The Founder Formula
Every passing moment, a tech startup disrupts life as it was. In humanity’s pursuit of faster, better, and higher capacity, fresh companies are tackling old problems and modern complexities, all while pushing the bounds of the future.
The Founder Formula brings you in—behind the curtains and inside the minds of executives at Start-ups that have traditionally only been found in Silicon Valley—and the Venture Capital Firms that fund them.
The Founder Formula
Jon Oberheide - Co-founder of Duo Security
After growing up in Ann Arbor and attending the University of Michigan, Jon Oberheide and his partner Dug Song started their career as offensive security researchers.
They soon found that it’s really easy to break things in the security space but it's a lot harder to build something resilient.
Jon joins us on this episode of The Founder Formula to share the story of their journey, and some of the simple solutions they were able to identify early on.
Listen to this and all of The Founder Formula episodes through your favorite podcast platform or Trace3.com.
And we started the company not with a crazy idea, but with the kind of understanding that we go out, we talk to customers and actually figure out what problem we should solve on their behalf.
Todd Gallina:Founder Formula brings you in behind the curtains and inside the minds of today's brave executives at the most future-leaning startups. Each interview will feature a transformative leader who's behind the wheel at a fast-paced and innovative tech firm. They'll give you an insider's look at how companies are envisioned, created, and scaled. We hope you're ready. Let's get into the show. Hey, everybody. Welcome back to the Founder Formula. We are rapid-firing these episodes. My name is Todd Galena, and with me is Trace3 Chief Innovation Officer, Mark Campbell.
Dug Song:Hello, hello, hello, Todd. How is bright, sunny California?
Todd Gallina:Bright, sunny California is doing just fine, thank you. And this weekend, are you ready for this? This weekend, I will be driving up the coast. Oh,
Dug Song:which coast? I had to put that in there. Hey, the people of New Zealand know what I'm talking about.
Todd Gallina:We're going to be taking the 10 all the way to Florida and then driving up that coast.
Dug Song:Nice. You might as well. You might as well.
Todd Gallina:We're heading on up to Big Sur. Oh, nice. Super beautiful. Just in case we're not allowed to go anywhere near the beach, the views are are tremendous, but I do have some terrible news regarding one of our favorite stops.
Dug Song:Well, what? What happened?
Todd Gallina:So there's this Mexican restaurant called Freebirds. It was kind of like the first ever version of Chipotle, and it's in Santa Barbara, and it's right there next to the college. I was actually introduced to it by somebody here who works at Trace3, Drew Kather. We all had it for a meal one time when we were doing something in Santa Barbara. And since then, Anytime I drive through Santa Barbara, I make kind of like the long winding journey to this place and everyone loves it. It's great. So as I'm planning this trip, I'm like, Hey, I'm going to be driving through there. It's going to be like six o'clock and I just better make sure that they're open because my wife and my daughter love the place. And I went there and I checked and it said closed. And then they had that word that just gives you the chills closed permanently. No.
Dug Song:Yes. It's like,
Todd Gallina:Forever.
Dug Song:So it's kind of like an institution. Is it like gone, gone? Or does this just mean that they don't know when they're going to open?
Todd Gallina:The sense I get is they are gone, gone. But they do have other locations. They have one in Los Angeles. My understanding is they have one in Utah. So the franchise will exist, but the original is now gone forever.
Dug Song:So as far as how good the original was, you kind of could be lying and we'd have no way of proving it.
Todd Gallina:Yeah, but those who are listening who are familiar with it, I'm sure that those people will all agree it was a pretty awesome place.
Dug Song:Wow. Well, it's sad to see that. Sad to see that. The passing of the guard. I guess we're starting to turn in those people that are sitting on the front porch complaining about, well, these newfangled things just confuse the heck out of me. Right? We're those guys now. Yeah.
Todd Gallina:These newfangled burrito and taco making places that look like Subway. The
Dug Song:crime against nature is what it is.
