This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

One of Duo Security’s core values is “Building for the future,” which can feel like a big goal to work towards. Because designing products in the security space is complex, the first (and ongoing) step I take to work towards this value is staying organized. There are several tools the Duo design team uses to organize ideas, meetings, and decisions.

As a product design intern at Duo, I mainly use three types of tools — document space, whiteboard, and calendar — to accomplish my tasks:

Tool #1: Document Space

Product design includes a lot of documentation, and tools that keep track of documents in one place help with keeping things in order. My app of choice is Notion, but other options (like Coda, Google Drive, Microsoft OneDrive, Dropbox, etc.) can work just as well.

My biggest consideration when choosing where to keep documents was how accessible the tool is for me and the people I work with. I went with Notion since most people on the Duo design team were already using it, and I was familiar with the tool and its capabilities. Each team uses Notion in the way that works best for them — here’s how I use it!

This is what my Notion space looks like!

The Duo Design Notion Workspace is divided into different teams. Under my design team, I created my own space. The space I use the most often within this Notion page is my own Kanban board. I use a Kanban board since it makes it easy to see all my documents and tasks in one page. I organize everything by the status of each task I have to complete.

A recreation of my Kanban board, included in the template.

If you’re looking for a starting point for your internship or project organization, you can duplicate this template and customize it to fit your own needs! Some pages that could be helpful to add:

• 1:1 notes with your manager

• Your internship goals and progress

• Research folder

• Personal notes

You can also easily edit it to fit a larger team’s needs by adding Assignments to assign people to tasks, and tags to help differentiate between different projects.

Tool #2: Digital Whiteboard

Designing for security means dealing with lots of complexity. Using Figjam (or any other whiteboarding tool, like Mural or Miro) is a great way to gather all your ideas before tidying them up.

The FigJam iPad app lets you sketch loose and quick wireframes at a low-fidelity level to help get your ideas out quickly. Sketching with pen and paper and inserting sketches into the file later works just as well. After sketching and ideating, dividing the file into sections helps with organizing the different ideas that came up.

The structure of my FigJam board.

One benefit of having a digital whiteboard is that it facilitates conversations between you and your collaborators. My mentor and I used FigJam to do a design jam session using the pen, sticky note, and timer capabilities, which helped us flush out and discuss ideas easily.

We worked directly in an existing file, but there are also pre-made templates that can help with brainstorming, user journey mapping, and any other purpose you might need.

Tool #3: Calendar

Your digital calendar can be a great tool to organize your time. I set a recurring, tentative “Focus time” event in my calendar at the beginning of my internship. This signals to collaborators to select other times to book meetings. This worked well for me — I booked out every Wednesday for focus time, which often gave me the entire day each week to do heads-down work!

At the beginning of the day, I sometimes schedule events within those blocks to work on specific tasks to help me stay on task and keep track of the time I allot to each project. Having the calendar open helps me mentally prepare for the things I am aiming to accomplish for the week.

Blocking off tentative focus times to work on projects.

I previously just used my digital calendar to keep track of meetings with other people, but adding my own personal “events” to work on specific tasks made those meetings more productive — It helped me to finish necessary items in time to prepare to discuss them with other people.

Moving Forward

When I first started my intern project, setting up my document space, digital whiteboards, and calendar helped me gather all the things I needed to do my best during my product design internship. I hope that using or remixing some of these tools and templates helps you too!  

Duo Security is honored to be a 2022 Top Rated by TrustRadius cybersecurity product in the Authentication, Cloud Computing Security and Single Sign-On categories. With an outstanding user interface and experience, a wide range of use cases and extensive scope of deployment, Duo’s multi-factor authentication (MFA) cybersecurity product suite is beloved by its users and by the thousands of companies it protects, from the retail industry to the financial services sector – even academia and K-12.

What is a TrustRadius Award?

Since 2020, Cisco Secure Access by Duo has earned impressive marks from TrustRadius’ buyer intent software platform, which distributes its awards with the intention of helping organizations compare and verify the quality of software products.

What makes earning a TrustRadius accolade impressive for Duo?

Unlike some awards that rely solely on the breadth of public relations (PR) campaigns and media pitches, Top Rated by TrustRadius awards are determined exclusively by verified consumer reviews. The organization states that “there is no paid placement or analyst opinion.”

For Cisco Secure Access by Duo, this means that our customers have had outstanding things to say about Duo as an authentication MFA and two-factor authentication (2FA) provider. They’ve also praised its cloud computing capabilities and ease-of-use as a single sign-on (SSO) vendor.

Duo Security is named Best of Authentication in 2022

One of the most trusted sources for business to business (B2B) software insights, TrustRadius has also collected additional data on the Duo authentication app’s customer experience. Our impressive scores have subsequently earned us three additional Best of Authentication 2022 awards including Best of Feature Set, Best of Relationship and Best Value for Price.

TrustRadius’ “Best of” awards, much like the Top Rated awards, are based entirely on verified client reviews. There are three specific categories, all of which are areas of recognition for Duo this year:

Best of Feature Set 2022

With scores based on the product’s comprehensiveness, Best Of Feature Set awards are given to products with extensive and autonomous suites of features. A customer will give high scores to a product with a wide range of features and applicable use cases for said features.

“Cisco Secure Access stacks up well with competitors like PingID; the user interface is simple and easy to use. This solution is very scalable and could be utilized by organizations of any size.” - Dustin Howey, Digital Marketing Consultant at DH Marketing in a TrustRadius review of Cisco Secure Access by Duo

Best Value for Price 2022

Best Value for Price awards are given to companies that rank high in consumer scoring of a product’s initial investment price, deployment and training costs and, of course, return on investment (ROI).

"We will have a smaller attack surface which will provide us the ability to better spend our budget on directed improvements instead of having to cast a wide net." - Sean Muller, IT Security Manager at Paraco Gas Corporation in a TrustRadius Review of Cisco Secure Access by Duo

Best of Relationship 2022

Best of Relationship is an award for products that maintain excellent consumer ratings in “Would Buy Again,” “Implementation Expectations,” and “Sales and Marketing Promises,” which speaks to both the integrity of the brand and its ability to deliver on its promises, as well as its self-service capabilities.

