The Decibel Podcast: Founders Helping Founders

Dug Song, Founder of Duo Security: Either You Win or You Learn

Episode Summary

Dug Song is the co-founder and CEO of Duo Security which was acquired by Cisco for $2.4 billion. On today’s episode, Jon Sakoda speaks with Dug Song about how he fell into a world famous hacking group made up of “angels and devils” and how he got hired by his college after hacking into their networks.

Episode Notes

  1. Understanding Your Customers Requires Deep Empathy [16:55-19:21] - Instead of giving your customers what they ask for, Dug believes you should give them something they never thought was possible. Listen to what they need, empathize with them so you can see their point-of-view, and then interpret it into the ever-coveted “wow moment”.
  2. Win or Learn - How to Build a Culture of Continuous Improvement [21:24-22:25] - It is inevitable that you have setbacks on the road to building a successful company. While failure can be a deterrent to many, Dug sees it as an important part of growth. The quality of a decision is not as important as the quality of the process to make a decision. Listen to learn more about why Dug believes you either win or you learn.
  3. Build A Team Of People You Actually Enjoy Working With [23:09-24:23] - Dug compares growing a company to nurturing a child and you should only share that responsibility with people you trust. Learn about what Dug calls “the grocery store test” and how it can be used to build a team of people you actually want next to you in this journey.

Follow Jon Sakoda https://twitter.com/jonsakoda

Follow Dug Song https://twitter.com/dugsong

Follow Decibel https://twitter.com/DecibelVC

Episode Transcription

DUG SONG: And if I do have a bit of advice, it's try to learn on someone else's dime. There's so much that can be learned by joining a startup first. By being part of it, you don't have to slam into the wall yourself.

JON SAKODA: Hey everybody. Welcome to the Decibel podcast. I am here with my good friend, Dug Song, the founder and CEO of Duo Security.

For those of you that don't know Duo, this was a company that enabled you to access applications safely and securely from your mobile phone. The company was acquired by Cisco for $2.4 billion just a couple of years ago. Dug has been a great friend to Decibel and has been one of our founder advisors and I'm so excited to welcome him to our show.

People always know you for the successful entrepreneur that you are today, and they don't always remember where you came from and what it was like in the very beginning. The founders that are out there right now, those that are starting companies, and other ones that are coming from underprivileged backgrounds – their back is up against the wall. So, I want to bring you back to those days because that's really the main point of the podcast.

DUG SONG: I’m living those days now. The secret is that nobody truly knows what they're doing. No matter what level you get to. Not if you're really trying.

JON SAKODA: It's so funny. I put this out on Twitter this morning because I end up having this conversation all the time. Especially for an early-stage founder, every single journey is the same. It's okay at first, then it's not okay, then it's okay again, then it's not okay, then it's okay again. And that could just be Tuesday, right? You got to wake up the next morning and find a way to get through the highs and lows and what seem like the valleys of death.

Someone did ask me, “Hey, does this ever get easier?” And I said, “Well, the problems change and what you begin to focus on becomes a new set of harder challenges.” But this process of uncertainty, of pushing yourself, challenging yourself, and going through this really demanding creative process of trying to build something or evolve yourself or an organization – that never really goes away.

DUG SONG: Yeah. I tell people… Particularly in the first three years of a company's lifetime, every day is going to be the best day or the worst day of your life. I’ve come to realize it's not just the first three years of a new company, it’s the first three years of any job. I guess anything that feels like growth means that you're doing something you haven't done before or you're stretching yourself in some way.

So, you just learn to live in constant sort of discomfort. Maybe anxiety? But it's always a stretch. That’s the definition, you know. You're trying to do things you've never done before. You’ve never accomplished before. Sometimes you have to do things you've never done before, or you have to learn along the way. And yeah, learning doesn't always feel good, as it turns out.

JON SAKODA: Let’s go back to the beginning because I love your story, man. So, if you don't mind, can we go back to the very beginning and talk about where you grew up? How you became a hacker? How you eventually found your way to Michigan? How you eventually decided to become a security researcher?

