Michigan. “It wasn’t a business that could scale in the United States because of the regulatory environment,” he notes. “But it continues to be successful today.”
From there, he spent a few months helping Ann Arbor’s Barracuda Networks (NYSE: CUDA) perform technical due diligence on two companies it eventually acquired ahead of Barracuda’s 2013 initial public offering. Song says he realized the enormous scope of the world’s cybersecurity challenges while at Barracuda, which sells security, networking, and storage products with a focus on the public cloud.
Around this time, he began plotting the creation of Duo in earnest, drawing on these past work experiences for inspiration. “I left to build Duo and go after a broader market,” he says. “A lot of the experiences I had led to the design of Duo and doing cybersecurity in a very different way. At Zattoo, there was a strong focus on usability and accommodating the user’s workflow to make it frictionless,” an approach he wanted to apply to cybersecurity. “So with Duo, could we rethink what cybersecurity looks like?”
Part of that involved rethinking what cybersecurity would look like for a modern bring-your-own-device workforce. Duo wanted to create a security system so easy that end users would be happy to use it, saving IT administrators time and money. “It was a much more holistic approach,” he says. “Businesses have become new targets as their digital transformation brings their customers’ worlds, and data, into theirs.”
Duo’s software hinges on multi-factor authentication, a process to confirm a user’s identity through a second device, like a smartphone, or through a piece of information only the user has. Duo’s technology can also check the health of its customers’ devices, and block access to those deemed risky. Its customers include some of the world’s biggest tech companies, including Facebook, Etsy, Yelp, and Zillow.
“It’s unified access security, instead of cobbling together 10 different products,” Song explains. “It ensures the right person with a safe device is accessing networks and data in the right way. The reason I got into this is because I saw a problem that wasn’t getting addressed.”
Duo realized that spam, phishing, targeted malware, and other attacks were increasingly directed at users rather than systems. “To succeed [in that environment], you have to make cybersecurity usable,” he says. “To do it well, you need a very different approach. I drew on what exists here in Michigan that others don’t have.”
The Great Lakes State has always excelled at building things for people, whether those things were fur coats made from pelts captured by voyageurs on our lakes and rivers, or trinkets hammered out of copper pulled from the Upper Peninsula’s cliffs, or breakfast cereal, furniture, cars, and even the industrial supply chain itself. Song wanted to tap that spirit and work ethic as he built his company.
“Michigan is a really interesting proving ground for innovations that improve people’s daily lives,” he points out. “The culture of Michigan is exported in such a big way around the world. We’ve given the world so many different platforms to build progress. It gave us confidence, too—what do we want to represent? We want to be that kind of brand, to carry on real relationships with our partners and customers where they don’t just love us, they trust us. It’s not just about what we do, but how we do it.”
Some of Duo’s design DNA comes by way of West Michigan’s furniture industry, which made the region a mid-century powerhouse. “They were building easy, elegant things that people loved. That’s the differentiation—people love our products,” he says
Not that building a cybersecurity company outside of Silicon Valley, or Boston, or the DC area was easy. “Our first would-be investor said they’d do a seed round, but to be successful, we’d have to move,” he says. “We turned them down.”
Instead, they found investors who understood that Duo was in Ann Arbor to stay—and began growing quickly.
Acquisition was not the end goal when Duo was founded, Song says. “When Cisco came knocking, we were not looking [for a buyer], but we saw the transformation of what they’re going through as a company.” Cisco’s ubiquity made it an especially intriguing prospect. “We had 12,000 customers, and they had 800,000. They are the network. They built a lot of the Internet’s physical infrastructure and saw an opportunity to extend security where attackers are going after people beyond the bounds of the network.”
The deal with Cisco happened “very fast,” Song says. “Their tech met our roadmap and vice versa. It’s remarkable how complementary our paths were.” Together, he says, the two companies offer “a complete picture of security through a unified approach.” (Of course, many tech acquisitions don’t end up delivering on their promise, so a lot remains to be seen of Duo’s integration.)
Duo announced in August that Cisco had made a purchase offer of $2.35 billion, a deal that was finalized in October. Duo retained all of its 700-plus employees as well as offices in Detroit and Ann Arbor; Austin, TX; San Mateo, CA; and London. Song’s title post-acquisition is vice president and general manager of Duo Security.
“Everyone at Duo has come over to Cisco, in all our locations, and we’re continuing to grow as a business unit within their security business group,” Song says. “Our long-term ambition is to help reshape the security industry at large—we just get to do it faster together with Cisco.”