"Duo Security helps me sleep better as I worry less about an external attacker gaining unauthorized access to my network." - Jeff Robinson, Chief Technology Officer/Director of IS at Hattiesburg Clinic in a TrustRadius Review of Cisco Secure Access by Duo

Duo Security Wins at TrustRadius

TrustRadius awards speak volumes about both customer satisfaction and the overall quality of a product. Duo Security is honored to have earned Top Rated, Best of Feature Set, Best Value for Price and Best of Relationship in 2022 and seeks to continually achieve these ratings in years to come.

Discover Duo’s numerical scores, real customer reviews and satisfaction ratings on TrustRadius

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

The “Work-from-Home" era began in March of 2020, but where was I when everything shut down? I was a mere Junior in High School. The main worries of prior graduating classes were the SAT and college applications. However, most of them never had to think about when they would be allowed to go back to school. What was initially advertised as a “2-week vacation,” turned into a 2-year(plus) social desert.

I would like to think that is the reason I was afraid to start this job as an intern at tech company Duo Security, along with a hint of imposter syndrome from being young. Do not get me wrong, there were some perks to being remote – like being able to talk to college recruiters thousands of miles away, but there was also a fair share of challenges that required a heavy amount of adjustment.

This “new normal” for everyone else was in fact my only normal. So, there was only one option – adapt or get left behind.

That’s what brought me to Duo in the first place, what sustained me during the mostly remote interview process, and what empowered me while working mostly from home. It’s also what allowed me to develop my skills as a Helpdesk intern, helping to keep our remote employees at their most productive regardless of where they’re located.

My Endpoint journey

In my first year of high school, I started programming the basics like HTML and JavaScript. Before I took that mandatory class, I was so intimidated because I could barely navigate my own computer back then, let alone start programming on one. Much to my surprise, I instantly clicked with everything programming. My middle school self would not believe that I could now solve the computer problems of others when I could not solve my own basic issues before.

I decided in high school that I wanted to major in Computer Science. When I got to college, I was a bit lost. I continued my Computer Science curriculum, but all I could think of was “I do not want to be sitting at a desk coding and debugging all day.” I thought I would lose my mind. (By the way, that is not what I do now, and my faith has since been restored).

But, during that short, but necessary, period, I started exploring my options. So here I am – with a Double Major in Computer Science and Anthropology. Two fascinating subjects that have absolutely no correlation whatsoever.

The moral of that story is I learned a lot more about myself along the way. I was always such a straight path person, “I need this done by the time I am 25, and this has to be completed by the time I turn 42.” I thought what I wanted in life would guide me, but in my case, it was what I did not want that led to true self-realization. There was always one goal to get to, but I never really knew what it was. Now, I realize the goal is not actually the goal, it is how much I learn and gain from my journey to the Endpoint.

How I became an intern for a tech company

Towards the end of my first year of college, I knew I needed a summer job. I was planning to become a barista, my dream job as a coffee and coffee shop lover. Clearly, that did not happen.

I got an unexpected email from a program called the Michigan Future Founders Fund, which has an internship program for minorities. They partner with tech start-ups to provide qualified interns for the companies, determined to help both the interns and companies grow at a rapid pace.

To be honest, I did not think I would get anywhere with it. Before I became a finalist, I saw all the other choices these companies had: Juniors and Seniors with much more experience and relevancy. I still applied with the mindset of “what is the worst that could happen?” since I did not want to get my hopes up. I had just been declined for an internship at my school's (University of Michigan) IT department and accepted that as an internship after my first year just might not happen. Even when I became a Finalist, and Duo requested an interview with me, I retained little hope.

After the interview, I felt more at ease. My current mentor – IT Project Manager, Jenna – is the one that interviewed me first, and it was very reassuring. Prior to my interview, I heard about horrid technical interviews, and everything being so serious. In my experience at Duo, though, we just had a pleasant conversation talking about the company and my background.

I was offered a second interview, much to my surprise, with my current manager, which seemed even more intimidating at the time. Once again, my worries faded away after the meeting. The tech world is often portrayed to be a scary place, filled with serious people with no social skills. Yet, at Duo, I have seen nothing but the opposite. I have visited the office a few times and even weaseled my way into some friendly office war shenanigans once or twice.

About a month passed after the interview, and I lost all hope. As a first-generation student, I did not know what the timeline of a new job in my field looked like. There was no one I knew, especially in my family, that could give me sound advice. But on my last day on Campus, I received the offer email.

Manning the help desk

The day I was onboarded was the first day I met other members of my team. I currently have the formal title of “IT Support Analyst Intern.” and the Helpdesk team is definitely the best. I can absolutely say that with no personal bias at all.

My most prominent daily contribution goes towards the #helpme channel in Slack, where people send their IT issues and questions instead of filing tickets. As necessary, more intensive issues can lead to ticket creation. Some can be completed with a simple answer, but others can take a few hours of back-and-forth conversation.

Identifying the problem can be the trickiest part at times. I never feel stuck because I can always ask my team questions, which I ask a lot of. The most rewarding part of my job is knowing that I made someone’s day a little easier or solved a problem for them – especially by unblocking them and allowing them to get back to work and be their most productive. As an estimate, I help around 6-7 people a day through the channel.

When requests are more difficult or contain confidential information, a ticket can be filed. We use a software called Zendesk, where tickets are assigned to a Helpdesk Agent and the requester and agent can communicate about the issue. Tickets can be filed for many things, big or small, all the way from simple tasks like additional access and password resets to more daunting ones like device management and laptop refreshes.

Provisioning laptop refreshes have also been a significant part of my internship. I work on sending out, filing, and setting up more powerful laptops for engineers in need of an upgrade.

Why my fears were washed away

The best parts of my internship include the amount of knowledge I continue to gain and the interactions I have with my team, which are directly correlated. I thought an internship would be like those you see in movies, where interns do errands and run around to get coffee, likely modified due to Covid.

I was extremely mistaken, once again. My team welcomed me with open arms. Almost every one of them taught me something new, whatever seemed to be their “specialty,” even though all members can do it all. Being taught that way helped me form bonds with my team that I am very thankful for.

One of the first things that was said to me when I started was “Please ask questions.” I took that as a challenge apparently. Even now, towards the end of my internship, I constantly ask questions every day and not once have I felt deterred to ask them.

The hands-on approach I was able to take from the very beginning could never be replaced by lectures, textbooks, or watching others. However, I did learn a lot from watching, especially at the beginning when I had no idea what I was doing. I continue to learn every day, and I am certain that will happen until the end of my time here.

