Dug Song: Values over valuation—reflections on building Duo Security and leading with purpose
Episode 12 of the Inside the Network Podcast where Sid Trivedi, Ross Haleliuk, and Mahendra Ramsinghani bring you the best founders, operators, and investors building the future of cybersecurity.
Duo Security is the most remarkable success story in security, both in terms of its industry impact and financial outcomes. Duo spent less than $20 million to get to over $100M in ARR. When Cisco acquired Duo for $2.35B, it did so at the highest revenue multiple ever paid for a SaaS company (!).
Sid, Mahendra and I just published a new Inside the Network episode with Dug Song, co-founder and former CEO of Duo Security.
Here are six takeaways from our conversation with Dug I am still thinking about:
1. The most valuable companies aren’t always the loudest.
Duo spent less than $20 million to get to over $100M in ARR. The company was cash-flow positive almost every year (it didn't really need to raise). No hype, no your usual cyber startup buzz, just a disciplined, design-driven team solving a real problem.
2. Culture is the only real asset in a tech company.
Dug’s philosophy is simple: tech companies don’t have machinery or real estate, all they have is people. Culture isn’t a perk or a line on a slide. It’s everything. From hiring students and nontraditional candidates to building rituals of appreciation, Duo treated company-building as craft and it proven to be Duo's most impactful decision.
3. Great security should be invisible.
Duo didn’t invent the MFA. It made it usable. Dug sees security engineering and design engineering as the same thing: making the right thing happen by default.
4. In hindsight, success always looks obvious, but it never is.
Today, it’s easy to say “MFA on your phone was a no-brainer,” but Duo launched when the iPhone was still a question mark. Dug didn’t even believe the smartphone would take off but thankfully, his cofounder Jon Oberheide did. Duo’s success wasn’t inevitable. It was a leap of faith on unproven tech, built with discipline and customer empathy.
5. Security is broken, and we keep breaking it the same way.
Dug said it best: “A plane falls out of the sky the same way only once. But in security, companies get breached the same way over and over again.” The industry doesn’t learn, and that’s a call to action for every founder building in this space.
6. If you’re serious about security, you might have to leave it.
Dug left the industry after Arbor Networks, frustrated by snake oil and meaningless products. But he returned with a renewed sense of purpose, realizing that without deliberate effort and thoughtful design, the core problems in security would remain unsolved. He saw that unless someone took action, the 98% of organizations would continue to get breached.
This episode is a masterclass in values-driven leadership, capital efficiency, and building enduring companies with heart.
