In 2008, Jon Oberheide founded Duo Security, which was acquired by Cisco for a reported $2.3B in 2018. As CTO, Jon led Duo on its mission to protect enterprises and data at scale. Today, Duo covers more than 35 million devices, 400,000 applications, and 800 million monthly authentications.
In his more than 12 years serving as Duo Security’s CTO, Jon Oberheide has had to reinvent his role and his leadership style to adapt to what the organization needed the most—from its earliest days to hyperscale. Throughout, Jon has not only been one of the most authentic leaders in tech, but has also applied contrarian thinking to build a product, team, and company that has reshaped the security industry.
He joined FirstMark’s CTO Guild, a private community for venture-backed CTOs across the technology ecosystem, to share some of the most important frameworks that have helped him succeed. While most of the conversation was off the record, here are two of the most important lessons from Jon and the Duo journey.
Framework #1: You can’t build a uniquely high-performing team if you do what everyone else is doing
In its early days, Duo was in some ways a difficult sell for engineering candidates. It was based in Michigan, as opposed to Silicon Valley. And the company worked in security, which some perceived as a staid and bureaucratic industry. Rather than attempt to compete for, and groom, the same talent targeted by Silicon Valley peers, Duo took a counterintuitive approach. They reframed how they thought about recruiting and—perhaps more importantly—talent management, in order to build a high-performing, high-retention team.
This contrarian approach began with a simple strategy: Duo would not compete for the type of high-profile engineers sought by dozens of its peers. Instead, they would embrace two things: first, identify talent outside of the coastal technology hubs. Second, make an early, meaningful, and long-term commitment to cultivating careers for engineers (meaning, providing ample resources and support to grow their professional and technical skills over time.) The consequence of these decisions was profound; Duo had engineering retention metrics that were off the charts. And, with its long-term investment in team member growth, saw compounding gains in teamwide efficacy and throughput.
One specific way that strategy manifested was through an early commitment to an internship program. Duo drew in countless talented students from the University of Michigan. In Jon’s words, “a program like that is a negative ROI for the first several years because you're investing more in the interns than you're actually getting in production. But if you believe that's going to be your core pipeline for early talent, it's worth it. You get to see them in action and even help shape their philosophy of what it means to be a software engineer.”
Another framework that served Jon well was a belief in “cultivating leaders who create more leaders.” Duo’s VP of Engineering was a perfect case study of what this looked like in practice. This VP had grown up with the organization; first as an IC, then as a Director, and eventually as VP. What was striking was that, in some ways, he did not spike on leadership dimensions that are typically recognized in a startup environment. But he spiked in an area of extreme strategic importance to Duo: the ability to create more leaders. Year after year, individuals who’d grown up under this VP’s leadership took on bigger scopes and bigger teams—he helped his team become more successful, and by becoming a leadership factory, enabled Duo to become more successful.
In many ways like these, Jon and his team were thoughtful about rejecting dogma. Of course, there are a large number of widely-accepted talent practices that can and should be adopted. But finding the right places to question accepted practices, be contrarian, and take alternative approaches are things that can help you find and groom talent that others may miss.
Framework #2: no matter what every company says, most are not as customer-centric as they should be
Consumerization of IT and product-led growth. Two startup-building concepts that, today, are borderline cliches. It’s common wisdom to build products that are simple to use, elegantly designed, low friction to adopt, and that enable both top-down and bottoms-up selling motions. When Jon founded Duo, however, these were novel ideas. And by being early practitioners of both, Duo charted its own course to reshape the security industry.
While we share some specific stories from the Duo journey below, the more generalized lesson is that leaders should always reflect on where the world is evolving to. What else is changing or will change about how customers identify, evaluate, and buy solutions? How can you meet those customers’ needs faster and earlier than your competition?
From its earliest days, Duo understood that people wanted to have more agency in how to buy and use software, and apply it to one of the least consumer-friendly industries: security. So what the team set out to do was take advanced security technology, traditionally reserved for the “0.1% most sophisticated” organizations, and bring it to everyone. To do that, they needed a product that customers could purchase and use without having 0.1%-level information security leadership. Thoughtful product and go-to-market decisions flowed naturally from these simple and powerful principles.
“Our goal was to demonstrate that Multifactor Authentication [MFA] doesn’t have to be painful. We built an incredible onboarding experience… you could try the product within 60 seconds of visiting our website. Within minutes, you could send it to colleagues to try it out too. Pricing and documentation were all available on the website. And within minutes or hours, you became a Duo customer… and our competition, which could take days, weeks or months to do all of this… they hadn’t even responded to your email yet.”
One very specific principle that Jon and Duo embraced along these lines: your customer should never feel your org chart in their product experience. For countless companies, it becomes painfully and abundantly clear where there’s an organizational handoff. This can manifest anywhere: significant product differences between your marketing site and your actual product, personnel handoff between sales, legal, and customers success teams, and beyond. What customers want is a product and buying experience that is smooth, frictionless, and consistent; so give it to them.
The key to creating this seamless customer journey is to make it a shared responsibility. At Duo, they have a strong user research function that goes deep into the customer environment to see how they operate the product. The team is then tasked to pull together all the different functions of the company to figure out how to improve the customer experience. A great example of this synergy was when Duo’s Legal team actually went to the Product team to tell them that they could remove a legal control because they understood that users were getting confused by it. In most organizations, the Legal team suggesting the easing of a constraint would be unthinkable. For Duo, it was evidence that their focus on the customer experience was working.