As an intern, I was surprised when I received the same access as other members of the Helpdesk team, after a lot of training, of course. I did not realize how essential it was to have all of it until I started helping. Helpdesk problems can be all over the board, and being able to solve problems on my own, with support if needed, was a huge advantage for my learning process.

The most challenging part of the internship was the training at the beginning, which took most of my time for a week or two. The IT training was interesting and relevant for day-to-day use. Then there was a lot of more general company training required for all employees. My manager wanted me to “hit the ground running,” which I feel like I did after the IT training. There were more difficult and prominent problems to handle for other members of my team when I joined, so I was able to jump right into helping people, in an attempt to relieve them from some of the load.

Of course, I still asked a lot of questions, even ones just for clarification. That time played a prominent role in the comfortability I have with solving issues now. For many questions, I was able to search for similar problems and their solutions from the past, which allowed me to gain a game plan for the unfamiliar problems I face every day.

Lessons from the Helpdesk

Walking into a big internship like this was an eye-opening experience after one year of college. It has cemented my interests in computer science, while giving me peace of mind for my future. I am forever grateful to my department for designing this internship to be so interactive and growth focused.

This experience has been nothing but refreshing and meaningful to me. I would intern at Duo a thousand more times if I could, and there would still be more to learn and gain from it.

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

You’re doing amazing. Thanks, you too.

It shouldn’t be that hard to accept a compliment. But it’s always been easier for me to deflect the attention back to the person complimenting me. Rather than appreciating my accomplishments, I quickly move on wondering “what’s next?”

I struggle with the feeling of inadequacy, not doing enough, or the need to do even more. And after reaching out to others, I learn that this feeling of imposter syndrome is all too prevalent in the lives of others working in tech.

From their stories, I learned that there are many ways one can experience imposter syndrome. And just as everyone has different experiences, their approaches toward imposter syndrome are equally as personal and unique.

In this blog, I’d like to share with you two different approaches I have learned through the stories of Nick Zolfo and Subha Madaka. In the first account, Nick's introspective approach. And in the second, Subha's collective approach.

The first step in combatting imposter syndrome? Acknowledgement

“It’s a self-love thing. My inability to self-love bled into me not acknowledging the great things I was doing and own them… that they came from me,” Nick Zolfo, design thinking coach at Cisco Secure, explains.

For Nick, his struggles are rooted in his core life experiences. It’s an issue which he believes to be deeply grounded in who he is and will always be there. To combat this, Nick makes the commitment towards bettering himself.

“To know what you want and to go after that, is the greatest thing that I have done for myself and can offer up to other people. That is the crucial point I had to say for myself. I spent too long not doing something but was aware. I was upset that nothing was changing. Recognize, you are the one that needs to take control.”

Nick brought up a key point; I have to care enough about myself to advocate for what I want. This is the baseline. You must care about your own wellbeing for any change. Care about yourself and take action.

“It’s always worth exploring what imposter syndrome means to you. Identify what is tactile. Identify what are the inputs.”

It’s always worth exploring what imposter syndrome means to you. Identify what is tactile. Identify what are the inputs.

For Nick, meditation helped him explore his space. Taking a moment to pause and reflect to identify the cause before tackling the problem is one strategy in identifying where to begin. But maybe you need a little more help in navigating those complex thoughts and feelings.

Remember, we are in this together

First, I must make a correction, and I encourage you to do the same. Instead of saying “imposter syndrome,” let’s call it an imposter phenomenon.

Subha Madaka’s story began when she first started her career as a software engineer.

“When I was growing up in India, the traditional path for girls was always to get a certain level of education and either get married or find a job. I had wanted to come to the United States to do a master’s.”

Subha Madaka is grateful for her loving family and supportive parents. But her bold decision to move into a new country and begin an untraditional path on her own was a daunting life decision leading her to question herself.

“There are days when I ask myself ‘am I where I need to be today’ or ‘do I deserve to be here?’ But I look back to the decision that I made and believe in the people who trusted in me. I believe in them enough to say ‘yes.’”

But working in America wasn’t always so easy. Coming from a traditional background, Subha was shy and introverted. The imposter phenomenon became more of an occurrence in her life as she went from an engineer to a manager. Lacking the experience and mentoring network, Subha would often question her management abilities.

“At Duo, I work with a really great group of people. It’s like everywhere you turn you meet somebody who you are going to look at and be in awe. And you wonder, ‘how can I be like that,’” she says. “It’s a good problem to have but many times it brings up thoughts like, ‘oh my gosh, there’s so much I need to learn. Do I really belong here?’” 

It’s a common sentiment I hear in tech, and one I strongly felt when I started my internship as well.

“What can we do about this?” I ask.

“Invest time in building relationships at the beginning of your time here at Duo as those relationships will serve as the foundation,” Subha responds. “It’s not one of those things where you can find a great way to overcome. Instead, it’s about finding the tools to prop each other up and acknowledging its existence.”

It's not one of those things where you can find a great way to overcome. Instead, it’s about finding the tools to prop each other up and acknowledging its existence.

That’s one thing I came to love about working here at Duo. In short, Duo encourages an authentic and collaborative culture where you know you can be supported. We are a community that values psychological safety. We are a community you can rely on when you have challenges. Product designer Sierre Wolfkostin writes about this when she explores Duo’s recipe for great culture.

We are all in this together so let’s ask ourselves, “how can we build each other up?”

Your own story

While Nick and Subha’s experiences are different from my own, it was relieving to hear that there were people I can reach out to and can have this sensitive conversation with. And for me, having those conversations help tremendously in embracing my imposter phenomenon.

As my internship comes to an end, I can say more confidently than before that this is the place for me. Duo Security was my first tech job and corporate experience. I had felt that there was so much I did not know and, likewise, so much I needed to learn to be on par with everyone. I was afraid of making mistakes because I wanted to prove that I wasn’t a hiring mistake.

But I took Nick Zolfo’s advice. I began with acknowledging that yes, I am going through an imposter phenomenon. And because I care enough about myself, I wanted to make a change starting with recognizing that I am deserving of good things.

I also took Subha Madaka’s advice. I wanted to build personal connections with others and have the conversation to better understand the imposter phenomenon within the team.