Todd Gallina:Exactly, exactly. We've got a pretty amazing guest coming our way for today's show.
Dug Song:Yeah, I know. This guy in on the ground floor of something kind of special has gone through the whole the whole founder's journey from the academic setting and then working in the industry, starting his own gig, growing it up into a real behemoth, a real trendsetter in the cybersecurity space, sold it to a large company. So, I mean, he's kind of done the soup to nuts in this. And if there's anyone out there listening, kind of wanting to know, you know, how do you do that end-to-end, this is a guy that's got the secrets.
Todd Gallina:Yeah, for sure. And he, without revealing the location, he's not coming from some of the traditional places where you would see a startup like this founded.
Dug Song:No, coming from downtown lower Manhattan, which is kind of neat. That's not where he's from. Oh, I'm sorry.
Todd Gallina:All right. Well, why don't we get it straight from the source and why don't we introduce our guest?
Dug Song:Yeah, absolutely. Let's go. Let's let someone with some brain start talking.
Todd Gallina:Okay, as promised, our guest hails from Ann Arbor, Michigan, and is the co-founder and CTO of Duo Security, which he founded in 2009. They're a cybersecurity firm specializing in two-factor authentication and endpoint security. Cisco purchased them in 2018 for $2.35 billion, which isn't too bad. Please welcome to the show, John Oberheide. John, welcome. Thank you, guys. Thanks, Todd, Mark, for having me.
Dug Song:Well, it is so great to talk with you again, John, and kind of exciting to see how your neck of the industry is really coming into its own, given the current crisis and so forth. But obviously, this is kind of further on in the movie. Let's go back to when things started. Tell us a little bit about what your motivations were on going out and starting Duo, and what was that big that got you into rolling the dice on a startup?
Jon Oberheide:Yeah, I mean, there's a long, medium, short version of this, but I'll start with the short version and we can dig in. Myself and my co-founder, Doug Song, we kind of set out back in late 2009, early 2010, to really build a different kind of security company. We'd both been in the industry for several decades and I just really wanted to kind of maybe right some of the wrongs of security vendors and how they delivered products, how they treated customers, how they built their business. And at the same time, focus on solving some pretty fundamental problems in computer security that we've struggled with kind of since inception. And wanted to tackle the security challenges that were faced by pretty much all organizations, kind of big and small, regardless of how much budget you had what attackers you were facing or how sophisticated your program was. That really guided us since the early days, but also still stays with us. How do we democratize security technology by making it easy and effective? That's our stated mission as a company. It sounds kind of simple, but at the same time, that's some of the biggest challenges we face in the security industry is that the solutions are very complicated, very costly, and oftentimes not actually effective in solving the problems that organizations are facing.
Todd Gallina:So John, Duo is a big player in zero trust. For our listeners, you may not have heard of that term. Can you give them the lowdown on what exactly that means?
Jon Oberheide:Yeah, we see our value to customers as how do you enable secure access from any user, from any device to any application? How do you do that in a secure and usable way? You know, we used to do this in a very different way. Kind of in the original model of IT a few decades back, things were very simple. You know, we had everything within our physical four walls. You had all of your employees going into the office building, using the desktop computer, you know, chained to the desk. All of your applications and data, servers, network resided within the four walls of your physical office. That was fine, but, you know, we decided to poke a hole in that physical perimeter. to enable mobility, to enable remote work. And we call that a VPN. And obviously, you know, a VPN enables you to act as if you are in the building on the corporate network, but remotely. In the modern day of IT, things are a little bit more complicated. If you call it zero trust, or you call it kind of a deep, deprimatized model, there is no physical four walls of the office anymore. And your user populations are, very distributed and diverse. It's not only your first-party employees, it's your third-party contractors, it's your vendors, your service providers, your consultants, your customers, kind of an extended ecosystem of the enterprise. Your devices are heterogeneous. It's not your corporate-issued and managed laptops anymore. It's mobile devices, some that are BYOD, some that might be corporate-issued. They're the Windows XP laptops that your employees are now using at home because they've moved to a work-from-home environment. It's the only device that's available to actually get their job done in this new environment. And your applications certainly have gone outside the four walls with cloud applications, hybrid, while still not leaving behind any of your existing kind of apprentice applications. So it's a very complicated ecosystem, and we need to apply new security controls in these different environments to make sure it's the right user, it's the right and it's the right access to those applications.