DUG SONG: I grew up on the east coast near the DC area. My parents were Korean immigrants, and, like most immigrant families, I was the product of child labor. My dad employed me for no money — no compensation — other than the roof over my head in his liquor store. Ultimately, we ended up having a liquor store in West Baltimore.

It was there that I actually learned how to use a computer because at eight years old, he was having me do some basic data entry. His was one of the first retail stores, I think, using a software package called Retail Mates for the IBM PC/XT to do inventory management and all this kind of stuff.

I kind of tracked along with him and ran his adoption technology for use in his business. He was something of a gearhead. We had like the first Betamax camcorder, we had the very first CD player, and every kitchen gadget you can imagine like food dehydrators.

JON SAKODA: We had the food dehydrator too. Did you have the pasta machine? I think we had the pasta machine.

DUG SONG: We had the bread machine, the bread maker. All kinds of stuff.

JON SAKODA: Did you have the ThighMaster, Dug? I think the ThighMaster was the bestseller.

DUG SONG: Yes, but that was my mom’s, not my dad’s. We always had technology around us in the house and in my dad's work. But it was really when we got a modem and connected to the world beyond our own that it opened up computing to me. And back in those days, computer intrusion wasn't really intrusion. It was a sort of exploration. There were no laws, literally, against that stuff.

But there were communities. There were BBSs, there were folks comparing notes in that era — in the 80s and the height of the Cold War. Also living where I lived… Later, we ended up moving to Columbia, Maryland, and like a third of my neighbors, all worked for the agency or the NSA. The kids of all these employees had all this kind of stuff on their mind like the geopolitics of all this stuff. So, there were some really interesting bulletin board names.

Anyway, the point being that that's how I got my start into computing. So, I never really— it was just sort of a thing to do. It was in college actually where I sort of got my first taste of the broader kind of internet and what was going on because I never had… a fully wired connection in my dorm room. Like that was crazy! I fell off the wagon in a big way. I had unfettered access to the internet at large, I never had to dial in or like, wait.

JON SAKODA: That’s right. That's right. And you were at Michigan, which is like one of the initial points of presence for the internet backbone, right?

DUG SONG: Yeah. The crazy thing is I had no intention to go to the Midwest. I grew up on the east coast. I applied to all these small liberal arts colleges in New England thinking I’d go study philosophy like my dad did but I had a friend who went before me in high school to Michigan and reported back that it’s an amazing place. And so I checked it out, virtually.

I realized that actually, wow, Michigan’s network looks like NASA’s Ames. They have one of every sort of commercial Unix. They have a supercomputing center with Crays. It was stunning to realize that this is all there for students, like legitimately. That they can learn on and access and so forth. That's actually the reason I went.

Anyway, long story short, it was in college where I sort of really ended up getting into security because I got into trouble. My dad died my freshman year and so, I wasn't all there and ended up causing some trouble on the university networks.

Anyway, I was pulled aside and ended up having to work for the University for four years on academic probation. I give full credit to a fellow who later I had the really amazing, good fortune of being able to not just work with but hire in turn. Paul Anderson was a DEF system administrator at the University of Michigan who took pity on me and said, “Look, let's not throw the book at this kid. Let’s have him come in and work for us and help keep other kids like him out of a fire.”

JON SAKODA: Now prior to this, you were a fairly well-known open-source contributor. Is that right?

DUG SONG: Yeah, that was shortly after college. I had joined a small computer security consulting firm where, you know, there were both sides of it — offensive and defensive — protecting and assessing banks, hospitals, casino owners in Vegas. That was some of the most interesting stuff we did. Very colorful world there!

Through all that work, I did end up writing a bunch of tooling to help in those engagements and quickly found my tribe. And it turns out, on the internet, you’re just a hop, skip, and jump away from anyone else you want or need to know.

I fell into a hacking group called w00w00, which was kind of the Switzerland of computer security. Like in any community, there are angels and devils, and the unique thing about w00w00 is that it had a little bit of both. We ended up with folks that both ended up founding some of the most iconic companies of our era, like Napster…

JON SAKODA: It is a really amazing group of people. I encourage everybody to go and Google it. I mean, you had the initial guys from Napster: Sean Parker and Shawn Fanning. You had Jan Koum who went on and founded WhatsApp. You also have some really great security researchers too.