Due to a word count, I am unable to share their stories, but I’d like to thank Milly Yeh, Chisulo Mukabe, Camille Kapoor, Alice Shih, and everyone who have opened up to me with their stories of what imposter phenomenon is to them. By opening up to my team, I not only received the support I never knew I needed, but also grew more confident in my work.

There’s a lot to talk about and learn from. And for the time being, I will commit to bettering myself – reminding myself and others in awkward times of compliments to think...

Yes, I can be amazing. Thank you.

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

It still feels like yesterday when I opened a package on a summer afternoon. It was a hand-written welcome card and a bag of swag from Emily – a Program Manager at Cisco Secure – to welcome me to Duo Security’s internship program. Looking at a sticker that says “Kinder than necessary,” I wondered what makes this company so heart-warming and unique. I was looking forward to what this journey would bring up. All this made me both nervous and excited.

English is my second language. Honestly, I don’t have the same level of confidence in English communication as I do in my mother tongue, Chinese, especially when I talk with people who speak fast. Though I took several design storytelling classes at school and presented many works to other designers, I still see the difference between myself and those TED speakers who can crack a joke while telling wondrous stories. I must admit that I doubted myself when it comes to communication.

That is why I got pretty anxious when I discovered my intern project would work closely with cross-functional team members. The timid person inside me kept murmuring, “Can you do this?”, but there was also a brave voice encouraging me to accept the challenge!

Meeting our cross-functional team

To help me get familiarized with everyone on the engineering team, my mentor Chinmay – a Product Designer – invited me to the engineering daily standup meeting.

I still remember the first day I entered the Duo Network Gateway (DNG) standup meeting. There were about ten unfamiliar faces who were on the engineering team. I remember I was so nervous that when they asked me to introduce myself, I didn’t even mention where I was based.

After that meeting, I realized my anxiety comes from all the unknowns. So, the next thing I did was to go to the standup meetings minutes earlier than they started so that I could have casual conversations with the engineering team members. The more I talked to them, the more I got to know each person in this lovely team.

During our second 1:1 meeting, my mentor Chinmay asked me about what I enjoyed the previous week. I told him I enjoyed learning new knowledge about how DNG works, the wonderful people I encountered, and the friendly company culture.

“What about the things you disliked?” he asked. I paused. I wasn’t sure if expressing my worries about communication skills would be a good idea because I was afraid that would show my incompetence. But the sincerity in his eyes encouraged me, and I decided to open up about my weakness.

To be honest, I was not sure who and when I should ask for help when I encounter engineering-related problems, as I assumed everyone was busy. Sometimes, I was hesitant to share the things I was working on in the standup meeting. I wished I could speak up and be more assertive when communicating my ideas.

While I told him my thoughts, I thought this could bring disappointment to my mentor. To my surprise, Chinmay not only showed empathy by telling me about how he had improved his presentation skills during his internship but also encouraged me to step out of my comfort zone.

He said: “Shuyun, from now on, you will represent the face of us and share the design progress with the engineering team at every standup meeting.” My fearful little person rose up again, but I know this would be a great challenge where I could practice my communication skills. The trust and empathy my mentor showed gave me a lot of strength.

Taking charge of communications

After that meeting, I began the journey of stepping out of my comfort zone. In our standup meetings, I:

• Began to share progress on our design and asked for help whenever we encountered problems

• Initiated meetings with engineers and product manager to understand the current problems

• Frequently asked for feedback from the engineering team to make sure the design was aligned with the technical capabilities

• Proactively approached researchers and research ops to improve our research plan

As an intern, I was exposed to the end-to-end design process. All these opportunities allowed me to practice my communication skills. Even if I made a few mistakes in the beginning, the feedback from my mentor and the encouragement from my lovely collaborators helped me to grow my confidence day by day.

On the day of first design share-out – a meeting that enables design alignment – I realized I could confidently present the problems and our design approach. After that presentation, I received many compliments from both sides. I told Chinmay that I can’t believe I did it! All these efforts had transformed into my confidence in cross-functional communication. I was not sweating, and I managed to have pauses when presenting important findings.

The takeaway

Now when I look back on my weekly reflection, I am so glad to see my growth. What would have happened if I chose not to open up to my mentor about my weakness or if I received a different response from him? I think my summer might have been a different story.

If you ask me to share something I learned from my Duo internship, I would say to be honest about your feelings and proactively seek advice from others. While remote working could bring a sense of disconnectedness, creating a support system becomes so important. I find that when we communicate not just the positive experience but also our challenges and struggles, we are more willing to support and help each other.

Lastly, I want to shout out to my mentor Chinmay who gave me a safe space to make mistakes and keep growing from them!

When the time came for furniture manufacturer and distributor La-Z-Boy to implement a multi-factor authentication (MFA) solution, they turned to Duo Security. We shine a light on this partnership in our latest La-Z-Boy case study, examining the features that set Duo apart from other cybersecurity solutions.

La-Z-Boy is a producer of reclining chairs and a manufacturer/distributor of residential furniture in the United States. Founded in 1927, La-Z-Boy employs over 10,000 people and has 900 retail locations, including La-Z-Boy Furniture Galleries and Comfort Studios.

La-Z-Boy wanted to protect corporate, manufacturing and retail employees against breaches and onboard MFA through a zero-trust framework while making it easy for workers to use it.

This was prompted, in part, by an increase in hacking activity after the organization moved to Office 365. La-Z-Boy wanted to secure their environment with a product that would scale as they scale, that was simple to install and that offered the maximum security. They chose Duo.

“It was very quick and easy to see where Duo fit into our retail environment quite well, and worked with any application or legacy app, while deploying quickly. Duo was an easy choice for us.” — Craig Vincent, Director of IT Infrastructure and Operations at La-Z-Boy

Learn about the benefits La-Z-Boy has experienced with Duo:

• Duo helps protect shared devices both managed and unmanaged

• Duo’s Device Health functionality ensures only healthy devices connect to the network

• Duo helps La-Z-Boy meet compliance regulations

Want to learn more?

Read all the ways Duo helps protect La-Z-Boy's retail and manufacturing employees in our La-Z-Boy case study.

And if you'd like to learn more about how Duo Security can help you on your MFA journey, sign up for a free trial today!

