heart seriously whatwhat Steve Jobs once said about
creativity, which is that it'snot about having some idea no

(01:05:46):
one's ever had before. It'sabout combining and smashing
together ideas from differentdomains, right, to lead to some
different result.
And I believe that. I've seenthat deeply. I mean, that's,
again, a lot of what kept mehere Ann Arbor. So many
different interesting ideas.Like, when we were building
Arbor Networks even, you know,that second company, there were

(01:06:07):
folks I hired from epidemiology,right, who were helping us
build, like, interesting viralmodels of self propagating worm,
right, infection, right, withinenterprise networks.
We never had would have had anyidea about how to do that and
then how to defend against thatand build, like, these sort of
cell containment sort ofalgorithms if had we not sort of

(01:06:28):
had access to people who hadthese crazy other sort of ideas,
or crazy it was, but, you know,very well trod and very
watershed right in in otherfields. And so so the one is, I
think, start by having as asmany different kinds of ideas
and people as you can. We wepractically on our website, we
had one question and for in allof interviews, right, that we

(01:06:49):
started with, which is whatmakes you unique? Right? What
what makes you unique?
Because I don't need 10 peoplewith the same background in any
meeting. Right? I need if theyall have the same ideas and same
opinions, the same background, Ineed one of them, not 10 of
them. Right? And so I I I needto understand, like, for any
person we'd hire, especially inan early team, what do you think

(01:07:11):
you is special that you canbring to us that we don't
already have?
Right? How does that augmentkind of our capability set,
right, and then what we think wecan do? And what do you know
that we don't? What have youdone that we haven't? All this
kind of thing.
And so, you know, that wasreally important to us, and it
it led to so many moreinteresting conversations about
then how do we tackle this. Andand, again but it just led to

(01:07:32):
more challenges in terms of howwe'd have to manage, but that's
why I took management soseriously. So for early
founders, like, let's say, youknow, in building a learning
organization where you'rebringing in a diversity, right,
of talent in this way, you haveto get good at management. You
have to really focus on, again,how do you elicit the best out
of those kind of diverse teams?And, again, you know, you see

(01:07:55):
elements of this in a lot ofother even big companies.
Right? Like, I think Bezos hassome really interesting lessons,
right, to learn from fromAmazon. Though only later, if he
wrote some books or, like,someone wrote books about what
he'd he'd done, we realized, oh,wait. That's just like us.
Right?
Like, disagree and commit. And Isay that all the time. Is he
like, not disagree and commit? Isay, well, you know, I I don't
agree with that, but we're gonnawe're all going to say you know,

(01:08:16):
we're all gonna make sure thatit happens. Right?
And I'll make some support thatidea. And the only reason we did
that is because we had acommitment to learning together
and practically had rituals andoperations to support that. You
know? Blameless retrospectives,right, where we'd figure out
what was right and not who wasright. We had an unlimited book
budget.
Right? Anyone who wanted to buybooks and get smarter, well, why
would we stop them? Know? Buythose books. When you're with

(01:08:39):
them, put them on the shelf inthe library and tell us what you
learned.
Right? Share share it withothers so we can all sort of
benefit. We had rituals likeappreciations, which, you know,
ended or started or ended everymeeting in the company,
including all all hands meetingseven. Three to five minutes of
people thanking each otherpublicly for the things that
they'd seen others on the teamdo that made the team
successful. But that's how welearn because, you know, we

(01:09:00):
spend all our time as leaderstrying to impart kind of our
ideas and wisdom or whatever,not wisdom, but, like, opinions,
right, to to our teams at large.
But how do how do leaders everhear about what's important,
right, or what's working? Andso, you know, we had these sort
of cultural rituals, likeappreciations, where also they
need the fact that, you know,positive feedback is so much
more important than negative.But, again, in in all hands

(01:09:21):
meetings, you have someone call,hey. You know, babe, you know,
thanks, you know, Zoe, foruploading those leads within
twenty four hours from RSA. Wehad this, you know, this many
sort of SAOs or opportunitiescreated out of that.
But, anyway, anytime anyone didanything good, it was publicly
called out in this way so thatothers could follow. And that's
how we elevated and standardizedexcellence across our

