Seven Things the Duo Founders Did Right
Lessons on building a great company outside Silicon Valley
It’s not easy to build a great company and being far from Silicon Valley can further complicate things. Some investors put pressure on startups to relocate to San Francisco. Yet, the founders of Duo Security managed to buck this trend by building a multi-billion dollar business in Ann Arbor, Michigan.
Duo was founded in 2010 by two security experts, Dug Song and Jon Oberheide to bring cybersecurity into the mainstream. They chose to start with two-factor authentication, a fundamental security practice that was well understood but not broadly used because of its complexity. I was lucky enough to have a front-row seat at Duo as Chief Operating Officer.
I meet a lot of startup companies beyond Silicon Valley and here are some lessons for companies based on seven things the founders of Duo got right. I’ll also speculate on one missed opportunity.
High Quality Investors
Duo raised its seed round in Michigan, but quickly set its sights higher. As the company grew, they raised from increasingly higher quality Silicon Valley investors who understood the value of growth and the advantages of a SaaS model. The B round was led by Benchmark Capital, among the most highly respected and strategic investors. Later investors included Google Ventures, Index Capital, Lead Edge Capital, Meritech, Redpoint and True Ventures.
Everyone Got Equity
If there’s one invention that has fueled the growth of Silicon Valley more than any other it’s stock options. I occasionally run into founders outside of Silicon Valley who haven’t fully absorbed the power of stock options to drive a growth mindset among employees. Duo gave stock options to all employees, from the receptionist to the C-Suite. Everyone understood the importance of building and growing the company. When Duo was sold to Cisco, 85 millionaires were minted, many in Ann Arbor. Sharing the equity has also helped drive regional growth and the development of a midwestern software ecosystem.
The Founders Aimed High
They weren’t looking to build something and sell it in a couple of years. In fact, the company turned down repeated early inquiries from Okta for a potential acquisition. To Duo’s credit they always focused on building a substantial company. Some of their competitors threw in the towel way too early, selling for under ten million, leaving the field wide open for Duo.
Bottoms Up Disruption Model
Duo wasn’t the first company to come up with two-factor authentication. In the early days, the founders were almost embarrassed that it was not a new approach to security and was widely available from companies like RSA, IBM and others. However, what the founders got right was the use of mobile technology in order to serve an underserved market. Instead of having to install software and distribute 2FA fobs, companies could use the technology everyone already had. The result was dramatically shorter installation, greater ease of use, leading to widespread rapid adoption. True to form, the incumbent vendors insisted no one would want security in the cloud, until it was far too late.
Run Experiments
Although we had a good thing going, Duo wasn’t afraid to experiment and try new things. And it was understood that not every experiment would yield great results. This enabled us to continue to innovate in marketing, in product, in engineering and in sales without fear of blame. If an experiment didn’t work, we killed it, learned from the process and moved on. Some of our best sales and marketing campaigns came from experiments. Early in the company’s history when we didn’t have a lot going on in Enterprise, we undertook an experiment on behalf of a potential healthcare customer to integrate with Epic Systems. Over the next two years, that became our fastest growing vertical industry yielding eight of our top ten largest customers.
Focus, Focus, Focus
In the early days, sometimes you have to close deals that are a little off-center in order to see what might work. When I joined, there were a couple of OEM white label deals that needed to be cleaned up. As we grew, there was no shortage of tactical opportunities that came up and we were able to stay focused on the core business.
We resisted temptation to go after market opportunities that were a distraction. In the early days that meant being completely focused on authentication rather than identity and walking away from so-called B2B2C deals, where a company, say in Financial Services wanted to offer two-factor integration to their customers. We kept an open mind, but we always ended up saying no to those kinds of deals because we knew it was a commodity business with lousy margins.
Expanded from Product to Platform
Part of the reason that Duo was able to grow at over 100% year over year was because of two related moves. First, the company expanded from an inside sales model to enterprise and channel sales. Secondly, the product line expanded beyond two-factor authentication to a broader range of security platform or suite. This enabled greater differentiation and larger deal sizes. It also helped make Duo less susceptible to commoditization from larger competitors.
Did we get everything right at Duo? No, not by a long shot.
We occasionally hired too fast, brought in new hires over internal talent, and neglected our overstrained infrastructure. But by getting the core things right, the company was able to grow at a tremendous rate. We also put a high priority on building a strong, collaborative culture and pushing decision making down in the organization, encouraging innovation and resilience.
If there’s one thing that arguably the company didn’t get right it was a missed opportunity to expand into an adjacent market for identity services. Security experts, as the founders of Duo were, are quick to point out that “identity is not security” meaning, these are two unrelated technologies. However, I think it resulted in a bit of a blind spot. Many customers saw these as related purchases, even though the technology was different.
While it made sense to stay focused on the security business in the early days and develop partnerships with identity vendors such as Okta, One Login and Ping Identity, we knew those companies had their eyes on two-factor authentication. As Duo grew past $100m in ARR, there could have been a play to acquire a smaller cloud-based identity provider in order to further extend our platform. I’m surprised that Cisco hasn’t made a move like this.
Still, it’s hard to argue with the results of a multi-billion dollar exit. Duo remains a shining example of great innovation and midwestern grit. The business continues to grow and is on its way to a billion dollars in revenue inside of Cisco.
How do you balance the need for focus against finding new market opportunities? What experiments have you run to help you reconcile these two views? What were the results?
From my brief glimpse as an intern in 2015, I can confirm a lot of this. Really, it was once I joined Amazon that I grew to appreciate Duo's culture and the speed it moved at (and Amazon isn't even that slow). Zack, when they brought you in, what were the big things you focused on first?