This cybersecurity founder's path from liquor store, to hacking group, to Cisco
Duo Security's former CEO Dug Song opens up on a colourful journey that eventually saw him sell his business to Cisco for over $2bn
airInventory management in an off-licence at the age of eight is not the most conventional path into cybersecurity, but Duo Security co-founder Dug Song got bitten hard by the hacking bug at a young age.
He laughs that he was used as child labour in his father's liquor store, doing data entry on his father's computer but that experience and interest led to studying computer science at university, before working as a security consultant and ultimately establishing several security companies.
"I cut my teeth working as a security admin at the University of Michigan," he recounted.
"It was perilous before you had the notion of corporate campus networks, there were actual campus networks; people needing roaming access, or needing to access systems without firewalls and VPNs.
"Universities are some of the most interesting environments. A good tip for customers; look at what universities deploy because they don't have the budget to spend willy-nilly and they have to do things that work and they have very sharp communities of technologists."
Song's interest in hacking led him down a colourful path, joining the now-defunct international hacking group w00 w00 (pronounced woo woo), which also counted WhatsApp founder Jan Koum among its members.
However, it was the European security bulletin boards on pre-internet networks that really fuelled his interest in cybersecurity.
"W00 w00 was an international hacking cabal, but mostly US-based," he explained.
"Some really interesting innovations happened out of Europe. Diversity breeds innovation and one of the most unique things in Europe is its diversity, with its history of technology and networking and security."
The Duo boss then spent some time working as a security consultant for banks and casinos, before a stint as security architect at Barracuda opened his eyes to a gap in the market, which would be the catalyst for Duo's creation.
"Until I joined Barracuda, all of my experience had been at the top end of the market," he said.
"Then companies like Barracuda started popping out of nowhere, where they assembled what was effectively a bunch of open source technologies for SMBs to use.
"It opened my eyes that as every business was coming to the internet, every business now had a security problem and there were few vendors addressing those needs in a meaningful way.
"When I left Barracuda it was to start another company with this notion that Barracuda had been focusing on email security, but all of the attacks were going after people, not systems. The rise of targeted malware was the primary route successful hackers had into organisations."
And so the seed for two-factor authentication vendor was planted.
Master and student
Song recruited Duo co-founder Jon Oberheide when he was his intern at network and security vendor Arbor Networks (now part of Netscout).
Song had set up a "honeytrap" wireless network to lure potential students in. He found Oberheide sitting behind a Starbucks with his laptop open, accessing his network.
Song then drafted in some of his old banking clients to survey them about their experiences of the cybersecurity landscape and the attacks they were seeing in their industry.
"What happens to the banks usually [goes mainstream] five years later, the attack techniques become democratised," he explained.
"We realised that we had to democratise security; we had to make these technologies that only banks had available to them.
"Two-factor authentication for a long time was something only banks deployed, so we had to figure out how to make that available to everyone, by making it easy as a cloud-delivered service. We were able to ride the waves of both cloud and mobile adoption."
Duo Security was formed in 2009, with Song took on the mantle of CEO and Oberheide that of CTO.
They ultimately raised $121.5m in investment before being acquired by Cisco last year. But Song is adamant that the takeover will not affect the culture he has worked hard to cultivate over the past ten years.
Empathy and compassion are pivotal to the work culture, as well as having an interest in the motivations and interest of employees, the CEO stated.
"At the end of the day, tech is a people business," he said. "The best tech doesn't always win - we see that over and over again in this industry.
"We're not smarter and work no harder than our competitors. But what we have been able to do better [than them] is to learn together and innovate everywhere in our business: in terms of our go to market, how we partner, how we talk about what we do with partners and customers and what the problems are.
"My dad used to say if you take care of other people, the universe won't let you starve; I think more than anything that has led to our enduring success. I hope we can set an example for others in this industry."
Security cynicism
For the happy-go-lucky Song, his relationship with cybersecurity has not always been a harmonious one, as he admitted he left the industry at one point due to the "unhealthy cynicism" he encountered.
In 2007, he moved to Zurich for two years to work for an internet provider. However, the pull and potential of security was too strong and he returned to the industry two years later to form Duo.
"I think a lot of how people have operated in this business has left a bad taste in many people's mouths, mine included," he explained.
"I did try to leave security…I didn't see a lot of hope in the direction of the security industry. But I came back to it because there are so many people doing the work and so many deserving customers and partners.
"We wanted to come back and build better security, not just more and the time was right for the consumerisation. Security users had agency and didn't have to deal with bad user experiences, they could do stuff in their own way."
But that bitter taste from his earlier experiences remains in Song's mouth, particularly when he views the biggest threat to the cybersecurity industry.
"The biggest threat to cybersecurity is irrelevance," he stated.
"Much of the cybersecurity industry is useless. A lot of products out there quite frankly are lemons; where you buy something that you don't know is good or bad until much later.
"Proving the ROI of security effectiveness for most products is a challenge. This is the curse of security - if you're a security buyer, you can only keep buying more products that sit there and do nothing and its tricky to figure out what you can take out, consolidate and what you really need."
"The foundations of security are: knowing who your users are, that you know what devices are being used and their security posture and define the policies for access in an appropriate manner for your business.
"It is hard to do those basics. The biggest threat to businesses is that they don't get those fundamentals right, which is what we see with breaches happening over and over again."
Future moves
The $2bn acquisition of Duo by networking giant Cisco in 2018 has not knocked Song off his perch. The integration is going well and both parties are working together to see how they can best take advantage of the broadened portfolio.
Song is now general manager of Duo since the takeover, but he emphasised that for partners and customers little has changed, only that there may be more opportunities coming down the line.
He added that for now he is excited to be a part of Cisco's journey and has no intention of stepping away from the frontlines.
This is the most amazing business transformation in history," he proclaimed.
"I know that sounds grandiose but they are a hardware company going to the cloud and that has never been done before. The closest example we have is Microsoft, that is a $95bn company that went to the cloud, but it was also a software company.
"Things like this you don't get to do that often in life - the opportunity to transform the lives of tens of thousands of employees and of hundreds and thousands of customers.
"This is a rare opportunity to help drive a transform an entire industry in security and in access and this is the right platform to do this.
"I feel like we've graduated out of high school and now we are in the next era where we get to wear the Cisco colours alongside our own."