(01:09:44):
organization. It was not byaccident. We built a culture of
it and a culture that I didn'thave to go and sort of be
everywhere to sort of drive.Everyone, right, was sort of and
in, you know, in some otherways, like, anytime we promote
people, we we anyway, long storyshort, we had all kinds of
system by which, again, we wesupported an organizational
learning in the business, andthat came from taking kind of

(01:10:06):
our job as managers seriouslythat, again, just like as, you
know, engineers, you're you'rebuilding systems, right, of of
code and all that kind of thing.
But as as managers and leaders,you're building systems of of
people and and work, and and sowe spent a lot of time really
focusing on how to do thateffectively, hiring, you know,
folks from the university whoalso done, you know,

(01:10:28):
instructional or, you know,curriculum design and does a
whole l and d, learning anddevelopment sort of organization
within Duo. We had, you know,training budgets for folks. We
also had, again, a lot ofinternal conferences and ways in
which we shared kind of our bestpractices with each other.
Anyway, so there's a lot to it,but that's these days with

(01:10:48):
founders, that's what I spend alot of my time doing, just
making sure that other foundershave more in their toolbox to
kind of achieve success from thelessons we learned in in trying
to kinda build this stuff. But,you know, none of it's
proprietary.
Don't and, also, none of it hasto be done this way. I just
think that there this probablyis it's the

Mahendra Ramsinghani (01:11:04):
most fun way to do it, right, where
everyone grows together andeveryone can kinda claim success
as a team. Thank you, Dug. Asyou talk about spending more
time with founders and you takethis unique example of what Duo
did in its culture, onefundamental question that comes
up in this day and age is aboutcapital efficiency or capital

(01:11:27):
allocation, if you will. Youknow, we live in a day and age
where seed rounds used to be$5.10, 15,000,000. Now, gosh,
seed rounds have exceeded mean,the numbers are staggering.
You know? You're approaching500,000,000, billion dollar seed
round.

Dug Song (01:11:41):
My a round was 5,000,000. My seed round was
1,000,000, and I had no preseed.

So so I think this will be a great
analogy. Walk us through yourcapital raising journey, but
also share some advice with ouraudience, with our founders on
how you manage every dollar soeffectively, and what can
founders do when they thinkabout money and not boast about

(01:12:06):
valuations as opposed tocreating value?

Dug Song (01:12:08):
Yeah. Well, part of this is also just maybe the
culture difference or theMidwest where because tech isn't
sexy here, you know, like,people look at you as a tech out
of there, what do you do? Iguess, what is that? You know,
it sort of kinda weeds out a lotof I wanna say the I wanna say
wantrepreneurs. I mean, that'sthat's kind of mean.
But but I mean to say thatpeople don't care about those
vanity metrics that are soimportant to people in the

(01:12:30):
Valley. Like, I remember whenwhen we kinda did this round
that, you know, we becameunicorn. The time, there's only,
like, a hundred unicorns. Right?Is no.
Back back then, I was a bitembarrassed about it. I didn't
really wanna talk about it. Youknow? I was like, you know, I
was like, I don't so my teammember's like, oh, we're joining
the unicorn club. I was like,please don't say that again.
Like, this you know what? It'snot none of that matters. Like,

(01:12:54):
you know, like, do you see thisthis the new account we just
closed? And, hey. Did we justdeploy you know?
Like, we did you see we stoppedthe the Russians again at this
You know, we had all kinds ofother things to be proud of that
were really about kind of ourcustomers, right, and our our
our you know, making themsuccessful, not not a not about
us. But part of that is thiskind of this this look in in

(01:13:14):
Michigan of of of of of, again,always looking outward. Right?
Because, you know, Michigan hasbeen the, you know, history of
building industries throughexport in this way. And so
whereas, again, I think in insome ways in the valley or
places like New York City, youknow, you you can sort of be
caught up in these echochambers, right, of of companies
buying.
Like, would startups buy fromstartups and all I'm like, oh my

(01:13:36):
god. This is, turtles all theway down. And so for us, you
know, we were always focused onthose kind of results. And, you
know, even in the early setup,we had monitors in in our
offices with every deal. Like,we built, you know, kind of
these software dashboards forour business that when we closed
deals, we'd see them pop up,and, you know, we all celebrate
bang the gong, all this kind ofthing.

