Sitting Down With DNSFilter's Newest Board Member, Jon Oberheide
by Serena Raymond on Aug 11, 2023 10:08:54 AM
Recently, DNSFilter's Director of Content Marketing, Serena Raymond, sat down with our newest member of the Board of Directors, Jon Oberheide. In this discussion, Serena and Jon touched on everything from Jon's experience as CTO and co-founder of Duo Security, to the flaws of the cybersecurity industry. Some responses from this interview have been slightly edited for clarity.
Serena Raymond: Hi there, I'm Director of Content Marketing at DNSFilter, Serena Raymond, and I am joined by former CTO and co-founder of Duo Security, Jon Oberheide, who's recently joined the Board of Directors here at DNSFilter. So Jon, thanks for taking the time to chat with me today. We're really excited to have you, literally, on board.
Jon Oberheide: Yeah, thanks Serena. Good to chat. I like the puns.
SR: I'm here for the puns. So the first question that I have for you is what led you to joining DNSFilter’s Board of Directors? Why did you ultimately decide to join?
JO: First, the quick backstory. I was the co-founder and CTO at Duo Security and was fortunate to build that business over 12 years through acquisition with Cisco in 2018. I left in 2021 and I really found the experience of a lifetime, a lot of great learning through that journey. I kind of saw the next phase to try to give back to the next generation of founders that went through that same experience that I had, especially those years of sort of scaling and hyper growth. So in this current phase of my career, I'm trying to give back to those founders and companies through board service, particularly for high growth companies in that 10 million to 100 million phase. So I connected with Thomas Crane, who's a partner at Insight. He's a prolific security investor. And he mentioned that DNSFilter was looking to find an independent Director.
So that interests me: A cybersecurity company that's in that target range and looking to expand their board beyond the set of investors they had from their fundraising rounds. And so that was how I came to DNSFilter, and just started digging in from there. Through conversations with Ken, who's co-founder and CEO of DNSFilter, and the broader management team, as well as the board, I started getting more positive momentum and positive feelings, and really started liking what I was finding and seeing about the business.
I think of it in three different buckets. One is the product. Like, DNSFilter is the leading product in the protective DNS space. From a business perspective, it’s a high growth, very efficient business with a very diverse go-to-market. And most importantly, DNSFilter has happy customers. I think back to my days at Duo, the most fulfilling part of the job was seeing the success that our customers had.
And in the security space, there's lots of bad products out there, bad vendor-customer relationships, and bad user experiences. So to find another company that had such a fanatical customer love and adoption was really important for me. And maybe less on the business side, but more on the personal side, I think that founder chemistry and alignment is so important. I found that with Ken. I found it with the leadership team. I found that with the rest of the board. And life is too short not to work with great people. So that experience of going through the process with the team was really, really validating. And that's the reason I decided to come on board.
SR: That's really cool to hear. And I agree, I'm a little biased, but I think we have a special team here at DNSFilter. We're a very customer centric company. When our customers say things, we care. And nothing's cooler than getting to hear from customers about how they're using the product, what successes they've seen, and also the feedback and like, what can we do to make your lives easier? You know, IT headaches and cybersecurity headaches are universal, so anything we can do to make those easier.
JO: And it's unfortunately rare to find security companies that customers like or love, that they don't hate. We have a long history in the security industry of building companies and products and relationships that have just resulted in a very negative culture and negative experience. So it's great to see companies like DNSFilter trying to turn that around.
SR: I know you touched on this a little bit in answering the first question, but I was curious, are there any similarities that you see between DNSFilter and Duo Security and when you were building that?
JO: Yeah, well, our mission at Duo was democratizing security by making it easy and effective. And maybe that seems a little cliche, like every startup is trying to democratize whatever they're doing, but we were pretty serious about it. And what we meant by democratizing security was bringing security controls and technology to organizations of all shapes and sizes. That's anywhere from a down market mom and pop coffee shop that has a security burden because they accept credit cards. To your global financials, your Fortune 100, your US federal customers—and everybody in between.
So that was how we started at Duo: How can we bring technology that applies to all these different organizations, which have wildly different requirements? But it makes sure that you focus on something that is baseline and fundamental in the security space, that every single one of those users, every one of those IT or security administrators, every single one of those organizations might have.
And the second part of that mission statement of being easy and effective also sounds cliche, but as we talked about, a lot of the security industry is full of products and experiences that are not easy to use, not easy to deploy, not easy to manage, and that don't actually solve the problem. There's a lot of snake oil in the security industry. So we wanted to focus on what are the controls that really move the needle for security teams out there. And you know, I see a lot of that mission in DNSFilter. When you have a product that can go as far down as VSB, that can sell through MSPs and MSSPs, that can sell direct to mid-size and enterprise organizations, this very wide breadth of market and wide applicability to security teams across those organizations is exciting. That not only creates a lot of interesting challenges to solve in the business, like how do we build a one-to-one customer success program for enterprise customers, and how do we build a one-to-many program for all of our down market customers?
But it also is just an incredibly inspiring company to work for. You have this enormous market to go after, which is good for the business. You can serve tens or hundreds of thousands of customers and, you know, millions of end users. What else is more motivating than to make an impact that large across so many companies and so many industries? So there's a lot of things that kind of hit on all of the things I really enjoyed about my experience with Duo. All the things that DNSFilter is doing and how they built their business and how they went to market. That’s kind of my soft spot for what I like to work on.
