Learnings from Duo

Jon Oberheide on Duo's story, from conception through acquisition, and the important lessons he learned along the way.

One of the things I like about RSA week is the serendipitous moments: running into friends you haven’t seen in a long time, meeting someone into the same security niche as you, or finding a vendor party with all-you-can-eat artisanal ice cream.

One of the most interesting experiences I had this RSA 2020 was attending a small get-together of mostly security company founders in which Jon Oberheide gave an honest reflection on his experiences from founding Duo to having it be acquired by Cisco.

This talk was intentionally not recorded and the slides not made available, so in this post, I’m just going to share some of the highlights that Jon is OK with being shared.

Overview of Duo

What is Duo?

Duo started as a multi-factor authentication mobile app that enables you to approve or deny requests by simply clicking a “Yes” or “No” button.

Duo has a 70 Net Promoter Score (NPS), which is largely unheard of among security vendors.

It’s not that hard to be loved as a security vendor, the bar is so low.

Duo’s mission is to democratize security by making it easy and effective. They want to take advanced security technology and make it available to everyone.

They want to fight the “security poverty line” (blog post, talk), which is that small businesses, schools, journalists, and other groups are being targeted by advanced threats but don’t have the resources to properly protect themselves.


Duo has the following values:

Engineer the Business: like the product itself, treat the business as something that can be built and improved over time (experimentation, hack days, lean/agile).

Learn Together: Retrospectives, tech talks, book clubs.

Be Kinder Than Necessary: Publicly celebrate employees doing great work, give constructive feedback, work hard on conflict resolution, and focus on customer journey and success.


Duo was founded in 2010 and bootstrapped by Adam Goodman, Dug Song, and Jon Oberheide.

They started the company not knowing what they’d build. “Let’s build the next great security company. We’ll figure out what we need to do along the way.”

They had a bunch of fancy ideas for what their company could create, but when they talked with customers and asked what their problems were, they kept hearing the same story: the biggest pain point was account compromise. People were using RSA, but it was so painful and costly that people were ripping it out. Easy-to-use MFA appeared to be the fundamental thing that people needed, so they decided to build it.

The product launched in late 2010, early 2011.

Everyone said, “Wow that’s boring. You’re a team of smart people, why would you do that?” Based on the founding team, people expected them to build something related to machine learning or some other advanced technical solution.

It took them a while to hone their go-to-market strategy. In retrospect, Duo’s growth looks like a hockey stick, but the blade was really long: it took them a long time to start the growth trajectory.

They wanted to make sure they were serving customers in the right way, measuring the right things, and scaling the right way.

For a while, Duo had no sales; the “contact” number was just Dug’s cell phone.

Q: What was it like going from building the product to focusing more on management?

Philosophically, the 3 founders looked at the business every year and tried to be self-aware of their personal strengths and weaknesses. If an important task came up that no one else in the business could do, either one of the founders needed to do it or they needed to hire someone else to do it.

Many companies go a bit off the rails when founders hold on too long.

Founders need to realize it’s not their company. It’s bigger than you. It’s not your personal toy or piggy bank. At some point you should be able to obsolete yourself out of whatever job you’re currently doing.

On Being Acquired

The IPO vs M&A process is not fun, and required a huge amount of time learning how these things worked. Jon’s wife said he was basically a zombie for a year, as he was so preoccupied with it even once he got home.

Duo ended up choosing to be acquired rather than IPO so they could avoid the quarter-by-quarter knife fight with public markets, and instead keep their exponential trajectory.

Lessons Learned

They say 90% of start-ups fail. Actually, based on the data, it’s 64.8%.

Go After Big Markets

This is key if you want to build a large company. Bonus for “boring” markets with weak incumbents.

Jon showed a figure of the valuation of a number of acquired companies over the past few years and noted that pretty much none of them are in a new market. Instead, they were doing core things, like firewalls, AV, etc. Well established, large markets, in which companies have big existing spend.

Why would you want to start a new category? How badly do you want to fight gravity?

Do you want to go to every customer and convince them to change their annual budget? You can, but it’s going to be a massive amount of effort, and you’re going to have to fight that fight with every customer as you create this new category.

You can sell into existing budget or sell on new budget. The former is much easier.

Is there a new way to solve problems in a place where people are already spending?

Consider: how have the goal posts moved? Is there a new trend that necessitates a new solution? A short term product that can lead to a longer term vision?


Find your big, boring, and immediate market opportunity while building towards a long term vision.

Write Down What You Want to Be

Every 6 weeks, the Duo management team would write up progress, plans, things that were going poorly or well, etc., into a board report.

They’d also include some aspirational 3 year plans. Not necessarily a detailed roadmap, but rather the north star of what they wanted to become.

Ask yourself: what do you want to be known for? How do you want to be viewed by customers in the market?

Work/life balance was really important to them, for the founders as well as the employees.

Design Your Go To Market Engine Early

When Jon looks at a pitch deck now, he cares little about the technology (are you solving a problem? OK good, you’re probably doing something clever). Having working tech is table stakes.

A clever go-to-market strategy can make a winner.