(01:13:57):
You know, it was all that kindof stuff. And so for me, like, I
know that historically in thesecurity industry, there's been
sort of this weird culturaldivide, right, between sort of
the product and tech folks andthen sometimes the go to market
teams and all that kind ofstuff. I lived that, right, at
these other companies, and Ididn't want that for Duo. I just
thought, look. You know, we'rewe're building an integrated

(01:14:17):
sort of go to market where theproduct is the marketing.
When you kick the tires, trybefore you buy. You know, in
SaaS, you know, you have to beproduct led because, you know,
there's nothing to install orremove. You know, it's product
is the demo, is the marketing.And so we worked to create a
focus on the customer from thestart. You know, every engineer

(01:14:37):
I mean, it's kinda weird to say,but, like, every engineer at
Duo, through my tenure anyway,had been part of a customer
conversation directly at somepoint in their career.
And and, yeah, they could evensign up on internally for sales
calls, right, where, you know,our reps are talking to the
customer because they need tohear that. Even if they wasn't
even if weren't gonna sayanything, they need to
internalize that point of view.Like, what is the customer

(01:14:59):
actually dealing with? Why didthey come to us? What's the
positive business outcomethey're looking for, right, in
in looking for our solution?
And it's created, like, acompletely different empathy.
And, like, at our all handsmeetings, we'd have a customer
there, you know, talking aboutkind of all this stuff because,
you know, that that's why wehave a business, right, at all.
And and so, anyway, we've spenta lot of time kind of focusing

(01:15:21):
on on that that kind oforientation. And as a result of
that, it leads to a fluency withthe operations of the business
when when people, you know, canempathize. They commiserate.
Like, oh, yeah. That part of ourcustomer journey really does
suck. Like, I need to fix that.Right? Look.
And people care differently,right, when they sort of are

(01:15:42):
have that sort of exposure andthen point of view. The other
thing we also did, you know,just pro tip for founders out
there, we we we used to do aboard report every six weeks. I
had a very board meeting or veryboard calls. So we quarter
quarterly board meetings, makequarter board calls, right,
checking in on progress, quarterwith the board to see if there's
anything they could do to help.Ahead of each each one of them,
I had a board report where as aGoogle document, I'd have each

(01:16:06):
of my department heads writethree to five paragraphs of the
plans, progress, and problems intheir business, sales,
marketing, customer success,product, technology, or, you
know, engineering, whatever.
And I'll write the preamble,which is the story of the
business, and I'd share it withthe board. And they comment on
it right before the boardmeetings, and we focus our board
discussion on the two of thetopics of strategic concern.

(01:16:26):
Right? I wouldn't just sit therereading the slides to them, and,
you know, I'm not doing weatherreporting. I'm I'm here to
actually have us have aconversation about what we need
to do with the the company.
And after a board meeting, we'dsanitize it. I would share it
with the entire company. And soevery year, we had eight of
those reports, right, on Octavebasis, right, every six weeks.
The first of those every yearwas our strategic plan. You

(01:16:48):
stapled that together, and it'sthe book of duo.
Every major decision, everymajor success, every major
failure, every learning we everhad. And when I hired new
people, not just executives, buteven you know, we do hiring
classes of, like, 30 people at atime. I I I used to do all the
onboarding classes with withsome of my team. We have them go
and look at that. Read the lastfour, five, six board reports.