Dug Song:And in doing so, one of the niches, of course, that you guys carved out was that kind of that two-factor, multi-factor. Can you kind of maybe unpack that a little bit and what the world might look like in an age without passwords?
Jon Oberheide:Yeah, multi-factor authentication was really our act one of the company because at that time in 2010, it still was the early days of cloud computing. Office 365 wasn't a thing yet. iPhone was launched in 2007. Android had come out in 2008. So these big waves of cloud and mobility had just started to hit organizations. And they're trying to adapt their access and their security architectures to this new model of access. So that was really where we built that first act of the company of saying, hey, the real threat here is user-targeted attacks and account takeovers. It's not zero-day exploits. It's not people directly breaking into infrastructures and servers and networks anymore. It's just the fact that I can send you a phishing email and then get access to all of the systems and data that you're authorized to access already. So we saw attackers starting to really go after people as kind of the soft underbelly of organizations. And we said, hey, this is clearly the problem to solve. it does fit that kind of universal challenge that whether you're a mom and pop coffee shop with some online HR systems, or you're a global financial, or you're a federal government, everyone is facing these same challenges. And the current solutions out there were just kind of underwhelming, to put it politely. We were competing with the RSAs of the world, which that security technology that we still love to hate was invented in 1985 and really hadn't changed for several decades. So we saw that as the real problem to go after of how do we just solve the fundamental question of who's on the other end of the computer when they're logging into our systems, but in a way that has a different usability profile that's kind of built for the modern world. Those humans. Do you know what I mean? It's a real challenge in the industry is that kind of common refrain of like, the users are stupid. So how are we going to fix security? And we kind of took a different approach of like, users are trying their best. Like we have failed them. You know, technology and the security industry have failed users. The kind of common advice of like, you know, don't click on links or like don't plug things into your computer. Like, how is that? how's that approachable? How's that usable? Like a user's job is to click on links and open emails and open attachments and plug things in their computer. So we need to build security technology that can allow a user to do their job without having to jump through, you know, a thousand
Todd Gallina:hoops. No, true. It's funny when you talk about humans and security. I know one thing that I run into is every time I have to create a new password, there's always the one that's advised to me and the one that I'm going to need to remember. And some of the ones that are advised, I'm like, how on earth would I ever use a password like that. Yeah,
Dug Song:Todd, you can use post-it notes. I stick mine on the edge of the monitor. It makes it super simple. It's not that hard.
Todd Gallina:John, I mentioned in the intro that you are our first founder to Hale from Ann Arbor. You're still there. You spent quite a bit of time there. Can you tell us what in your background made you think you could start a successful company?
Jon Oberheide:Yeah, I think it's... you know, being a bit foolish and naive, of course, to take that kind of risk to start something new. I think that's somewhat natural in founders. You have to have a little bit of foolish ambition. But, you know, both myself and Doug had kind of similar backgrounds. We had been on the other side of the aisle, so to speak. We had been, you know, offensive security researchers showing how to, you know, break into a number of systems and weaknesses and protocols and credentialing and so on. And, you know, we'd worked together at a previous company in Ann Arbor called Arbor Networks, which at the time in the early 2000s was solving the, you know, largest cybersecurity problem of that decade, which was just trying to keep your website on the internet against, you know, denial of service attacks. So after that experience in the early 2000s, I ended up continuing in the graduate program at U of M, which I do not recommend to many people. It's a great experience, but... You know, academia is an interesting place. Thankfully, our research group was very kind of entrepreneurship oriented and that a lot of our students ended up going on to start great companies themselves, both here and on the coast. And, you know, Doug and I eventually kind of got back together when the timing was right. So we, you know, we realized that we always wanted to start something together, start a company. And that's kind of how we approached it. We said, hey, this is a good time personally and professionally to go start a company together or the There's never a good time, but the best time available. And we started the company not with a crazy idea, but with the kind of understanding that we go out, we talk to customers and actually figure out what problem we should solve on their behalf, which is, I think, a little different than many startups.