DUG SONG: Yeah, yeah and we had people who went to jail too! It's a mix. Like I said, we had our angels, had our devils. Also, uniquely, it wasn't just an American crew or a European crew or Asian crew or whatever. It was sort of international — white hat, grey hat, black hat. The only rule you had for w00w00 was that someone had to vouch for you to come in and that… Well, that was pretty much it. They have to really vouch for you to come in and that you shared what you knew. Generally speaking, it was a pretty well-behaved group of folks.

JON SAKODA: I was going to say, back then… I know that now it is more mainstream since the internet has moved to these decentralized communities. But back then, it was still relatively small, this world that was finding each other on IRC, that was contributing to open source, that was contributing to, I guess, the gray area of entering computer systems or exploring computer systems on your own.

DUG SONG: In any group of people you pull together, there are going to be people who are going to do things that make a difference or have some sort of impact. Others, you know, maybe go a different direction. You never know at the time. It never matters. There was this Russian hacker who I knew. He was part of a crew called ADM, which itself was a French-founded group — Association De Malfaiteurs — who fundamentally believed that security was immoral. That security is a program of control. Why should institutions, organizations have control over individuals?

He had a really well thought out and surprisingly established philosophy about security from a moral perspective. And that actually really turned the wheels for me. I really thought about that and took him very seriously. Thinking about, “Yeah, the dude's living in Soviet Russia.” That guy knows what it means to see technologies used in systems of oppression. And it’s surprising to meet some of these folks who were brilliant Russian scientists or mathematicians who are now hacking because that's the only way they could feed their families or… I mean, all kinds of stuff.

JON SAKODA: Let's fast forward to the Duo story. As I recall, you started it in 2009, which was not a really inspired time to start a company, right? It was right in the middle of the financial crisis. Certainly, it probably wasn't the easiest time to raise a bunch of money and go do something? So, walk me through your thought process there.

DUG SONG: So, you know, it's funny. I grabbed Jon who was my intern at Ann Arbor, and I was like, “Jono, we need to build the Salesforce of security. It's possible now!”

JON SAKODA: Jono was Jon Oberheide, your co-founder at Duo, who, as I recall back then, was getting his Ph.D. in mobile security.

DUG SONG: Jono was doing all kinds of interesting mobile research in security. It was early days, right? I think the iPhone came out in what, 2008? And so, we started Duo technically end of 2009. I swore I was never going to get smartphones like, “No, that's a gimmick.” I was intent on keeping my Motorola…

JON SAKODA: You were early majority.

DUG SONG: But it turned out that the combination of those two is what really provided the formula for us to deploy our technology successfully in the hands of admins via the cloud and in the hands of users via mobile.

JON SAKODA: Well, before you get to that though… because remind me. This was not the first idea, right? You sort of decided you wanted to start a company with Jon.

DUG SONG: Yeah.

JON SAKODA: But you guys maybe didn't land initially on doing 2FA on mobile.

DUG SONG: Yeah. That's true. We ended up backing into that somewhat unwillingly, at least by my count. I was really almost ashamed of building a two-factor company. We would have been, I think, probably the 140th company, literally, doing two-factor authentication. It’s like a 30-year-old idea, right? Dating back to the ‘80s in security like RSA. What we wanted to do was build the next great security company.

But, at that point, I had an idea of what that might look like, which was democratizing security. At a time where, you know… Starting in 2007, we started to see small businesses turned inside out, right? In the ‘90s and certainly the early 2000s, it was mostly phishing, right? The 419 boys, the Nigerians were kind of scamming the world with all this stuff. But starting 2006, the Brazilians were turning kind of their country inside out with targeted malware, realizing that the easy way into the banks wasn't through the front door or through the firewall or whatever, but actually through the users.

And so, you know, there were all kinds of banking trojans, all this kind of stuff happening at the time. It started to make its way over into the US. And by 2007, there was guidance from the American Bankers Association and the FFIEC, the executive arm of the FDIC, that insures all of our accounts, that you shouldn't be using a computer for email and web that you use for online banking. But who's going to use a dedicated computer for online banking? That was kind of the quality of the problem at the time and we were all stuck.

