Category: People at work

The ‘Inside the Network’ podcast recently (April 6 2025) interviewed Dug Song. https://insidethenetwork.co/episodes/dug-song-values-over-valuation-reflections-on-building-duo-security-and-leading-with-purpose/transcript 

 The transcript is rather poor quality, so here’s a selected summary. 

Dug is best known as the cofounder and former CEO of Duo Security, a company that transformed the way organizations approach security by making it simple, effective, and accessible. Under Dug’s leadership, Duo grew from a small startup in Ann Arbor, Michigan to have over 50,000 customers. The company was acquired by Cisco Systems in eight years for $2.35b. 

Background

Dug grew up as a Korean immigrant, working for his father at two liquor stores, the first in West Baltimore, the second later  in Jessup, Maryland.

Dug Song: 04:33

Many folks later in my career helped me with, you know, access to opportunity and so forth. But in my dad’s store, I saw a lot of people who had basically none. And  my dad had hired some homeless teens who lived in the motel next door. He also hired a returned citizen from the penitentiary who lived in an abandoned milk truck in our parking lot. And so  I saw pretty early how business could actually be a positive force for good in creating kind of opportunity for folks.

At the University of Michigan he was part of the hacker collective w00w00 .. “ everyone had really big ideas. You know, we were all just working on projects that ultimately just scratched our own niches, but turns out there are many, many more people that had similar issues or concerns that led to kind of big opportunities from these things that we created.There was there was a just a a basic belief in our ability to use technology to solve these kind of interesting problems, and, a very supportive culture ethos of us all learning together how to do that.”

Israel is a classic example,  where you have all these young people in Unit 8200, they’re given budget, and responsibility. They’re driven by mission.

Dug Song: 13:19

They’re given all the resources. They have a bunch of training and a short amount of time, which is to go and accomplish some pretty outsized goals, ton of responsibility, It sets a purpose. And so what do they do after a couple years and they no longer have to do that as part of the military? Well, they go into companies. That Israeli program is a natural breeding ground for the kind of entrepreneurial mindset and problem solving and hacker ethos, that leads to all these projects which is why we’ve seen so much success out of that market.

South Asian advice on how to be successful 

Dug Song: 19:37

And so Jack Ma’s rubric on this is quite different from ‘drop out and start a company’. He says, in your teens, learn to learn. Very Asian, stereotypically. In your twenties, follow a good leader, not a good company, because you always have the opportunity to go do a good company.

Dug Song: 19:51

Why park yourself at a Microsoft or a Google or whatever if, you know, you can go and if you want to be an entrepreneur, go follow a good entrepreneur. See how they move. See how they execute with all the resources needed.

Dug Song: 20:05

See how they recruit people into that program, assembling  a team and showing what that kind of entrepreneurial leadership and the risk taking and decision making look like. And it’s not even really risk taking. It’s about how you abate risk, right, which is what those folks do really remarkably. And then in your thirties, figure out what you’re good at. 

Arbor Networks 

We built that company to create kind of a whole new category of infrastructure security for the global carriers, at a time where, a single teenage attacker like Mafia Boy in Canada could command thousands of machines to go point at a bank and hold them hostage, and nothing no one could do anything about it.

Dug Song: 24:54

We realized that there’s a fundamental issue in terms of security on the Internet that is still unsolved. And so we worked really hard to create these systems as global solutions from the jump, and were pretty successful in doing so. 

One of the things I learned  from an experience that was difficult for me at Arbor was how important culture and leadership really are. Because in a technology company, you have nothing else. You don’t have factories or machines or land,  all you have are people. And if you cannot lead those people well with integrity, with vision, with purpose, with care, with inspiration, you really can’t accomplish more together than you could apart.

Zattoo 

was live streaming peer to peer TV, very hard, difficult technical problem to solve. It struggled for other reasons. It’s doing fine now, but it turns out that, basically, you don’t need peer to peer. It doesn’t matter to have a theoretically perfect distribution of video over that is multicast,  where one person in one household gets the stream for the World Cup and shares with everyone else, on their subnet. Doesn’t matter.