(01:17:11):
You know? You will knoweverything that we've done. And
it was amazing. They have these,you know, even fairly fresh
college graduates come out ofsort of a first week at Duo
where they've committed code,and they've also read kind of a
year's worth of, you know, theevery major business we made and
all the numbers and everything,and they're like, I know kung fu
now. Right?
It's just like they've he's,like, ready to go. And and so it

(01:17:32):
was that kind of you know,actually, you mentioned
Zingerman's earlier in the call,Mandara, but Zingerman's was a
little bit of inspiration forsome of this because, know, even
as, like, a small well,70,000,000 a year, a Jewish
Jewish deli verticallyintegrated with all their these
different businesses, they didopen book finance. Right? They
they shared all their theirtheir numbers, operations with
their entire team so peoplecould actually have empathy for

(01:17:53):
what they would have to do andand, again, come up with their
own solutions, right, to how toimprove the business and the
margins, all this kind of stuff.That's what we did as well.
It just and it scaled reallywell. So, again, it led to
outsized performance for usevery year. Every year, you
know, most of the years, wedoubled the team and we tripled
revenue. And so, yeah, you know,it was it was a way to align all

(01:18:15):
of our team to the realities,operating realities of the
business and and and and reallysee how to contribute because
they they could then createtheir own commitments, right, in
planning and toward what we'dhave to do to to actually move
the numbers, move the needle onthese numbers, and and really
help build something unique.

Dug, we're getting to the end of our conversation.
You've been fantastic throughoutit all. One last question for
you. Since your success withDuo, you talked a little bit
about, you know, all the thingsyou've done post Cisco. But one
of those is you and your wifehave spent your wife, Lynn, have
spent quite a bit of timethinking about how to give back

(01:18:53):
to the community and how toreshape philanthropy through
impact.
Maybe just share with ourlisteners just one example of an
initiative that you'veundertaken with your wife and
and why you've done that. Yeah.

Dug Song (01:19:06):
Well, we we started a foundation to give where we
live, and the kind of scope ofour giving tends to be know,
Southeast Michigan, althoughwe've done some in Baltimore
where I'm from as well. But inboth cases, you know, we're
we're doing this to createcommunity wealth, you know, to
be good neighbors, to help buildthe community that we wanna be
part of. And by communitywealth, I don't mean just
economic wealth, but, you know,social, cultural, environmental.

(01:19:29):
Right? And so we think aboutsort of what it means to sort of
build what refer to, you know,MLK on this.
Right? But Martin Luther Kingtalked about the beloved
community. Right? One free of,you know, hunger and hate. And I
personally think that the toolsthat we can kind of apply and

(01:19:51):
bring to serve our community inthis way are the lessons that
we've learned in many cases fromfrom entrepreneurship.
Right? How to be successfuldoing these kind of things in
ways that create much moreshared prosperity and and and
and wealth. And so so a lot ofwhat we do these days is
focusing on ecosystem building,making sure that many more
people have the opportunity todo what we've done in terms of

(01:20:12):
building a a a successfultechnology driven business. And
an example of things that wefunded that's kind of caught
caught fire in Detroit, which isa super majority black city.
It's the blackest city in thecountry.
Nearly 80% African American iscalled Black Tech Saturdays, and
it's it's a movement, basically,that we've helped to fund and

(01:20:32):
support in well, you have 12,000members, you know, coming
together to to build again a aculture of tech innovation that
is welcoming and inclusive,right, of of people across all
the experiences that that peoplehave lived, right, in a city
like Detroit. And so so thoseare things that we're really

(01:20:54):
excited about, and there's somegreat companies we invested in
out of all that. You know, it'swe're trying to create sort of
the virtuous cycle, right, offounders reinvesting kind of
their not just their capital,but their expertise, right, into
their ecosystems in this way.And so so, yeah, though Duo was
the first unicorn, firstmultibillion dollar tech venture
backed exit in Michigan, therehave now been nine more. And

(01:21:15):
we've, you know, thankfully beenable to invest, you know, in
some of that along the way, andand I think we can help drive a
whole lot more than success in aplace like Michigan that really
needs it.
You know? We you know, Detroit'snot completely out of the woods,
but it is a beautiful andamazing and emerging ecosystem,
particularly in tech and startup land. And I encourage any of
you. Right? You were looking foramazing deals with founders who

(01:21:38):
are built differently, you know,know, because you gotta be
pretty resilient, right, tokinda build tech in a place like
Detroit and resourceful andscrappy.
And and, again, like, it's everyplace about something. Detroit
is about resilience. It's aboutgrit. You know, these are folks
who, again, who, again, has justbeen through hell and Mac.
Right?
The first city in the country tohave gone bankrupt and all. But,