Dug Song:So when you were kind of... venturing to go out. You mentioned that you'd worked with Arbor previous to that. Was this just something that was always like a burning desire? You know, like, hey, ultimately, I know that's where I'm destined. Or did one day they started charging 25 cents for coffee in the break group? Was there like some like catalytic event that just charged you out the door? Or is this kind of a long time coming?
Jon Oberheide:I think it was. I think it was more of a long time coming. I always had a little bit of the The entrepreneurship bug had a very small-scale company back in high school that we continued into college, which is where I cut my teeth on some of the basics of what it takes to run and build an organization. But we were just a two-man shop trying to figure out what we could do on behalf of our clients at the time. So that informed, I think, my view on what I wanted to do professionally. I certainly wanted to leverage some of my unique skill sets in the cybersecurity space and also maybe atone a little bit for our sins of being on the offensive side of things and actually build defensive technology. It's really, really easy to break things in the security space, but it's a lot harder to build things that are resilient and actually solve some of those core problems. Okay,
Todd Gallina:so you guys decide that you want to start a company. You're familiar with what customers want. And now you've got to get your pitch together because you've got to gather up some funding. Can you tell us a little bit about that process, putting together the pitch? Did it work? Did you have to revise it? Did you already have a bunch of buy-in from investors?
Jon Oberheide:Yeah, we bootstrapped the company from the start. So maybe the first year or so, we were just kind of running on our own fumes. And that worked pretty well. We were able to build some reasonable... technology that landed us a few early logos. And that was right out of the gate. I think we closed our first customer 30 to 60 days after starting the company. And that gave us a lot of validation with some of our early customer discovery of, no, obviously there's a huge need. We know phishing is a massive threat and people are being breached left and right with really simple, scalable phishing campaigns. But we really, really validated the opportunity for delivering something that was different, that didn't require hardware tokens or, again, a bunch of hoops to jump through. And that allowed us to get some initial traction so that by the time we were going out to raise a seed round, we had some proof points under our belt. We were still only three people, probably maybe like five customers total. But we had revenue and a working product to some extent. And we're able to go do the kind of the Sand Hill Roadshow, which led to some mixed results, you know, given that we were based here in Ann Arbor. That was definitely a sticking point for some venture firms that kind of looked at us and said, hey, like, can you actually build a company in Michigan?
Dug Song:Ford did?
Jon Oberheide:Yeah. I mean, there's plenty of, you know, examples over the last century. You know, it was a bit of a hurdle. for investors to say, all your customers are on the coast. How are you going to do this? How are you going to find the talent? And this two-factor thing seems kind of boring. And our response was, yeah, it is boring, but everyone needs it. If it's boring, it's likely a fundamental capability that all organizations need. And you have a multi-billion dollar TAM and you have incumbents that own the majority of the market that haven't innovated in years and are ripe for disruption. So there are all these things that may be more in hindsight that were completely obvious, massive opportunities. But at the time, it was a little
Todd Gallina:bit of a tough sell. That's amazing that while you guys were self-funded, you were able to get five customers before you walked in. You mentioned that, and I think that must have been a huge motivator for your next round of funding. Yeah.
Jon Oberheide:Yeah, definitely. The first round was certainly the hardest. There was a firm called True Ventures. Kunit Agrawal ended up being our partner from True that led our seed round. And, you know, after we'd gone out to the Valley, they had heard kind of through the rumor mill that we were raising, and they actually flew out to Michigan to visit us and spent a day with us. And it was, you know, I'd say, you know, love at first sight. You know, we really clicked and, you know, very quickly closed that round. But that was kind of the, you know... the beginning and the end of fundraising challenges. Because after that, you know, the business really took off and we kind of had our pick of the litter from there out in terms of, you know, fundraising partners and opportunities.