Dug Song: 30:49

Unicast streams, polluting the backbone, all this stuff are just fine when it turns out it’s all a big game theoretic model anyway of eyeball providers dumping the ports to the content providers in settlement free agreements at the major Internet exchanges, and no one’s paying for anything. So, it turns out that’s just fine. And so there’s other ways that the world really works that meant that our approach wasn’t needed.

Dug Song: 31:15

But the lessons I learned other than technical were that you can build a business through word-of-mouth.  Zattoo is a company that spent almost nothing on marketing and did almost everything to engineer a viral acquisition model, where we did track the viral k coefficient of invites per user to any other user. We figured out how to drive engagement right on the platform. We figured out how to, again, scale these audiences, with offers and things that we could test in real time,, and not not have to take out a billboard ad and then see what happened the next month.

Ann Arbor 

here in Ann Arbor, with all these big thinkers, I sort of feel like I learned a lesson that the world is really resistant to change and progress.

Dug Song: 37:24

And so it’s like purpose and meaning and impact requires deep intention and actually sometimes subversion. And from hacking,  we’re pretty good at that. So I just feel like I’m in the right place. I feel like this is my home. This is my people.

Dug Song: 37:39

This is the community that I care about, and it’s the community that helped me build my company. And so, yeah, I feel like place matters, and my ambition is to be a good neighbor, be a contributing member of my community. And, also, it’s fun. It’s fun being a part of a place where you know people, see them kind of build alongside or with you for many years, and where you’re rooting for them just as much as they’re rooting for you.

Duo Security 

The idea for Duo came out of working at Barracuda Networks. Barracuda where I saw the opportunity for security to be to be much more mass market. I just thought that we could do without the channel and without the hardware, but I didn’t know how or what we would do. All I saw were there were companies that were being hacked that didn’t seem to have any options.

These customers were saying that the biggest problem we have is account takeover. I mean, they didn’t call it that at the time, but they had, people losing their passwords to phishing attacks and then taking over the infrastructure. So we figured that we had to go and solve that problem. I didn’t really want to go into two factor authentication until, in fact, when we looked at all this and we worked with a reseller that got us access to more of their customers  to do some customer discovery, do some customer reviews, and figure out what problems they were facing.  I realized that actually it’s much easier to just tailgate users in.

Dug Song: 47:13

To get access to systems and environments  than try to break through firewalls. 

We identified three massive defects in terms of how strong authentication was being done. One was it was not usable. The hardware key, it was the numbers that change every minute, and, you know, all this is just not really anything anyone wants to do. 

Dug Song: 47:56

So you basically just frustrate your users, not the attackers. The second was that, again, there’s a tremendous cost to actually deploying this stuff. Putting little tiny computers in the pockets of every employee. Having to not lose them or put them in the wash or whatever.

Dug Song: 48:10

It’s just not tenable. And, of course, integrating that right in the path of every login, right, that you have to protect is just really painful. And then the last is, you know, it just didn’t provide for many buyers, for many customers  the cost benefit, that they needed to protect themselves. They didn’t understand how this would actually really stop the problem as a measure or first or last resort. 

My point of view is that actually security engineering, design engineering are the same thing. It’s how do you make the right things happen by default? And so we just had a strong focus on how we make the strongest security the easiest for people to go deploy and use. It turns out, you know, we were at the right place at the right time with the rise of the cloud and the ability to deploy sort of services even to not software applications, but hardware sort of devices, via the cloud with a device already sitting in everyone’s pockets in the form of a cell phone, or smartphone,  with applications that we could deliver.

It’s kind of amazing how far we’ve actually come in security in some ways, security in the consumer product world. A hardware root of trust, a trusted execution environment, root attestation protocols, secure boot sequence. Increasingly, I think the future for security is more of that. Security that no one has to see, no one has to deal with because it’s just built in versus being bolted on.