SR: I love that. That's awesome. And you'd mentioned security controls a few times. What are a few fundamental security controls that you think CISOs and IT teams should be focusing on right now in 2023?
JO: I think I could be both a pessimist and optimist when it comes to security, maybe a bit more on the pessimist side. We've been dealing with a lot of the same problems for decades. And I think as an industry and from a customer perspective, there's been a lack of focus on fundamentals, as you highlight. And for customers, fundamentals are the basics of security. They might be the basics, but they're not necessarily easy. So we need products that help make those problems more solvable or tractable, especially for those organizations that just don't have the budgets or skill sets or talent to solve them.
On the optimistic side, I think we are making meaningful progress in security holistically. It's a lot more challenging and expensive for bad guys to go after organizations in the modern day. And I think it is not necessarily through developing new and fancy technological capabilities, but I think it is more of the focus on ease of use and a user-centric view of the world when it comes to security. You think about employees or end users in their daily work environment: They go into work at their organizations, they're trying to be productive, they're trying to do well in their job and do well as a business and some of the common security guidance is “don't click that link” or “don't go to that website,” “don't open that email,” “don't open that attachment.” Like that's what users do with their computers. That's how you use the internet. It's really hard to ask a user to be productive and do their job and yet walk some sort of tiny tightrope of security with these giant lions beneath them. And be cybersecurity experts when they're just trying to navigate the internet or navigate their inbox.
So that's where I appreciate products like DNSFilter where you're trying to protect against those user-centric attacks of phishing or ransomware or malware in a way that keeps the user safe, but then is mostly out of their way and allows them to be productive and do their job. And as I've just experienced over the years in the industry or with Duo, that ease of use turns out to be such a big deal and in some ways almost more important than the efficacy of the controls that you're deploying. Like how can you make it so that the end user is happy and productive and the administrators are happy and productive in their security outcomes as well? Keep those users safe but then get out of the way so quickly.
SR: Yes, we're not here to obstruct productivity at all.
JO: A CIO who talked about the evolution of security from the Department of NO to the Department of Secure Enablement. And I think that's a good progressive way that a lot of security teams operate in the modern day. But we also need vendors and security products that make that easier, that enable that philosophy.
SR: I absolutely love that, especially in a time where the number of tools of things that we use on the day to day, just to work, sometimes there are so many links out there that I need to suddenly trust. So to have something that can both guard against it, but also not stand in my way if I'm going to access it.
JO: Everyone out there has sat through a security awareness training program where it's like, double and triple check the hyperlinks that you click on to make sure they're legitimate websites. What? No, we can't expect users to analyze: Is that a lookalike domain? Is there typosquatting on that one? Is this a phishing site? The login prompt looks a little different. Maybe that's a phishing one and that one's not. That's just an unreasonable burden to put on end users to make them secure.
SR: Exactly. And also that can create a lot of paranoia where everything they're flagging to IT and just saying I don't know, should I trust it? Which is inefficient for the IT team and cybersecurity team.
JO: Yeah. It's a tough business we're in, you know? Most end users' interactions with security technology are always negative. You're clicking on the bad links or you're opening the bad attachment. And it's great to have an interaction with end users that's actually positive versus a negative experience. Like, hey, you're actually doing a good job, end user. Keep it up.
SR: Absolutely. So what do you think the future holds for DNSFilter?
JO: Yeah, so I've been on the board for a few months now. And as I mentioned, this is the most exciting phase of the company. The things I've learned about the organization both before coming on board, and now a few months in, is there's an incredible foundation to build on. There's a great product that's already in the market that we can continue to broaden its reach. There's a ton of growth opportunities ahead, a lot of different levers to pull to grow and sustain the search trajectory of the company. I like to say it's early innings for DNSFilter.
I'd say on the other hand, it's not all roses. In the macroeconomic sense, there's rocky conditions ahead for the economy, which impacts all our customers and the organization itself. Security is always a hyper competitive market, so we need to stay ahead with the efficacy, the performance, the usability legs up that we have on our competitors. And there's always a lot of hard work to do, inside and outside the organization. So you don't want to take that success that we've had so far for granted. But I see all those as positive, interesting challenges to work through and I'm excited to help where I can to build DNSFilter into an enduring company.
SR: Awesome. One last question for you. Is there anything that you want to see from DNSFilter that you haven't seen yet?
JO: In my experience at Duo, this is maybe the sort of greatest weakness question, but we were always a bit under the radar at Duo and we didn't talk about ourselves a lot. And I think a little bit was maybe a Midwest, sort of blue collar work ethic, and focused on just building a really quality business and let the score take care of itself. But we had an internal model of “get big before we get loud.” And I think there's some similarities with DNSFilter. DNSFilter is loved by its customers, but is otherwise a bit under the radar. It's this really high quality product, high quality team, high quality organization. And I appreciate that, the humility, but I also think we've earned the right to be a little bit louder about the success of our customers and the success of the business and the market that we're in.
SR: I completely agree with that. We'll definitely be getting a little bit louder in 2023 and into 2024. We have some cool releases coming up. So it'll be really exciting to share those with our customers and get into conversations about what those feature additions mean for them.
JO: I know it's a very glass half full softball answer to that, but yeah, I think it's well deserved.
SR: No, we appreciate that. Thanks again, Jon for joining me and very excited to have you on the board.
JO: No problem, thank you, Serena.
Watch the full interview between Serena Raymond and Jon Oberheide on our YouTube channel here.