Song is best known as the guy who started and nurtured a cybersecurity company worth billions in Ann Arbor, MI—outside of the big, traditional tech hubs. Duo’s $2.35 billion acquisition by software giant Cisco (NASDAQ: CSCO) in August represented the biggest exit by a Michigan venture-backed company in modern history.
Song is also beloved around these parts due to his commitment to being a connector and doer in the local startup ecosystem. I recently spoke with him, and followed up by e-mail, to flesh out his personal journey and the story of Duo.
He landed in Ann Arbor in the ’90s to attend school and from there served in a number of leadership and advisory roles at various tech companies. In 2008, he founded a2geeks, a nonprofit supporting Ann Arbor’s startup community. Tech Brewery, a startup co-op community, came a year later. The monthly meetup held by a2geeks regularly attracts a packed house and has likely launched hundreds of collaborations. More recently, he’s turned his attention toward building skateparks in Southeast Michigan. Ask anyone with inside knowledge: much of the growth of Michigan’s technology industry in the past decade can be directly linked to Duo’s success and the broad mentorship of Song and his team.
An ardent freethinker, Song also retains a maverick stripe, perhaps an artifact of his youth as a punk rock-loving skater and editor of an urban exploration zine (scroll down to the entry under 1994). Growing up in Maryland, his first work experience was doing data entry for his dad, whom he calls a “fellow geek” and gadget lover, at the liquor store he owned in West Baltimore. It was during those early days that Song got his first inkling that he had a gift for hacking.
“It was exploration more than hacking,” Song says. “It was getting to see things and have conversations with people not limited to my backyard.” That same spirit of exploration also drew him to skateboarding. “I’ve always enjoyed the culture of skating and DIY folks creating their own brands and products. I was going to build a skate company, but I built a tech company instead.”
The turning point? He was a member of w00w00, a turn-of-the-century collective described by TechCrunch as “the billion-dollar hacker club” that also included Napster’s Shawn Fanning and WhatsApp founder Jan Koum. Rather than seeking to cause mayhem, w00w00 was essentially a team of volunteers hacking the security systems of various entities to demonstrate vulnerabilities. “It was a big group and a lot of interesting work,” he recalls.
Thanks in part to his w00w00 membership and work he did right out of college for security consulting firm Anzen, Song scored a job in the early 2000s as chief security architect at Arbor Networks, a Burlington, MA-based cybersecurity firm that spun out of research done at the University of Michigan. He felt comfortable with the company’s bohemian culture. “There were a number of folks who didn’t wear shoes, or wore tie-dye,” he adds with a laugh.
One of his projects at Arbor involved setting up a “honeypot” on its network to lure hackers and test the system’s security. “It was like a burglar alarm accessible through the wireless network,” Song told CNBC. “We wanted it to be interesting enough so it could be our canary in the coal mine.”
The honeypot proved too tempting to resist for 17-year-old Jon Oberheide, who, while working at the Starbucks below Arbor’s office building, took the bait and broke in. Oberheide’s hacking skills impressed Song to the point that he gave the teenager a job at Arbor. Oberheide went on to become Song’s Duo co-founder when the startup launched in 2010, not long after Arbor Networks was acquired by Tektronix. (Tektronix was later bought by NetScout in 2015.) Song spent a total of seven years at Arbor Networks, until it began moving toward acquisition. “It started going in a direction that didn’t appeal to me, so I left to do something different,” he says.
He then did a two-year stint as the vice president of engineering for Zattoo, a Zurich-based peer-to-peer Internet TV platform led by people he knew from the University of Michigan. “It wasn’t a business that could scale in the United States because of the regulatory environment,” he notes. “But it continues to be successful today.”
From there, he spent a few months helping Ann Arbor’s Barracuda Networks (NYSE: CUDA) perform technical due diligence on two companies it eventually acquired ahead of Barracuda’s 2013 initial public offering. Song says he realized the enormous scope of the world’s cybersecurity challenges while at Barracuda, which sells security, networking, and storage products with a focus on the public cloud.