Dug Song:Well, you had mentioned like landing those early logos, right? And kind of giving yourself a place on the map before you went out to get funding. That, I think, in the end wound up really putting you ahead when you were talking. You knew exactly what you were going for. But I think in order to pull that off, you've got to have that initial team just be so focused. Can you tell us a little bit about how did you pick that founding team? I know you and Doug were in school together and so forth. But even like those couple core hires, how did you pick that? did that all come together?
Jon Oberheide:Yeah, it's a good question because we were maybe five or six employees for the first, oh, I don't know, two, almost two and a half years of the company. So we kept it very, very lean at the beginning. And our first kind of non-founding hire was actually a UX designer out of the University of Michigan. And that kind of early investment in user experience is what led to a lot of our you know, business and customer success of not necessarily building something, you know, new. I mean, you know, multi-factor authentication, again, had been around since the 80s. So it wasn't like we were attacking some fancy new problem or some fancy new solution. We were just trying to make what was a really poor experience just palatable. We had an early tagline that was, we suck less. That was really... That's ambitious. That was kind of the bar. Yeah. In security, the bar is kind of on the floor. So if we can develop a user experience that adopts a lot of the emerging trends at that time around consumerization of IT. How do you make it really simple? How do you make free trials and signups available so that someone can kick the tires on your product and not have to talk to a a sales rep. You can just plug in your credit card if you want to buy it. You can deploy it on your own in five minutes. You get to experience our dual push technology, which was one of the key innovations we had within the first 30 seconds of hitting our website. Our documentation is on the site, not behind a paywall. It's just a webpage with five easy steps. All these things are completely obvious for any kind of modern enterprise SaaS application these days. But back then, it was mind-blowing. for prospects that were coming in the door. So we really, as much as we built interesting technology to solve the problem of phishing and user-targeted attacks, we're more so kind of innovating on the business model side of things so that we could both build a really strong, kind of high-velocity, low-touch, inside sales, you know, telesales business for VSV, for SMB, for mid-market organizations. as well as kind of layering in the traditional kind of enterprise field sales model. So that kind of bimodal kind of go-to-market across all aspects of our business allowed us to process thousands of customer transactions a year on the loan of the business and then just kind of have the more lumpy enterprise six, seven-figure deals on the top half of the business.
Todd Gallina:It's great hearing that your third or fourth hire was a UX designer, you know, focusing so much on user experience. And shockingly, you're not the first co-founder who's mentioned that to us. That seems to be pretty important out of the gate.
Jon Oberheide:Yeah. And if you think about, you know, most people's, your average end user, their interactions with security technology are always so negative. I'm clicking on a link and I'm being told that I'm a bad user for clicking that link or, you know, I can't go to that website. I can't open that email. I can't do this or that. Like, I just want to get my job done. And I have security technology that's just yelling at me and, you know, telling me I'm a bad person all the time and doing things unsafe. So you can understand why, like, people reject security technology because it's always, it's never telling them good things. So, you know, Duo was that, as one of our customers says, it's kind of the spoonful of sugar that helps the rest of the medicine go down while the other painful security controls. Like, Duo's in your face, but then it just gets out of your way so you can, you know, get your job done. So that investment in people-centric security was so important because we were building security for humans, not machines or infrastructure. And so our first hire was kind of a good precedent for what now is basically a really strong ratio of one designer for every six software engineers, which is very rare. It's rare even for consumer-facing companies like Google or Apple and so on, but especially for B2B technology companies, especially security companies.
Dug Song:Well, and certainly the industry changed around you, a lot of that, because you were helping to change it. As you guys started developing, did you guys have to do any of those massive pivots? Or did you guys just say, no, look, here's what we're doing. This is our true north. We're going to stick on this path. How did you guys handle that?