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

Hey! Duo summer intern here - it’s been almost two months since I started interning at Duo and it has been one wild ride. It was thrilling getting into it, and still is, but I surprisingly never felt as if I were missing a beat or felt overwhelmed.

The way everyone kept such close communication with each other in this fast-paced workstyle surprised me. Yes, there were a lot of meetings, but no one missed a detail or was left wondering what other teams at Duo had finished working on. Even me, the intern who had to get taught everything from scratch, was never left out of the loop. It made me wonder what my Duo team was doing that was working so well.

I had been a part of other teams at previous jobs, medical offices, database teams, but they hadn’t gotten the mix of people and teams to work just as seamlessly yet.  After some pondering and debating, I can now present three things that my team does that makes them work efficiently, effectively, and, essentially, like a Duo team.

1. Conversations between conversations

If you’ve worked in an office with a group of people before, you know how that there are usually five different conversations consistently happening. Updates on people’s personal lives, weekend plans, or just casual chats about new restaurants people have tried. It usually felt like a way to interrupt the silence of the room or to ensure people felt comfortable as they walked in.

Those conversations are definitely key to keeping the team close and reminding everyone to feel comfortable enough to ask whatever they want. But it somehow still felt stiff at my previous jobs as I constantly felt the need to prepare to ask something or to find just the right time to ask it.

Flash forward to my time at Duo, there really isn’t any feeling of stiffness with the team. I always had my manager catch up with me and ask how I’ve been feeling and if any concerns or questions have arose. But it wasn’t just him, any coworker I talked with would always ask me similar questions.

You could probably imagine it getting repetitive after hearing it every day. That wasn’t really the case though. Our work here is never dull or repetitive, it’s the most fast-paced work environment I have experienced because of all the updates and changes happening in our team and outside of it. The repeated questions were necessary and everyone knew that because they had all experienced coming to Duo and spending their first few months overwhelmed.

So there were a lot of engaging work conversations, but in between those conversations were our own personal conversations. We got to relate to one another on a personal level and everyone was interested and excited about what you had to say.

There’s a phrase I hear around here a lot, and that’s being “Kinder Than Necessary.” People showed that phrase more than they said it, everyone actually cared about someone’s obsession for antiques or their recent trip to Toronto. Sure, work conversations are a constant. But so are conversations about each other’s dogs or hobbies – the kinds of conversations that build human connections.

A Duo team member's dog (and popular topic of conversation)

2. The manager doesn’t do his job solo

When you imagine a traditional manager, it’s usually a grumpy old man who tries to get people to finish tasks on time. In my mind it was also the person who was in charge of helping to me to get through my first tasks as an intern. At Duo however, it’s really not one person per job.

We do have our teams divided for specific parts of the company and different job titles for everyone, but it never felt black and white. Everyone’s jobs overlapped and I found myself being taken care of by the whole team, not just my manager. Everyone checked up on me, invited me to ask them questions, and looked over the different tasks I was doing.

No one’s forced to get involved in other people’s tasks or other teams tasks, but we do. In fact, everyone is genuinely interested in what’s going on with other people’s work. It helps everyone have a better idea about how the company is working as a whole and not just how your own tasks are working.

My coworkers and I go on a team-building event

There are a lot of ways we stay connected, like sharing what we accomplished in our own teams every few days and we analyze it even more every sprint (which is every two weeks). There are also presentations done with multiple teams where we can hear the new things other teams have accomplished.

Now, many people probably sigh at the thought of dozens of meetings. That’s where people’s interest in learning comes in, ‘cause it’s not just about sitting through presentations but about talking to different people and teams and asking questions to keep everyone on the same page. It’s refreshing to see people care about everyone’s work and being involved in the company's work as a whole on top of their own work. We all want to progress forward, and to progress with each other. 

3. Days for me, for you, for us

As important as meeting up with coworkers and catching up on work stuff is, it can turn out to be a lot. With so many meetings scheduled every day, even I found it hard sometimes to find time to just finish my own work. Cisco had set up focus days they do every first Wednesday of the month where no meetings are planned for that day in order for people to get time to just focus and catch up on all their work.

Duo took it one step further and created weekly focus days every Wednesday, and it is the one of the greatest ideas any team I’ve been on has had. It works so well because there already is so many conversations going on during the entire week, every day. We are always striving to keep each other up to date, so when Wednesday comes along, we work without interruption on our tasks we may have had to set aside, and then we reconvene the next day and get to share what we’ve gotten done.

It helps keep my productivity levels as high as my conversational levels are. Of course, if need be, there’s no law against having meet ups that day if you want it. It is your focus day, to focus on the things you know you want to get done.

On top of that, Cisco has ‘Days For Me’ where the entire company gets periodic dates off of work. Where instead of getting focus days for work, you get focus days for your life outside of work; for your friends, family, pets, or whatever you want to do with that day. I know this isn’t something most people can personally just choose to put in place, but if a team had the opportunity to give these ‘Days For Me’, I'd say go for it.

One of my teammates takes in the sights on a day off

Being able to have your personal life in balance allows you to be ready to balance the hustle and bustle of work. It’s just for a day and that can seem like almost nothing to some people, but instead of thinking it as a time to completely reset, I look at is as your day to focus and catch up on all of your personal things. After all, taking time off for tropical vacations is when the real resetting happens.

But, how do we make these three happen?

How do you shape an entire team to truly care and get interested in other people and their work? It could be the leaders always repeating to be kind and open to learning, or our different goals/slogans posted everywhere.

My best answer to it is to lead by example. If the people I’m working with start doing something different, chances are I’ll follow along, especially if I feel like it helps us all out. And when you are really careful with who you choose to hire (like Duo is, I’ll just say my internship process was stuffed with a lot of different interviews), you find that everyone in your team actually wants what's best for everyone and will put in the effort to accomplish your team, and your company’s, goals.

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

For every native speaker of English in the world, there are twice as many non-native speakers, meaning English is their second, third, or even fourth language! As an avid learner and lover of culture and language, I was intrigued when I learned this fact. The world continues to expand and connect more every day, and with that expansion comes the spread of many different languages and cultures.

Consequently, a common misconception for many people is that everyone has a basic understanding of English and feels completely comfortable using it. However, this simply is not the case; everyone has a different comfort level, and some may not feel comfortable using English at all. As a result, the importance of localization and translation has never been clearer.