There were examples of a company called Experimetal, a small auto body shop out of Sterling Heights, Michigan, which got fleeced for roughly $3 million by some attacker and they had done everything right. Comerica had given them an RSA token to use for two-factor. It just turns out, if I can steal your first password, I can steal the second one. Even if the password only lasts for a minute. That's why at Duo, we ended up kind of doing something out of band instead of inline. It was amazing just how broken that market was.

We felt that we had to sort of throw our hat in the ring to go and try to solve some of this. But yeah, we came up with 30 ideas and they're still sitting on a Wiki page somewhere on our Wiki of all the things. Curiously, a lot of what we have ended up building over the years maps back to some of those early ideas of what we thought might work. But, well, I'm sure it's just survivorship bias. There were probably many, many more ideas that we considered but never would have done.

JON SAKODA: I was just going to ask, do you feel — now looking back — that you should be somewhat dispassionate to the specifics of the idea around starting a company? Or do you feel like you had a vision for what you wanted the company to do over the long term, but you were maybe a little bit less opinionated about the details of how you got there? I'm just curious if there's more generalizable advice now for founders that are trying to build a company.

DUG SONG: I actually have a strong thesis about who it is I serve and why, and my purpose in life. I did all this stuff growing up that actually can be useful now to protect others from harm. I believe there actually is a moral mission — and a noble mission at that — to make sure that we're able to help create safer environments and all this to protect folks.

So that's really the mission we had. And honestly, when we went to go talk to customers, we did it in a way that was a little bit engineered for discovery. And it turns out, the answers didn't— we weren't prepared to hear, and actually, I was a little bit dismayed here. But it was around account takeover and password theft and all that kind of stuff that no matter what controls they had in place, whenever attackers stole their users' passwords, it was game over. The users, being indistinguishable from their employees, had access to everything. We sought to go and solve that problem but believe me, it wasn't first on my list.

It goes back to something that Adam Nash, who used to lead product at LinkedIn, had written a long time ago around kind of the three parties of product strategy, which is, customer requests. What customers ask for generally they need, but do they need in the way that they're asking for it? Those things are always easy to over-index on because very often it’s just like, “Oh, I can't sell this thing until I have this feature or whatever.” So, there's what customers ask for.

But then there's a bucket we call, customer delight, which is actually spending the time — via user research or customer discovery, whatever you want to call it. But taking the time to actually empathize with customers. And empathy is not caring about them, but actually understanding their point of view so that you can interpret that need into a solution that maybe they never had considered or thought about. And that's where those wow moments happen, right? Where you can deliver real solutions to them that are delightful.

Then the third is, metrics movers, and what are the things that you can do that move the business forward that maybe no one ever understands or cares about but are deeply important, whether to your business or to the customer in a way that they’ll never understand. A lot of the “-ilities” kind of fall into that, right? Like usability, scalability, reliability, availability, etc.

When it comes to kind of the founding idea, I think what’s probably— and this is my belief. There are so many ways to be successful, so I'll never claim that mine is right for anyone else but me. But what has kept me motivated for over 10 years now — serving this set of customers and in this industry and continue to do what I do — is that I deeply care about the customers.

JON SAKODA: I know that you and I have done events where we've talked about the success of Duo and all the ways in which you created a multi-billion-dollar company. Now you're at Cisco. I want to look back on what you think are the highest highs and the lowest lows. Like when you look back… because it's been a long journey, right? More than 10 years, including the acquisition. What stands out now as still the highest highs and the lowest lows?

DUG SONG: You know it's funny. I just got back together with some of my old Duo team at Jono’s place. He has a lake house. And so, we're out on his boat with a bunch of old-time Duo leaders sort of reflecting on some of our journey. I think the thing we all have in common is that it's actually about the people.

I mean, the crazy thing is all the things you'll do… Hopefully, if you're successful, you have the impact on the customers the way you intended and obviously, the financial rewards are great. But for me, it was always sort of secondary. It's those personal journeys that coincided with our company's journey that are really, for me, the continued highlights of my career. To see where all those folks have gone, the legacy we have created and to have been part of that and have a legacy, that is actually the most gratifying thing.