Jon Oberheide:Yeah, I'd say there wasn't any pivots necessarily, but there was definitely... some bets that we had to stay true to. One of those is not rare for cloud companies, which was believing that cloud adoption was going to continue and that not building on-prem software was the right bet to make. And so that was an assumption that we had challenged, been challenged on many times as we were starting the company off in the early years. Organizations that said, no, I would never I've never outsourced my authentication to a cloud service. Of course, they said the same things years before about I would never outsource my email to the cloud. I'd never outsource my productivity to the cloud. I'd never outsource my firewalls to the cloud and so on. As we know, that has changed pretty dramatically over the past decade. So that was a tough one to swallow and say, hey, now this is the right thing to do. Let's channel our inner Benioff and stick with a SaaS delivery model as opposed to, kind of chasing some of the more conservative enterprise deals or verticals that at that time it was a kind of untenable approach for them.
Todd Gallina:John, for many founders, you know, the early stages are pretty easy. In your case, you connected with Doug. You made a few key hires with UX. You were up to five people by the time you really started to ask for money. But then you've got to scale and you got to scale pretty quickly. Did you discover anything personally for you as you started to scale the company? Was it difficult? Were there some lessons you could share?
Jon Oberheide:Yeah, you know, we started Duo with kind of the premise of like, we're going to do the right thing. And that was a number of different double clicks on that. But it's like, think of all the ways that security vendors treat their customers, basically do the opposite. So, you know, we were really kind of fed up with with the industry of kind of the defeatist attitudes of like, you know, it's not a matter of if, but when, you know, your breach happens or the attackers are already in, what are you going to do? And it's all this, you know, very kind of threat-centric, navel-gazing, defeatist approach. And we wanted to kind of flip that on its head and say, hey, like, you know, our job is not to necessarily like spend all our time threat hunting or trying to figure out if this was like Russia or China. It's like our job is to make our employees productive, allow them to do their job in a safe and usable way. And we want that the same great experience that our customers and end users have with the product. We want them to have that great kind of positive experience with our company as a whole, the way that we work. market to them, the way that we sell, the way that we onboard them, make them successful and allow them to grow on our platform. Even the way that they go through procurement and our contracting process. We wanted to design the company around that customer journey, not just the product, not just a portion of their experience, but make sure that we had designed their experience and interactions across that full lifecycle. I think that's a kind of knowing, having that gut feeling for like, this is the right thing to do for customers is a little rare in the security space. Like to use an example that we use internally in our onboarding presentations for new hires, there's a lot of ambulance chasing in security.
Dug Song:Oh, for
Jon Oberheide:sure. There's a breach that happens, you know, that CISO, their phone is ringing off the hook. They're being called by, you know, sales reps and ADRs from every security company. And the sales reps are trying to tell that CISO, you did a bad job. And if you'd only bought our products, you would have not had this breach. And it's kind of created this environment where CISOs hate talking to sales reps.
Dug Song:Oh, sure.
Jon Oberheide:And they don't want the inbound. They don't want someone to tell them what they should be knowing about different product categories or whatever else. And so we said, hey, when a breach happens, what does that team, what does that organization actually need? They don't need us calling them and pitching our products. They can come find our products anytime if they're interested. And so our sales team, instead of cold calling them, they would send pizza. We called it our pizza play. When a breach happened, we would say, yeah, we send pizza and we send a case of five-hour energy. And we'd send it to the security team. We'd say the note that said, so sorry, you're experiencing this. I hope this helps your team through this incredibly challenging time. feel free to call us if you aren't, when you come up for air, if there's some way we can help. And, you know, it's just kind of like one, one example, but that was what we drilled into our team is that level of customer empathy of like, really think through, uh, how do we help a customer, you know, multiple times before we ask them to do anything. And we had that kind of empathy first approach across all the different functions in our organization to make sure that we were truly partnering with our, our customers. And, um, you know, we are in the authentication space, but we really want to be authentic in our brand and in our marketing. That's why our logo and our colors are green instead of like red and black and scary colors. And so that kind of came through, kind of seeped through the pores of all parts of our organization.