My intern project last summer was to localize and prepare the Duo Device Health Application (DHA) for translation. The intention was to create a better experience for non-US/non-English speaking users. As part of my project, I learned a great deal about cross-cultural design, internationalization, and localization. Throughout the process of learning more about these topics, I also gained a better understanding and a deeper appreciation of Duo’s culture. I’d like to share more about what is involved in localization, as well as my journey in connecting with Duo’s culture!

What is cross-cultural design?

Since its popularization in the mid 1990s, the web has globalized, meaning that more people and more devices are coming online around the world. Of course, the influx of people from around the world has also brought about various cultural and linguistic expectations.

Unfortunately, designers and developers often assume that users are from WEIRD (westernized, educated, industrialized, rich, developed) nations and speak English. While this may be a natural assumption initially, it’s important to recognize that users come from all over the world and speak many different languages other than English.

Cross-cultural design is a framework that addresses this idea of an ever-evolving global audience. It’s a way to navigate product design with empathy and respect for our incredibly diverse web. This framework can be broken down into several guiding principles, some of which include consideration for internationalization and localization, cultural aesthetics, and cultural dimensions such as individualism vs. collectivism.

When thinking about cultural aesthetics, consider this example: research has shown that Japanese web pages that are densely packed with information are considered aesthetically pleasing. However, English web pages are considered more aesthetically pleasing when information is spaced out.

The news section of the Japanese version of the Cisco website features very little space between articles and minimal padding within each article box.

The news section of the English version of the Cisco website features more space between articles, and extra padding within each article box.

Furthermore, when thinking about individualism vs. collectivism, consider this example: results from a research study reveal that Turkish users often prefer phone contacts to be structured by in-group connections. In other words, Turkish users prefer to see their contacts grouped by family members, friends, schoolmates, and others. Contrastingly, Turkish users did not prefer a list of individual contacts, as members of an individualistic society may.

In both cases, effective cross-cultural design involves crafting solutions that put the needs and preferences of people first. 

What is the Device Health Application and how does it fit into cross-cultural design?

As an intern on the Endpoint Health team last summer, my project was to begin localization of the DHA. For those unfamiliar, the DHA is a desktop application that performs health checks on a device during authentication. It checks if your operating system is up to date, if you have a system password set, and if you have disk encryption and a firewall turned on.

Previously, the DHA was only available in English due to hard-coded strings throughout the codebase. My project involved extracting those static strings and formatting them so that they could be easily translated into other languages. For macOS, I compiled all the static strings in a separate file and formatted the strings using the NSLocalizedString function. This function allows you to add a comment to explain the context of the string, which is helpful for translation. A similar approach was taken for the Windows application.

After I completed my project, the DHA had no more hard-coded strings, and was ready for translation into all the Priority 1 languages.

The main intent behind this project was to create a better experience for non-US/non-English speaking users. After all, one of Duo’s main goals is to democratize security for all, not just one type of user! This project was just one way of being intentional about creating a better experience for end users, which sets Duo apart.

How learning about cross-cultural design and my localization project helped me feel more connected to Duo’s culture

While learning about cross-cultural design and working through the DHA localization project, I came to understand and feel more connected to Duo’s culture. Duo’s culture is remarkably well-defined and engrained into our identities as Duonauts, and I believe our culture is an incredible asset.

For example, the principle of learning together is something I certainly experienced last summer. As a new intern, I knew very little about the Swift programming language that is used for macOS application development. However, my mentor, Dave Gross, worked closely with me to teach me fundamental concepts in Swift. Additionally, we were able to learn about macOS application localization together!

Furthermore, I also experienced the principle of being kinder than necessary. For example, my manager, Lauren Pully, facilitated open and honest communication and feedback to help me grow.

Overall, engineering the business, learning together, being kinder than necessary, and building for the future are building blocks of Duo’s culture that are very special to me, and learning about cross-cultural design helped bring that into focus.

Final reflection

As the web continues to diversify and the world continues to grow, I highly encourage you to consider how you can incorporate principles of cross-cultural design into your product.

To learn more about Duo’s internationalization and localization efforts, check out this article on how new data centers support data localization.

The Payment Card Industry Data Security Standard (PCI DSS) recently updated their standards from PCI DSS 3.2.1 to PCI DSS 4.0. It is the first major revision in some time. There is more flexibility built into 4.0 for companies to implement security that works with their security framework. There were 60 changes made, with new rules around multi-factor (MFA) being one of the most significant.

The changes to MFA now more closely align with NIST SP 800-63B Digital Identity Guidelines. PCI DSS 4.0 focuses on developing stronger authentication requirements around NIST Zero Trust Architecture guidelines. PCI DSS 4.0 now mandates that MFA must be used for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment (CDE).

What Is PCI DSS?

The Payment Card Industry Security Standards Council (PCI SSC) regulates the PCI DSS standards and is composed of the five major credit card companies: Mastercard, Visa, American Express, Discover, and JBC. The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. These standards are meant to protect a consumer transactions by credit, debit or cash cards from misuse of their personally identifiable Information (PII) with safeguards that make stealing identities difficult.

How Does MFA Fit Into the Updated PCI DSS 4.0 Standards?

There are three accepted multi-authentication methods including a) something you know (like a password), b) something you have (like a mobile phone) and c) something you are (like a biometric). A minimum of two of the three factors is required for authentication.

Previously, if you worked from home and connected to the CDE through a VPN that required MFA that one challenge was enough, now MFA is required for all access into the CDE as outlined in 8.4.2. MFA will be required every time there is an attempt to access the CDE.

If an individual first connects to the entity’s network via remote access, and then later initiates a connection into the CDE from within the network, per this requirement the individual would authenticate using MFA twice, once when connecting via remote access to the entity’s network and once when connecting via non-console administrative access from the entity’s network into the CDE. (PCI DSS 4.0)

The new requirement is best practice until March 31, 2025, after which it will be required and must be fully considered during a PCI DSS assessment. While the requirement is about three years out, the industry as a whole is quickly moving towards Zero Trust. It is worth looking at an improved solution prior to an incident or a compliance requirement.

8.4.2 indicates MFA will need to be in place for all kinds of system components including:

• Endpoints

• Servers

• Cloud environments

• Hosted systems

• On-prem applications

• Network security devices

• Workstations

In 8.4.1 Administrative access to the CDE cannot be obtained by the use of a single authentication factor and if a user has been idle for more than 15 minutes the user is required to re-authenticate and to re-activate the terminal or session as outlined in 8.2.8.