Cisco acquisition

Dug Song: 56:26

We had a decision to make when Cisco came to us with a number that represented the largest multiple ever paid for a private software acquisition at the time. Do we do the acuisition in the interest of our team and our shareholders as well as our investors and and expand this kind of journey with Cisco’s platform, or do we just keep going?  Why get off the train now? And at the end of the day,, Cisco had a convincing argument that, in fact, you know, a lot of what the business could be as part of Cisco’s broader security business. When we joined, it was a $2 billion part of the security business. By the time we exited, it was $5b.

Dug Song: 58:47

I left  two years after Jono did. I felt basically a central responsibility for, eight thousand people, that I came into the orbit of in the leadership of inCisco’s global security business versus the 800 people I brought into it. But we made tremendous impact, you know, and not just in terms of our business, but in terms of Cisco’s. And so for that, I’m proud. 

What we learned

Over and over again, the only thing we did better than our competitors was we learned together new routes to success that our competitors never found or never took seriously. And and so the practical advice I’d have for founders in in thinking about how to do this is, one, hiring in a  college town, where you have a large research university where you have a lot of bright eyed, bushy tailed, talent looking to to get into new things. Because, you know, the majority of the people wo work for had never worked in tech. There’s not a lot of that here in Michigan.

Dug Song: 01:04:36

And so I need to augment where needed,  with a couple leaders here and there, from the Valley or  elsewhere. But, again, the majority of my team had never worked tech or certainly had not worked in security. But we did have the security people where we needed them, and we had, a deep bench of hackers like myself and Jono in Duo Labs and a bunch of our product side. But we had just as many that weren’t. And I think that was a huge part of our success because we had a very diverse team and diverse in all the ways.

Dug Song: 01:05:05

40% actually of Duo was women and an underrepresented minority, which is actually very different than cybersecurity, which I think is 11% typically. But we also hired people from all kinds of backgrounds that had no engineering background.  Again, a lot of my best hackers I ever worked with never had, la college degree.

Dug Song: 01:05:24

So we could solve problems sort of from the vantage point of having different perspectives. And the largest part of what we needed to be successful in doing so was building the kind of culture where that diversity of opinions or perspectives and ideas would lead to creativity, not conflict. I took to heart what Steve Jobs once said about creativity, which is that it’s not about having some idea no one’s ever had before. It’s about combining and smashing together ideas from different domains, to lead to some different result. I don’t need 10 people with the same background in any meeting.  If they all have the same ideas and same opinions, the same background, I need one of them, not 10 of them. So I need to understand, for any person we’d hire, especially in an early team, what do you think is special that you can bring to us that we don’t already have?

These days with founders, that’s what I spend a lot of my time doing, making sure that other founders have more in their toolbox to achieve success from the lessons we learned in trying to build this stuff. But, you know, none of it’s proprietary.

Company culture and information sharing

Pro tip for founders out there, we used to do a board report every six weeks. I had a  board meeting or  board calls. So we had quarterly board meetings, made quarterly board calls,  checking in on progress, each quarter with the board to see if there’s anything they could do to help. Ahead of each one of them, I had a board report as a Google document. I’d have each of my department heads write three to five paragraphs of the plans, progress, and problems in their business, sales, marketing, customer success, product, technology, or engineering.

Dug Song: 01:16:16

And I’d write the preamble, which is the story of the business, and I’d share it with the board. And they comment on it right before the board meetings, and we focus our board discussion on the two of the topics of strategic concern.  I wouldn’t just sit there reading the slides to them,  I’m not doing weather reporting. I’m here to actually have a conversation about what we need to do with the company.

Dug Song: 01:16:34

And after a board meeting, we’d sanitize it. I would share it with the entire company. And so every year, we had eight of those reports, on Octave basis, every six weeks. The first of those every year was our strategic plan. You stapled that together, and it’s the book of Duo.

Dug Song: 01:16:51

Every major decision, every major success, every major failure, every learning we ever had. And when I hired new people, not just executives,  we do hiring classes of 30 people at a time. I used to do all the onboarding classes with some of my team. We have them go and look at that. Read the last four, five, six board reports.

Zingerman’s deli was a little bit of inspiration for some of this because, even as a small, $70m a year, a  Jewish deli vertically integrated with all these different businesses, they did open book finance.  They shared all their numbers, operations with their entire team so people could actually have empathy for what they would have to do and, come up with their own solutions to how to improve the business and the margins, all this kind of stuff. That’s what we did as well.

Dug Song: 01:18:01

It scaled really well. It led to outsized performance for us every year. Every year, most of the years, we doubled the team and we tripled revenue. It was a way to align all of our team to the operating realities of the business and really see how to contribute because they they could then create their own commitments, in planning and toward what we’d have to do to to actually move the numbers, move the needle on these numbers, and really help build something unique.

Applying the tools we’ve learned to use to help our community

Dug Song: 01:19:56

How to be successful doing these things in ways that create much more shared prosperity and wealth. And so a lot of what we do these days is focusing on ecosystem building, making sure that many more people have the opportunity to do what we’ve done in terms of building a successful technology driven business. And an example of things that we funded that’s caught fire in Detroit, which is a super majority black city. It’s the blackest city in the country. Nearly 80% African American.

Dug Song: 01:20:24

It is called Black Tech Saturdays, and it’s a movement that we’ve helped to fund and support.  It  has 12,000 members, coming together to build a culture of tech innovation that is welcoming and inclusive, right, of people across all the experiences that people have lived,, in a city like Detroit. Those are things that we’re really excited about, and there’s some great companies we invested in out of all that. We’re trying to create the virtuous cycle, of founders reinvesting, not just their capital, but their expertise,  into their ecosystems in this way. And so, yeah, though Duo was the first unicorn, first multibillion dollar tech venture backed exit in Michigan, there have now been nine more. And we’ve, thankfully been able to invest, in some of that along the way, and I think we can help drive a whole lot more than success in a place like Michigan that really needs it.

Dug Song: 01:21:24

Detroit’s not completely out of the woods, but it is a beautiful and amazing and emerging ecosystem, particularly in tech and start up land. And I encourage any of you, who are looking for amazing deals with founders who are built differently,, because you gotta be pretty resilient, build tech in a place like Detroit, resourceful and scrappy.

Dug Song: 01:21:45

Every place is about something. Detroit is about resilience. It’s about grit. You know, these are folks who have just been through hell.

Dug Song: 01:21:56

The first city in the country to have gone bankrupt and all. But, man, if you’re looking for, like, resourceful founders, Detroit is full of them, and we’re proud to be backing a lot of these folks. And so, anyways, investors, if you ever wanna look at at this stuff, let me know. We’re syndicating all kinds of deals. We write a lot of first checks to a lot of founders, and you’d be surprised at the scale and ambition of a bunch of these companies. I just had one launch yesterday called Electric Plant Company,  and they’re doing planetary scale. They’re building for plants. And number one, it’s a bit of a mind bender,  talking to plants and hearing what they’re saying. But second is the scale of what they’re doing, which is planetary scale. It’s kinda amazing. We’ve got very ambitious founders building very practical businesses from the start, global ambitions, but acting locally, and so that’s what we’re supporting.

Pay it forward

Dug Song: 01:24:29

Sort of if you’ve figured something out, you need to bring people with you.  In that enlightenment, if you will, and everything else. So I am always happy to help, and that’s one of the things I love about the startup and tech community is that it’s built on that ethos, of  giving back or maybe even giving first,  as the Tech Stars people like to say.

Dug Song: 01:24:46

So, yeah, proud to help. And, again, like I say, if any founders ever benefit or learn anything from me, my only ask is that they do so for others as well. That pays for it.

I first came across Dug Song when he was at Arbor Networks and I was at Cisco; Cisco Systems was an investor in Arbor. Every so often the investment reviewers would ask “Should we acquire Arbor ?” They were a critical and independent force in detecting and responding to certain kinds of network attacks, and it wasn’t clear that function would continue if they were acquired.