JON SAKODA: What were some of the lowest lows, or has it been so long now that you just only remember the good times and not the bad?

DUG SONG: It’s hard. I will never say this in front of my wife because I think she would kill me but like, when you have a baby, you forget just how deeply traumatic and painful that was. My wife gave birth to our two children with no medication which I can't believe, right? I can’t understand. Because I was there…

JON SAKODA: She's a strong woman.

DUG SONG: I mean, she’s like gnawing off my arm and crying bloody murder. And yet we have another— We did it again, right? It's sort of like you forget that trauma. And if you’re a skateboarder, it’s sort of the same thing. I broke my wrist doing some stupid thing on this fire hydrant and I went and tried it again. You just sort of get over it, I think. Maybe that is sort of an affliction or something weird about founders, right? To be able to do that and get through it, not to dwell on the negative, but to continually look for— Like we used to say, “We win or we learn.”

How do you build a successful business? Well, you make, hopefully, a bunch of good decisions. How do you make good decisions? Well, sometimes you make a bunch of bad ones, and you learn from them, right? But, you know, that process of trial and error… I never cared so much about the quality of the individual decision. I cared a lot about the quality of our decision process. And so, that's what we focus on.

It's hard to say because there were so many failures, but a lot of them… There were none that were — obviously, in retrospect — irrecoverable. But there are some decisions that you really can't recover from, and those, you have to be careful about. Your choice of investors, for instance, right? That actually is irrecoverable, and I've seen it time and again. For the wrong investor or the wrong opportunity to be paired up, you know.

JON SAKODA: It is surprising. Now that I've been either a founder or investing in founders for almost two decades. The relationship between an investor and the startup sometimes outlasts the relationship that the founders have with their companies.

DUG SONG: Hundred percent.

JON SAKODA: I mean, it’s incredibly sticky. It's a very hard relationship to unwind.

DUG SONG: Absolutely. Cause you can't fire a founder. Founders will fire themselves, probably more often before that. And leadership turns over, right? There are always eras of leadership in the various growth phases of a company. So, all that's expected.

That investor relationship to the CEO is sacrosanct. It has to work. My best advice for that comes from, who had been my lead director, Lorrie Norrington, whom I love.

JON SAKODA: Oh, she's great.

DUG SONG: Yeah. I want to be Lorrie when I grow up. She once told me — as we were building our Board in preparation to go public — about her litmus test, which she called “The Grocery Store Test.” If I saw this person at the grocery store, would I hide from them in a different aisle or run up to them because I want to spend the time with them? I can't get enough of them. And I really believe that. Life is too short to do business with people you don't want to do business with, or don't respect, don't like, don't enjoy… And it's imperative to find folks that you really, really love to be on your board. Because those are the people that are nurturing… they're raising your child with you, right? You've got to align on a bunch of things. You have to enjoy working with them.

JON SAKODA: Any lessons to your younger self? The younger Dug Song that's about to start a company.

DUG SONG: Yeah. Ask for more help. I think early in my career— And again, it's sort of like in skateboarding. No one can really teach you kind of how to do some of these things. Or maybe they can but you don’t think that. Everybody just goes. Half the fun is in trial and error and kind of going about it. When people watch skate videos, it's not so that you can learn how someone does a trick. It’s so you realize that it can be done. It's to get the inspiration to go out and try it yourself.

And so, there's a little bit of a lone wolf syndrome amongst skateboarders, but I think it translates to founders as well. You know, as a founder, I was all too willing to learn certain lessons the hard way when really you don't need to. There's so much out there. And in this age where like, I give full credit to these folks like Brad Feld or some of these early bloggers who demystified…

JON SAKODA: Oh, Fred Wilson?

DUG SONG: Fred Wilson. Yeah, absolutely, for sure. They demystified the black art of venture. And founders now, I remember when I showed up to speak at SaaStr, I gave full credit and blessings and respect to Brother Lumpkin because that's what used to call him. When he first started blogging about SAAS, it was like he was the only person who was really capturing a lot of the early thinking in a really, truly authentic way from a founder's point of view. I think there's so much wisdom to be gained from learning from others.