DarkReading reports PCI DSS 4.0 considers:

• Multi-factor authentication (MFA) usage for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment.

• Passwords for accounts used by applications and systems must be changed at least every 12 months and upon suspicion of compromise.

• Use of strong passwords for accounts used by applications and systems, which must contain at least 15 characters, including numeric and alphabetic characters. PCI DSS requires that the prospective passwords be compared against the list of known bad passwords.

• Access privileges must be reviewed at least once every six months.

• Vendor or third-party accounts may be enabled only as needed and monitored when in use.

Compromised passwords are still the top threat from bad actors and MFA is considered the best tool for preventing authorized attacks. Soon every entry point will require MFA protection. MFA is the first step toward a zero trust framework. Companies will have until 2025 to implement the changes.

Want to learn more about Duo's MFA and Trusted Access platform?

Download our guide to evaluating two-factor authentication today!

This article kicks off a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

It is not every day you find a Master of Fine Arts (MFA) in Creative Writing student majoring in poetry, interning at Duo – the most loved brand in security. In fact, finding tech companies that embrace diversity in employee backgrounds and skillsets is still uncommon. As an international student, being at Duo is even more special – one of my wildest dreams come true. I have only been here for over a month as a user experience (UX) writing intern on the Design Enablement team (the best team!) and while I have so many good things to say about my experience so far, I must gush about the culture, which is my favorite thing yet. But first, the big question...

How did I get here?

My journey to Duo and UX writing has been nothing short of magical, with several detours. I have always loved reading and writing, so I started out writing poetry, then fiction and non-fiction. By chance, I discovered UX writing on social media and thought it was the perfect fit for my passions: writing, technology, and making people feel seen. So, I took a bunch of courses online ranging from digital marketing to writing for the web.

With those courses and my work experience, I was on my way to find a UX writing internship. When I had my interview to intern with Duo, an opportunity I got because of an article I wrote about my journey into UX writing, I did not feel pressure to be anything but myself. In fact, the Duo team saw the value of diversity of experience in tech. My experience as a poetry major was viewed as a plus for the similarities between poetry and UX writing, like working with limitations. As a poet, I am no stranger to working with stanzas and line breaks while working to establish and communicate meaning. As a UX writer, you will need to communicate ideas in the simplest possible language and in as few words as possible. In a complex field like internet security, this is an essential skill.

Duo from within

While learning more about Duo during my interview, I asked one of my interviewers, "what kind of people thrive here?” Among several values such as a commitment to learning, and being kind, they also mentioned diversity. Now, more than ever, diversity is a word that is constantly thrown about, but with Duo, it’s different. They mean it. How did I know? Because my interviewer spoke about diversity, not only in terms of gender or race, as we often hear, but also in terms of thought and experience. This is not to diminish the importance of gender and race diversity. As someone whose favorite book is Chimamanda Ngozi Adichie’s Purple Hibiscus because it is one of the first places I saw a quiet and shy Nigerian teenager character Kambili like me, I understand how important representation is.

Including thought and personal experience as an example of diversity shows the thought tech companies Duo and Cisco put into growing a culture that makes everyone feel welcome and know that they have something to contribute. I cannot tell you how much this meant to me. At the time of my interview, I had just “celebrated” my one-year anniversary of arriving in America. Still struggling with finding my place in the country and in my career, I felt affirmed, safe even.

Experiencing diversity in a tech company

After all the paperwork was done and I started work, I became more grateful to be here. Everyone was and still is so kind, and it wasn’t hard to see why. One of Duo’s values is to “be kinder than necessary.” This is interesting for an internet security company. But it is a reminder not just to people who work at Duo, but everyone who interacts with its mission that EVERY place and time is the place and time to be kinder than necessary. It is a call for consistent empathy.

Also, my internship project is to work on mobile guidelines for our design system alongside Prithvi Murahari, the design engineering intern on our team. The project requires that I interact with designers, leaders, engineers, and writers within and outside my core team. They have all been noteworthy examples of Duo and Cisco’s diversity-centered and empathetic culture. With every conversation, I have met people from diverse backgrounds culturally and career-wise who have honestly shared their mostly unconventional journeys to big tech. There are people who have come from academia, medicine, and those who started out as interns. The one thing most of us have in common? Often, this is the company that gave them their first big tech experience. They affirm something I have heard several leaders here say, “We are not looking for people to fit our culture. We are looking for people that contribute and enrich our culture.”

As I write this, I have been at Duo for 50 days (about one-and-a-half months). While there have been good and hard days, I wake up daily with a sense of purpose and firm belief that if I ever need clarity on something, I can always ask. Considering my background, I had been anxious about not knowing enough. More so because the project I am working on is an unfamiliar territory. But for every bout of anxiety, there is an almost daily reminder that we (interns) should feel free to ask questions. For every time I have reached out, I have learned, laughed, and grown more confident. I am learning so much from everyone I have encountered, particularly my manager, Matt Weston, who found me on LinkedIn and suggested I apply for the position. We have weekly one-on-one sessions geared towards my work at Duo and career growth.

They are why, for the most part, I don’t hit snooze on my alarm. In fact, I look forward to those conversations. I look forward to showing up as myself and to being valued for the diversity of my culture and experience knowing that it is an asset.

I write all these words to say this to you who is unsure about whether you belong here or not. The answer is you do.

You matter at Duo; everyone does.

Part three in a three-part series on design thinking at Duo. Previously: Design Thinking in Action.

Feeling inspired by design thinking? One of the benefits of this methodology is how simple it can be to get started — you don’t need to invest in expensive technology or other supplies to put the principles into practice. Here are some design thinking tools and exercises that will help you gather and analyze data, and ideate, prioritize, visualize and validate your solutions.

Design thinking lab

Picture showing the design thinking lab, featuring white-board walls and four tables with sticky notes and sharpies

Get out of your everyday space to encourage thinking outside of the box. For example, the Cisco campus in San Jose hosts an official design thinking lab, offering magnetic/whiteboard walls, large format labeling, movable furniture, ideation stations, integrated remote collaboration capabilities, and artwork to inspire creative thinking — but you can transform virtually any conference room to a design thinking space of your own. Dedicate different areas to different phases in the framework, grab some sticky notes and permanent markers, gather your teammates and get started.

