
A Platonic Dialogue On Security By Benchmark’s Matt Cohler


Editor’s note: Matt Cohler is a General Partner at Benchmark. He worked actively on the firm’s early-stage venture investments in Domo, Duo Security, Instagram, Snapchat, Twitter, Tinder, Uber, Zendesk, and others, and serves on the boards of many of these companies. He was previously part of the founding team at LinkedIn and was the seventh employee at Facebook. 

You don’t have a history in the security market. Why Duo, why now?

The security market has never been more important than now, of course. We’ve backed a couple of companies in this market recently at Benchmark, Duo and HackerOne, which is the leading bug-bounty marketplace and which was started by the people who first developed the idea of bug bounty programs at Facebook and Microsoft. But that being said, my partners and I tend to approach new opportunities in a bottom-up way, looking for specific attributes rather than making sector-level bets.

We like to joke about the old idea of “having a play in a space” — that’s not really how we think about things, although no disrespect meant to those who do. The most important thing for us is always an extraordinary founder and team of course, and Duo absolutely has that, but it was also the first enterprise security company I’d seen which speaks to the single-most important trend in SaaS applications right now: consumerization.

For several years, going back to when we were fortunate to lead the Series A at Uber in early 2011, I’ve had this idea that smartphones can be a kind of remote control for real life. The way the Duo mobile client app uses the push notification channel felt like a great example of that to me when I first saw it. It was a radically different experience from traditional enterprise security products.

You were talking about when you first saw the product. I’m always curious about how venture investors find these companies early on.

There’s no more interesting signal to my partners and me than when we start hearing about a company word-of-mouth from our other portfolio companies. Like with Zendesk when we invested in them in 2009, I started hearing about Duo word-of-mouth from other Benchmark entrepreneurs who were customers (and from other colleagues around Benchmark and from former colleagues at Facebook). And the more I heard about the technical reputation of the founders and of the technology they’d built, the more excited I got — it was reassuring to me as a newcomer to this market, and I know it’s reassuring to customers too.

Then, in talking to Dug Song and Jon “Jono” Oberheide, CEO and CTO of Duo Security, respectively, about the vision they had for what you could call people-centric security, that just intuitively made sense to me, and I guess it just clicked from there.

How is that something new or different?

Well the infosec industry was originally designed to protect physical spaces. Data centers sat inside locked skyscrapers. Chief information security officers — CISOs, in the jargon of the industry — bought firewalls to protect that data in private server farms. The threat environment was contained largely by physical perimeters and the metaphor was literally “firewalls.”

That’s floating away now, vanishing into the cloud and accessed by billions of devices, particularly consumer mobile devices, that the CISO no longer controls. In a world in which smartphones have made the Internet ubiquitous and cloud infrastructure has collapsed the cost of computing, companies need to rethink their approach to information security.

Traditional security isn’t very effective anyway. Estimates of the losses companies suffer from cyber-breaches start at half a trillion dollars a year. JPMorgan Chase acknowledged that it spent a quarter of a billion dollars on information security in 2014 alone, and that still wasn’t enough. How can it be that as companies spend more on security, breaches just keep getting worse? Gall’s Law! This is something I learned about from the team at Duo.

John Gall was a pediatrician with a practice in Ann Arbor, Michigan. He passed away in 2014. He published research on what makes systems work and fail, and he observed that complex systems that actually work are invariably found to have evolved from simple systems that had also worked.

Complex systems designed from scratch never work. You can’t make them work. You have to start over with something simple that just works. Given the enormous cost and complexity of modern security systems, how hard they are to use, and the shift of the threat environment driven by mobile, consumerization, and cloud computing, maybe there is an opportunity for new franchises to emerge that can better protect us all.

The companies hit hardest by recent data breaches – Home Depot, JPMorgan, Sony and Target – they were victims of something security experts call advanced persistent threats. These attacks succeed by infiltrating a computer network, snooping around as quietly as possible, and, over time, sucking out valuable corporate assets.

What’s interesting is that these attacks almost always start the same way, fooling an unsuspecting employee into revealing their login credentials – known in the industry as “phishing.” That’s consumerization of the enterprise! What it highlights is that the greatest point of vulnerability in today’s corporate world is not at the network or application level — it’s people.

A very simple process called two-factor authentication can stop these breaches almost every time. Two factor just means someone has to supply both a login password and some other piece of uniquely identifying information such as a PIN or one-time code to gain entry to a system or application. A good analogy is a bank card and a PIN. You need both to gain secure access.

This is where Duo got its start. The team recognized that incumbent security vendors had developed two-factor solutions that were just too hard to use and administer – quasi-shelfware. Duo made it simple and easy, taking advantage of ubiquitous smartphones for their original push implementation of two-factor authentication, without sacrificing security. So now true two-factor security protection is as easy and magical as pushing a button on your phone to get an Uber.

So what’s next? And speaking of what’s next, what’s going to happen to the price of bitcoin?

I don’t have a crystal ball. This shift to a mobile-centric, cloud-centric, person-centric world is opening up new distribution models and new product models and new business models for SaaS startups. We’ve seen that at Benchmark with Zendesk and New Relic in their markets and we’re seeing it with Duo now. There’s lots more room here, as this playbook is still being written.

As for Bitcoin, like I said, I don’t have a crystal ball. I can’t tell you for sure that it’s going to be huge, but I can tell you for sure that bitcoin and the Blockchain are among the few things that have come along since the Internet itself with what feels like unbounded platform potential and optionality. My partners and I are very optimistic.

Featured Image: faithie/Shutterstock