And if I do have a bit of advice, it's try to learn on someone else's dime. There's so much that can be learned by joining a startup first. By being part of it, you don't have to slam into the wall yourself. I didn’t realize that that's not the right way to do it. And actually, honestly, I feel like many times people say, in the valley particularly, “Oh, you learn so much more from failure than you do from success.”

Man, I don't know. Honestly, I'm not sure I entirely believe that. It’s like what I tell my own team. There are so many reasons why we might fail to win a deal, right? Like the competitor dropped their pants and gave the product away for free. We'll never do that. But the reasons we win, actually we can own. We can double down on it. We can scale. We can repeat. They become our playbook.

It was Jack Ma — Crazy Jack — who had this really beautiful explanation of what an entrepreneurial life looks like. Before your 20s, learn to learn, be a good student. In your 20s, follow a great leader, not a great company. So, you sort of learn to be inspired, right? To see someone go out and do that themselves and see what it takes to translate those ideas into action and that kind of thing.

In your 30s, learn what you're good at and spend some time finding your skills and that kind of thing. In your 40s, if you're going to start, start! Which is actually really different than the way you think a lot of people think about this stuff, like, “Wow! Start a company in your 40s?” In the valley it’s like, one graduates college and starts three companies or something it seems like after Stanford.

Then in your 50s, he says, bet on young people, right? Help them be successful. And in your 60s, you should be sitting on a beach and drinking a daiquiri. But, you know, I think there's some real wisdom to that, right? There's so much to be learned from watching and being part of other successful teams or organizations building those networks. Where else will you understand what meaningful problems there are to solve in the world or who you can do that with? That's my best advice to would-be founders.

JON SAKODA: So, you're now in a position where you can give back to founders, you can give back to your community. How are you spending your time today?

DUG SONG: Well, a large part right now in my day job at Cisco is really trying to help reshape the industry. We have this unique platform and it's rare to have the opportunity to reshape a $50 billion business. The way that Microsoft kind of just transformed themselves to the cloud and SAAS.

And my intent here is to make sure that Cisco becomes the best place for anyone else to sell their company with similar ambitions and so forth. That said, what I'm doing extracurricularly is… This stuff I know I'll spend the rest of my days doing, which is helping that next generation. Whether it's founders in the spaces in which I have operated like security. Because I do feel a sense of duty to extend a hand up for the next set of entrepreneurs like myself or more broadly.

My wife and I agree. Our intention is to give away the majority of our earnings over life. I'm not going to screw up my kids with sort of leaving them a legacy of never having to do anything. There's a large part of what I have to do next, and have been doing the last few years, professionalizing our approach to philanthropy and really approaching that in a way that is responsible. It's hard work and I never realized how much work it is to give away money.

JON SAKODA: I think it's hard to do well. Like many things, it's hard to do well, and it's very hard to do it in your own way. I want to say, thank you. You've been a real inspiration to a lot of founders. Many, many founders have come up to me and said that they grew up in some form of underprivileged background and that they’ve looked up to your founder story.

I know you've been a great friend to me as we started Decibel and we've advised and mentored lots of founders that are just starting out today. I know you're going to be a real source of change as a philanthropist too. So, I'm excited to see how that plays out. I do have one final question. I know that every entrepreneur has a little bit of PTSD after their company, but I know they also have a little bit of an itch to scratch about starting something new. So, Dug Song, are you going to start another company?

DUG SONG: Those are such hard questions, Jon. I don't know. I don't know. I mean, there are so many problems out there to solve. And there's so much fun in the journey. The other thing I just would impress upon founders is: take the time to enjoy it. Take pictures of the journey. No one cares about the end, right? It's about what you do along the way. And so, I don't know. I mean, we’ll see. I hope to have many more journeys like that. We'll see if what I have planned next will give me enough to do well.

JON SAKODA: Well, we’ll leave that as a little teaser for everybody in the audience. So, Dug, thank you for being with us in the Decibel podcast.

DUG SONG: Thank you, Jon. Just got to say, I appreciate your support and what Decibel has done for us and for many other founders so much. I just feel like I have a duty to reciprocate and help give back.