(01:21:59):
man, if you're looking for,like, resourceful founders,
Detroit is full of them, andwe're proud to be backing a lot
of these folks. And so, anyways,investors, if you ever wanna
look at at this stuff, let meknow. We we're syndicating all
kinds of deals. We we write alot of first checks to a lot of
founders, and you'd be surprisedthe scale and ambition of a
bunch of these companies thatare just like like, I just had
one launch yesterday calledElectric Plant Company, Electric

(01:22:22):
Plant dot co, and they're doingplanetary scale.
They're kinda building forplants. And number one, that's,
like, a bit of mind bender,like, talking to plants and
hearing what they're saying. Butsecond is, like, the scale of
what they're doing, which is,like, planetary scale. It's
kinda amazing. We've got we'vegot very ambitious founders
building very practicalbusinesses from the start,
global ambitions, but actinglocally, and and so that's what

(01:22:43):
we're supporting.
And if anyone wants everyone tojoin us on that, let

me know. You know, we're happy to happy
to partner with folks. Dug, aswe wrap up, I wanna take this
opportunity to thank you onbehalf of all the founders in
our community, obviously, onbehalf of my cohosts, Ross and
Sid. And I was trying to thinkthat what are the best way that
your image can be presented toour audience? So in my head, I

(01:23:08):
have one side of you, Dug, whichis the skateboarding, Dug, that
I that that image is seared inmy head with a laser.
Mhmm. Okay. Right outside ZingerMin. Now when I look at you, and
for the benefit of audience whomay not have the pleasure of
seeing you on camera, I see theshade of, like, a Dalai Lama
like look that has come on yourface. I mean, I was walking the
document to you about the DalaiLama literally last night, and I

(01:23:30):
said, like, Dug's side profileis actually like the Dalai Lama.
Okay. So if I draw this Venndiagram of a skateboarding Dalai
Lama who's trusted in security,that is Dug's song for all of
us. That's the song that you seethat I feel like you're gonna
leave behind. So thank you, Dug,for all the good work and
amazing culture that you builtat Duo. We have never heard such

(01:23:52):
a story of not justthoughtfulness, but creativity,
rituals, and above all, careabout the customer.
I think that is one thing thatour industry really needs to
build upon, and so thank you forblazing a path into this future.

Dug Song (01:24:08):
Well, thank you, Mahendra. Thank you, Sid, and
Ross. I I guess, know, I'll justleave with this. You know, I I
don't know about Dalai Lama, butI will say, you know, my my
father was a Buddhist monk backin the day, and, you know, I
always left an impression on me,you know, this kind of story and
history of of the Buddha andalso, you know, sort of the Vow.

(01:24:28):
Right?
Sort of if you've figuredsomething out, you need to bring
people with you. Sure. Right? Inthat enlightenment, if you will,
and everything else. So I alwayshappen to help, and that's one
of the things I love about thestartup and tech community is
that sort of built on thatethos, right, of kinda giving
back or maybe even giving first,right, as the tech stars people
like to say.
So, yeah, proud to help. Andand, again, like I say, if if if

(01:24:50):
any founders ever benefit orlearn anything from me, my only
ask is that they do so forothers as well. They pay for it.

Thank you for joining us inside the network.

Ross Haleliuk (01:25:01):
If you like this episode, please leave us a
review and share it with others.If you really, really liked it
and you have some feedback forus, wrap it on a bottle of
Yamazaki and send it to mefirst.

No. Don't do that. Mahindra gets too many gifts
already. Please reach out byemail or LinkedIn.

All Episodes

Episode Transcript

Popular Podcasts

Dateline NBC

24/7 News: The Latest

Therapy Gecko

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Dug Song: Values over valuation—reflections on building Duo Security and leading with purpose

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Dateline NBC

24/7 News: The Latest

Therapy Gecko

All Episodes

Dug Song: Values over valuation—reflections on building Duo Security and leading with purpose

Dateline NBC