Duo used a freemium model: let people try it out, and customers would come when they were ready to buy.

Many people don’t want to talk to a sales person.

Duo closely tracked the progress of freemium customers, and worked hard to make sure they were getting quick success, seeing the “wow” factor.

They wanted customers to see value within the first 60 seconds of starting their trial. This makes it more likely they’ll invest the time to do a full PoC.

This approach is very disruptive to the traditional enterprise sales process.

Say an IT director tasks his employees with vetting various MFA solutions and gives them a 60-day RFP process. With Duo, the employees can get up and running and start showing some wins in the first half hour or at most the same day. Though the RFP process may be 60 days, they can go back to their manager and say, “Hey, we got this working in the lab, it’s within our budget, I don’t want to spend the next 59 days getting mailed a CD from RSA and then testing to see if it works for us.”

Growth: Build a Team

There are a number of challenging inflection points when building a team: when you go from 10 to 50 employees, or 50 to 100, 200, etc.

Netflix has the policy, “No brilliant jerks,” which Duo adopted as well. They stress those kindergarten skills - be nicer than necessary. Drama gets in the way of building a good business.

Attitude > Aptitude > Experience

Being in Ann Arbor, they didn’t have easy access to the vast number of experienced security or developer professionals, as you might have in the Bay Area or other hubs.

But they found that if you find the right people with a good attitude, who are hungry and eager to learn, that can trump having lots of experience.

Their biggest hiring failures were when they hired someone with an impressive resume that potentially blinded them to personality or cultural traits that might make them not fit in at Duo.

Duo didn’t have more experience than their competitors, they couldn’t outspend them, but they knew that if they could learn more quickly as a team (e.g. about their customers and their needs), then they could outcompete their competitors.

Duo employees had roles and responsibilities, but they wanted to empower people to say, “Hey, there’s a crack here, if we grow 5x this is going to fall apart.” Give people bigger spheres of influence, and recognize people who step up and make these improvements.

Hire outside the Security Industry

Most of the people they ended up hiring didn’t know anything about security beforehand, but they were smart and could learn. Only about 25% of new Duo hires had worked in security before.

Duo had a bias towards internal promotion and internal growth over hiring external candidates, which can be higher risk.

If we were going to build a different kind of security company, we needed different people.

Build the Product Company Around the Customer

Duo worked hard to think through the customer journey and all the various touchpoints. What are they, and how do we optimize them?

They tried to approach everything as an engineering process, and designed in the open when they were trying new things. For example, they would do retrospectives on marketing launches.

Your product is the holistic experience your customers have with your company.

Duo has a high net promoter score, not because it’s a great product, but because every step in the process has been carefully engineered to be a great user experience.

Scale: Build an Organization

“T2D3” - If you want to IPO, your ARR has to triple twice and double 3 times.

This is really hard. In SaaS you can get to ~1M ARR with anything, $10M for many things, but getting to $100M is really hard. That’s where you find out if you entered a big, boring market or something more niche.

They wanted to make sure they got big before they got loud (e.g. hyping their product in the press).

There are many “bands” companies get to. For example, some will get to $10M, and you’ll see a firesale early acquisition. Others will get to the $200M middle band but have mediocre growth, so you’ll see a decent exit depending on capitalization.

As You Do, Not as You Say…

Scaling culture is hard. It’s easy to do the right thing when there are 20 people in the room. “This is how we should operate as an organization. If you face X, do Y.”

But when you get to 200, 400, and more employees, how do you scale those beliefs about how the company should be run?

Dug and Jon had very particular views on the security industry: that they should sell based on value, not FUD. “Help, help, ask” - help the customer multiple times before asking them to buy anything.

Teach Empathy, Tell Stories

Empathy is not a natural skill. It takes real, conscious focus.

Illustrative stories about how your company has handled situations in the past become, over time, almost allegories encompassing the values the company stands for.

This is much easier to remember and more impactful than having a checklist of how to behave or inspirational phrases on the wall that no one actually abides by.

It’s Not Your Company

You may be a founder, but it’s not your company. You have a lot of shareholders, and even more stakeholders. It’s important to stand up for the best interests of the company and the employees.

By joining your company, people are entrusting you with their careers, years of their lives, and taking the bet that it’s a stable position that will enable them to provide for their families. That’s a big responsibility and you should take it seriously.

Do the Right Thing

In our industry, integrity isn’t just the Confidentiality Integrity Availability (CIA) triad. It’s everything. There are so many ways you can build a company; choose to serve your customers.

In many situations, there’s a “right thing” to do. Doing the right thing will pay off in the long term.

“The score will take care of itself.”

- Bill Walsh, legendary football coach (book)

As you’re building a company, there will be many challenging decisions that will test your values.

For example, your top software engineer may have a toxic attitude that negatively affects his or her team.

You have to separate performance from attitude and behavior. If you let that go one time, it can become something that is tolerated at your company.

Sometimes you may have to disagree with large parts of your company to do the right thing.


David Duffield, the founder of Workday, decided to interview all of the first 500 employees, because they’re going to hire the next 5,000 employees.

Jon recommended the books: