Serial cyber security entrepreneur Dug Song on building an ethical business

Duo Security's Dug Song speaks to GrowthBusiness on growing a morally responsible cyber security business in a time where chaos and fear rule the industry.

Growing up in Maryland in the shadows of the NSA, Dug Song felt a natural attraction to cyber security, even at a time predating the internet. A computer science degree later, Song dove head-first into the murky underbelly of cyber security, back when attacks only made the headlines in obscure tech publications. His first start-up was a cyber consultancy, with clients ranging from banks to Vegas casinos, but as glamorous as the Ocean’s Eleven type of business sounds, he tells GrowthBusiness, it’s harder than it looks. To stay one step ahead of attackers, Song’s go-to approach was to think like those same attackers.

“I sold that company and went on to build Arbor when I realised that the nature of attacks was evolving at a really rapid pace. Teenagers were turning companies like Yahoo, eBay and CNN upside down, holding them hostage. We saw that pendulum swing, that even teenagers could hold the world hostage, so we decided to jump in,” he says. Song’s next leap was when he joined Barracuda Networks, building security for everybody else.
Eventually, he founded his current venture, Duo Security, which he sees as an interesting exercise in gaining middle ground. “Arbor was for government organisations and institutions, Barracuda was for everyone. Duo Security is more for that middle, democratising security and making it something that every organisation can be capable of,” Song adds.

“Attacks aren’t sophisticated. Breaches happen in the most mundane and embarrassing ways, through simple malware, or a phishing attack.”

Hackers with a heart of gold

UK businesses have been hit 230,000 times by cyber attacks of some form over the past year, and that’s excluding the more recent high profile WannaCry and NotPetya strains of malware. Amid growing fears over evolving strains of nasty ransomware attacks and data breaches, Song says that the onus should be on security providers to temper panic and confusion.

“The response should be something really accessible. That’s the gap we saw in the market. Security was over complicated, and started to lose itself morally. The industry benefits from the complexity and confusion, admiring the problem rather than solving it. Plus, even security experts can’t tell who the attackers are. Is it a nation state or a teenager?”

In the context of the morality and ethics in the security profession, a recent study from KPMG revealed that 53 per cent of British companies are considering hiring hackers to take on their cyber security needs. While the report authors see this as a desperate cry from understaffed businesses for specific tech talent, the art of counterespionage surely isn’t new. Are all hackers bad by default?

As a renowned hacker in his own right, Song has always had a soft spot for hackers with a heart of gold. “If you’re in security, you have to have a foot in both worlds. You have to think like a hacker to defend against them,” he says. Back when he was at Arbor, Song remembers working late one night, only to have a digital alarm go off, alerting him to the fact that someone was trying to hack into their WiFi. That turned out to be then 17-year-old Jon Oberheide, a streetwise hacker-turned-entrepreneur and innovator. “I caught him hacking into one of the wireless networks in our office, hiding under a stairwell outside a Starbucks. He had basically triggered some alarms we set digitally for a ‘honey pot’ (a pseudo wireless network set up to trap hackers).” Instead of pressing charges against Oberheide, Song hired him as a student intern at Arbor, and later on co-founded Duo Security with the now Dr Oberheide.

“People of my generation earn security in a different way. This type of exploration wasn’t illegal. This was before there was Linux. We grew up in the age of Wargames, and all that is sort of evaded, and by now there are laws in place. There are more standards and code of ethics and conduct in the space.”

When it comes to ethics, just having the skills isn’t enough, however. You need the right motivation, he says. “We operate by a very clear code of ethics, and it includes going out of our way to help others be successful. We’re the kind of team that have each other’s backs, not one that talks behind each other’s backs.”

For Song, the industry has lost its way, playing up to the hype rather than playing it down when necessary. “It’s so important to establish a rapport and build a community. There are instances when you can solve a problem half way, which may be enough to tide a company over, and it gives the security provider a reason to make more money later on. As long as there are more problems, there will always be a security industry. We believe we need to set an example, which is why we work with other tech vendors. It’s not about profiting off the misery of the world at large.”

Staying innovative

Oberheide’s team within the company, Duo Labs, has an aggressive focus on research and innovation, with a sole focus on staying a step ahead of attackers. “We try to break the security of Google and PayPal’s two-step authentication systems, as well as corporate issued laptops straight out of the box, like Dell, HP, Lenovo, and Acer, and find a way to compromise these machines. It’s important that we stay innovative by building that capability within our organisation,” Song says.

“My job is to make obsolete how security operates today. We’ll work to automate and prevent a lot of problems in the future. It’s about defending others and helping protect their mission. Security can be made much more simple.”

With a focus on innovation, Duo Security is now one of the fastest growing cloud-based security software-as-a-service (SaaS) providers in the world. The company turned over $73 million in annual recurring revenue in 2016 and now protects more than 8,000 organisations worldwide, including Bolton NHS Foundation Trust, Etsy, Facebook, and Yelp.

In the UK, and the wider EMEA market, the company’s growth has been exponential, a market which Song calls ‘the ticket to (Duo Security’s) growth’. “We believe there’s a tremendous upside for us in this market. It’s still early in its journey. We’ve been learning a lot in the two years operating the territory. Now we have nearly 2,000 paying organisations, and 1,000 organisations using the free version in EMEA. They include customers in every vertical you can imagine of every size,” Song says. “And we’re here because we’re pulled into it. Over 90 per cent of our customers are in-bound.”

With GDPR on the horizon, Song believes that this isn’t just an issue for UK or EMEA, but for the world. “In so many ways Europe has led the world in terms of having a conscience of what’s needed for data protection, privacy and ensuring that corporations are held up to the proper standards. This is one of the biggest geopolitical problems of our time,” Song adds. “Ours is a noble but quiet job.”

Company culture

What makes this ‘noble but quiet’ profession all the more cause-driven for Song is Duo’s company culture, which he says is completely intentional. “It’s something we work to develop and grow. For us it’s more about how can we be thoughtful on how we evolve. Every year we’re effectively a different team, since we’ve doubled our workforce and revenue that often. If you look around every six months, half of the team will be new,” he says.

The Michigan-based tech firm, being based so far away from the “new boys’ club” in Silicon Valley, believes in hiring for shared values rather than cultural fit, which, according to Song, can be toxic for the sector.

“We’re happy not to be part of all that mess in the Valley; the monoculture, which leads to groupthink from not very diverse teams. We have tremendous diversity, having folks with a wide degree of background, perspectives and skills. We ask every hire what makes them unique, and what can we learn from them? It’s so important to know what their cultural contribution will be to the team rather than hiring for cultural fit. That’s the way we can grow, and be able to do new things.”

Song’s team includes experts in anthropology, journalism, politics and everything else in between, because he believes the only true way to grow is by incorporating new ways of thinking that come from as much diversity as possible.

“80 per cent of our hires don’t come from our industry. We choose to be open rather than closed, especially because the sector can be clubby. For me, it’s part of doing the right thing,” he says. “We’re all aligned in our ambition and shared set of goals and values of how we treat each other. That’s all that matters.”

In terms of the infamous gender skew in cyber security, Song says that while the average number of female employees in the industry is only 11 per cent, Duo’s workforce is 35 per cent women. When tallying up other represented minorities combined, that’s 40 per cent of the team. “It’s about working to establish the social capital, and building relationships that transcend role responsibilities in the org chart. We turn hundreds of perspectives into creativity instead of conflict. You have to evolve with the times as any business, especially in security. Our deeply held belief is that in order to grow you have to be willing to incorporate new ways of thinking and different perspectives. What got you here won’t take you there.”

Praseeda Nair

Praseeda was Editor for GrowthBusiness.co.uk from 2016 to 2018.