Dug Song:Well, and, you know, you guys have continued that after acquisition by Cisco. Tell us a little bit about the acquisition, right? I mean, when you were first getting the initial funding, did you guys kind of talk about, hey, maybe one day we'll sell or maybe one day, you know, we're just going to keep growing at Infinitum? Or how was that all laid out?
Jon Oberheide:Yeah, it's funny because, you know, there's always, you know, anytime there's like a fundraising round, there's always like an interesting inflection point of like, you know, okay, you're signing up for some more implicit expectations of the company, of your investors, of your employees with each new financing round and each new valuation bar you're setting. We always had opportunities to get off the train a little earlier, but there's just still so much opportunity ahead of us in terms of our growth, in terms of the need in the industry. We saw no No kind of, you know, kind of slowing down of the opportunity for sure. I mean, we went through many years of hyper growth where we're tripling our ARR and doubling our headcount, kind of growing at the fastest pace that we possibly thought we could responsibly without kind of the organization falling apart. You know, this challenge that of even just still that, putting aside kind of zero trust and IT and security kind of transformation, with cloud and mobility, even just like the MFA market opportunity, we still see so many organizations that do not have kind of full wall-to-wall deployments of MFA, either because they don't have the skills or the resource, or they don't have a solution that's kind of scalable and usable enough for all those use cases. So this problem is global. This problem crosses every segment, every vertical. And as we were kind of on this IPO kind of standalone trajectory, that's when Cisco started kind of coming at us with a lot of interest. And we had raised a small bit of our D round from Cisco Investments. We had some engagement with their company, but it wasn't until 2018 that it started getting a little more serious. And we started seeing that this this opportunity to kind of scale the distribution of our products. The market need was there, the technology was there, and we looked at Cisco's massive channel, including folks like yourself, as this great opportunity to be able to really get at our mission of democratizing the security, going from maybe a couple hundred sellers on the Duo team to 300,000 sellers in the field through Cisco's direct and partner network. And that was something that was, you know, kind of a, you know, very attractive proposition to say, Hey, how can we, how can we continue to do what we're doing? Just having completely different kind of order of magnitude, like not 10,000 organizations, but hundreds of thousands of organizations. And that that along with certainly, you know, shareholder return to our investors, as well as kind of the right home and kind of platform for development for our people that had joined us on, this crazy journey, it checked a lot of those boxes, which led us to consummating the transaction.
Todd Gallina:So Trace3 was a big fan of Duo even before Cisco, but you're right, that does kind of pour some hot lava on the ability to introduce Duo to new customers. How much has changed during the acquisition? Did you guys physically have to move an office? Do you guys still feel like you've been able to retain that culture? We totally understand that. the ability to have more access to resources and customers. But has there been a big change from a culture perspective for you guys? Yeah, in a lot of
Jon Oberheide:ways, we took the dual organization and we just kind of plugged it into Cisco Security Group. And that's been, you know, as Cisco goes on this journey from, you know, hardware to software and on-prem to cloud and, you know, perpetual licensing to SaaS. Those are all things that Duo represents. So not only have we had the opportunity to kind of latch on to what Cisco's doing in terms of the distribution, there's also been interesting opportunities for us to help other parts, other groups, other BU's within Cisco figure out how to operationalize kind of software selling and a SaaS business model that kind of helps groups beyond our own. So it's kind of a bi-directional sharing of value. So there's plenty of Plenty of companies that will acquire you and just pull you apart into little bits and everything just kind of dissolves away. The inverse in this case where Cisco is not only buying us to keep growing our business and product, but also to learn from our team and what we've been able to do so far. So it's kind of that balance of trying to keep it whole and keep it successful while spending the time to learn from the company and figure out what could we be doing That's more like Cisco. And what can Cisco be doing that's more like Duo's standalone?