Around this time, he began plotting the creation of Duo in earnest, drawing on these past work experiences for inspiration. “I left to build Duo and go after a broader market,” he says. “A lot of the experiences I had led to the design of Duo and doing cybersecurity in a very different way. At Zattoo, there was a strong focus on usability and accommodating the user’s workflow to make it frictionless,” an approach he wanted to apply to cybersecurity. “So with Duo, could we rethink what cybersecurity looks like?”
Part of that involved rethinking what cybersecurity would look like for a modern bring-your-own-device workforce. Duo wanted to create a security system so easy that end users would be happy to use it, saving IT administrators time and money. “It was a much more holistic approach,” he says. “Businesses have become new targets as their digital transformation brings their customers’ worlds, and data, into theirs.”
Duo’s software hinges on multi-factor authentication, a process to confirm a user’s identity through a second device, like a smartphone, or through a piece of information only the user has. Duo’s technology can also check the health of its customers’ devices, and block access to those deemed risky. Its customers include some of the world’s biggest tech companies, including Facebook, Etsy, Yelp, and Zillow.
“It’s unified access security, instead of cobbling together 10 different products,” Song explains. “It ensures the right person with a safe device is accessing networks and data in the right way. The reason I got into this is because I saw a problem that wasn’t getting addressed.”
Duo realized that spam, phishing, targeted malware, and other attacks were increasingly directed at users rather than systems. “To succeed [in that environment], you have to make cybersecurity usable,” he says. “To do it well, you need a very different approach. I drew on what exists here in Michigan that others don’t have.”
The Great Lakes State has always excelled at building things for people, whether those things were fur coats made from pelts captured by voyageurs on our lakes and rivers, or trinkets hammered out of copper pulled from the Upper Peninsula’s cliffs, or breakfast cereal, furniture, cars, and even the industrial supply chain itself. Song wanted to tap that spirit and work ethic as he built his company.
“Michigan is a really interesting proving ground for innovations that improve people’s daily lives,” he points out. “The culture of Michigan is exported in such a big way around the world. We’ve given the world so many different platforms to build progress. It gave us confidence, too—what do we want to represent? We want to be that kind of brand, to carry on real relationships with our partners and customers where they don’t just love us, they trust us. It’s not just about what we do, but how we do it.”
Some of Duo’s design DNA comes by way of West Michigan’s furniture industry, which made the region a mid-century powerhouse. “They were building easy, elegant things that people loved. That’s the differentiation—people love our products,” he says
Not that building a cybersecurity company outside of Silicon Valley, or Boston, or the DC area was easy. “Our first would-be investor said they’d do a seed round, but to be successful, we’d have to move,” he says. “We turned them down.”
Instead, they found investors who understood that Duo was in Ann Arbor to stay—and began growing quickly.
Acquisition was not the end goal when Duo was founded, Song says. “When Cisco came knocking, we were not looking [for a buyer], but we saw the transformation of what they’re going through as a company.” Cisco’s ubiquity made it an especially intriguing prospect. “We had 12,000 customers, and they had 800,000. They are the network. They built a lot of the Internet’s physical infrastructure and saw an opportunity to extend security where attackers are going after people beyond the bounds of the network.”
The deal with Cisco happened “very fast,” Song says. “Their tech met our roadmap and vice versa. It’s remarkable how complementary our paths were.” Together, he says, the two companies offer “a complete picture of security through a unified approach.” (Of course, many tech acquisitions don’t end up delivering on their promise, so a lot remains to be seen of Duo’s integration.)
Duo announced in August that Cisco had made a purchase offer of $2.35 billion, a deal that was finalized in October. Duo retained all of its 700-plus employees as well as offices in Detroit and Ann Arbor; Austin, TX; San Mateo, CA; and London. Song’s title post-acquisition is vice president and general manager of Duo Security.
“Everyone at Duo has come over to Cisco, in all our locations, and we’re continuing to grow as a business unit within their security business group,” Song says. “Our long-term ambition is to help reshape the security industry at large—we just get to do it faster together with Cisco.”