Dug Song:Well, and of course, the whole, as we mentioned before, kind of this whole industry shifting, but especially recently, there's been a renewed focus on the endpoint, as you mentioned earlier, with remote workforce and so forth. No one's got a crystal ball, but I mean, if you were to kind of look down, say by the end of the year, into next year, what are some of the big changes we're going to see in security, both from the consumer side and even from the techie side?
Jon Oberheide:Yeah, I think, you know, that's a good point around the, you know, some of the thought process around the acquisition is Cisco has a very kind of wide breadth of a portfolio, right? And there was kind of a big gap in terms of, you know, identity and authentication for sure that Duel was able to fill. But we are able to partner up with some of the other assets in the portfolio that are really interesting to us, like Ant for Endpoint, which, you know, we can say, hey, you know, we know who the user is on the other end of the device, but is the device secure enough? Is it healthy enough to gain access here? Is it heavier endpoint security agent on it? And certainly Cisco has the massive market footprint in terms of remote access with AnyConnect VPN. We saw those as other areas where we can help pull together a platform of security that serves a much broader need of our customers away from a bunch of different point products or solutions that they might get elsewhere on the market. I think that the trends over the next 12, 24 months, particularly in light of kind of the COVID kind of work from home transition. I think that'll become even more important is how do you provide that secure and usable remote access? Then how do you consolidate some of your spend and your vendor relationships with someone like Cisco that can provide the full solution at a time when your company is facing challenges? probably some cash crunch that's trickling down into IT and security budgets. How can you pick one strategic vendor that's going to solve more problems for you over
Todd Gallina:time?
Jon Oberheide:Oh, yeah,
Dug Song:definitely.
Todd Gallina:So, John, we've mentioned a bunch of times that you've hailed from the University of Michigan, but there are rumors out there that as a customer, you have engaged with Ohio State. Is this true? It
Jon Oberheide:is true, actually. The Ohio State University became a customer recently. before my alma mater, University of Michigan. So it's a little tough, but we love all of our customers equally. And actually the CISO over at OSU, Helen Patton, we have different personas that our design team came up with. And our persona for CISO personas is named Helen, after Helen over at OSU. We're big fans of her and the program there. And, you know, the EDU space is one of the many great verticals we have across our customer base. You can say that you serve the entire Big Ten. Almost the entire Big Ten. I think we're
Todd Gallina:missing one school. One school, I won't name them. Okay. You don't want to call them out. Hey, so this has been great. Thank you so much for joining us. Is there anything that we didn't ask you or anything you'd like to share with our listeners, John?
Jon Oberheide:The thesis that we started Duo specifically with of like doing the right thing for the security industry can be applied in a lot of different ways. But I think that in starting a company and operating, your integrity is everything, especially in the security space, but in any startup space. Encourage folks to think through that when you're building and growing your company. If you do the right thing, you'll come out on the right end one way or another. So that's definitely guided us as we thought about all decisions of our business, the way we treat customers, the way we to our employees and our stakeholders. Well, the
Todd Gallina:company's had tremendous success, John. So well done. And thank you so much for hopping on the podcast with Mark and myself. It's been great.
Jon Oberheide:Yeah, it's been great to chat with you guys. And this is perfect timing because my son is now coming upstairs to say hi. He has a video set. Yes, I love it. Nice. Awesome.
Dug Song:Yeah!
Jon Oberheide:Well, thanks so much, guys. It's been great.
Dug Song:We'll talk to you later. Thanks, man.
Jon Oberheide:Thank you, guys. Thanks so much.
Dug Song:Bye-bye.
Outro:Trace3 is hyper-focused on helping IT leaders deliver business outcomes by providing a wide variety of data center solutions and consulting services. If you're looking for emerging technology to solve tried and true business problems, Trace3 is here to help. We believe all possibilities live in technology. You can learn more at trace3.com slash podcast. That's trace the number three dot com slash podcast.
Todd Gallina:Until next time.