Brainstorming better

As important as brainstorming can be to problem-solving, it can sometimes feel aimless and frustrating. However, adding creative constraints can boost your brainstorming impact:

• Start with “How Might We” (HMW) questions — By definition, this format admits we don’t currently know the answer to the problem and allows for exploration of multiple possible solutions. Consider a HMW question narrow enough to provide focus but broad enough to give space for participants to see where their ideas take them. If you’re not sure where to start, work from the model of, “How might we (intended experience) for (user) so that (desired effect)?”

• Use prompts and boundaries to help guide ideation and scope limits — “Your solution must use voice,” or “Your solution is for a user with disabilities.”

• Time limits — Use three to five minutes per prompt, starting with people brainstorming individually on sticky notes.

Do two to four rounds of ideation, sharing in between so participants can inspire each other. Map your ideas on a wall and vote to identify the best ones.

Interviews

A great starting point for new projects, interviews help you gain a better understanding of your users’ needs, pain points and opportunities. Let users guide the conversation to whatever they care about by keeping questions neutral and open-ended, and be an active listener. From a product perspective, this could look like:

• Tell me about your role and responsibilities.

• How does [product] support your work?

• What other systems do you use that relate to [product]?

• What are the top three tasks you perform using [product]?

• How do you accomplish [task] with [product]?

• What are the biggest challenges you face using [product]?

• What improvements to the [product] would make your life easier?

Affinity diagrams

Image showing four individuals working on a design thinking project, using sticky notes to categorize ideas on a wall

To make sense out of user insights, feature ideas and other data points, get your team together to identify larger themes. Start by selecting a topic and having each participant provide their ideas on sticky notes. Organize the sticky notes on a whiteboard, placing notes with identical ideas on top of each other. Together, reorganize the sticky notes into groups that have something in common, talking through what should go where. Discuss the key findings for the problem you want to solve and identify which themes to move forward with.

Design thinking resources

• Cisco Design Thinking

• Cisco Champions Podcast: Design Thinking for Innovative Solutions

• Duo Webinar: Design Thinking for Securing DevOps

Visibility is a key element to success in many professions. Just ask a pilot, a top athlete, or a security operations (SecOps) analyst. Another is simplicity. Having the tools and information you need at your fingertips uncomplicates the decision process and helps you make smart choices. Poor visibility, on the other hand, often leads to mistakes based on a lack of insight. And having disparate or overly-complex systems to deal with can be frustrating and time-consuming. These are some of the challenges we’re addressing with our announcement that telemetry from Duo’s Trust Monitor and Device Insight features has been integrated into SecureX, Cisco’s cloud-native security platform that connects the breadth of Cisco's integrated security portfolio and the customer's infrastructure for a consistent experience.

Enhanced Security Visibility and Threat Intelligence

When Duo launched Trust Monitor in November 2020, the idea was to highlight suspicious login activity and help SecOps investigate potentially compromised accounts. Trust Monitor does this by ingesting and then analyzing authentication data (telemetry) in real time to build user profiles which it then compares to future login attempts. For example, Scott typically logs in each morning around 7:30 am from California on his Mac running macOS Monterey and he accesses Microsoft Office. If Scott’s credentials are suddenly used to log in from a Windows 10 PC somewhere in Asia to access a finance application at 2:00 am, Trust Monitor identifies the login attempt as potentially suspicious because it deviates from his normal login behavior and could mean his account has been compromised. Surfacing this information provides SecOps analysts with greater security visibility into potential threats.

While Trust Monitor highlights anomalous logins, Device Insight inventories endpoints to provide data on device status. For example, how many network endpoints are running the latest OS? Is the browser up to date? What about Flash and Java plug-ins? Duo Beyond edition customers can filter by trusted and non-trusted endpoint. For more granular information, the Mobile Devices page provides details on OS versions by device, which smartphones and tablets have been tampered with, and whether security features such as screen lock, disk encryption, and biometrics are being used. There’s also a Laptops & Desktops page which shows the operating system and browser versions of the devices used to access the network over the previous seven days.

In 2022, we’ve taken things a step further. Cisco Secure customers with a Duo Access or Beyond subscription can now access Trust Monitor and Device Insight telemetry directly from their SecureX dashboard. As part of the SecureX ecosystem, Trust Monitor and Device Insight join other Cisco Secure products to provide SecOps analysts with enhanced threat intelligence. Using that information, analysts gain a deeper understanding of their existing security posture and policies and can take actions to step up (or down) access requirements as needed.

Benefits of the SecureX Ecosystem

The integration of Trust Monitor and Device Insight telemetry into SecureX offers benefits beyond providing high-level visibility into security events and endpoint posture. Organizations that combine Duo with other Cisco Secure products achieve their security goals faster and more efficiently through an integrated security ecosystem approach. The integration also enables SecOps teams to:

• Extend and enhance threat detection and cybersecurity visibility by consolidating Duo authentication log data with user endpoint insights to verify user and device trust 

• Streamline security operations by accessing security event data across the network environment through a single platform 

• Aggregate and correlate global threat intelligence, providing a holistic view of the threat landscape from one location 

• Reduce time spent on manual tasks by eliminating the need to log into the Duo administrator dashboard separately

• Speed time to remediation by surfacing actionable security events across multiple Cisco Secure products 

If you’re in security operations, you’ve got to continually monitor log data to identify anomalous security events that could be threats to your organization. Managing multiple disparate security solutions and the log data each generates to do that is time-intensive and frankly not all that fun. With SecureX, the integration of Trust Monitor and Device Insight will save you time by highlighting suspicious authentication attempts while providing the number, type, and security posture of endpoints on your network directly from your SecureX dashboard, helping to improve your organization’s overall security strength.

Looking for more information?

• Take the Duo Level Up course, Introduction to Duo Trust Monitor

• Watch our webinar, Trust Monitor Anomaly Detection Webinar

• Read the 2021 Duo Trusted Access Report

• See SecureX in action in this demo video

Part two in a three-part series on design thinking at Duo. Previously: An Introduction to Design Thinking at Duo

Design thinking virtual crash course

Previously offered in person, the Design Transformation team at Cisco Secure hosts a four-hour virtual crash course in which participants learn how to apply Cisco design thinking fundamentals while solving a real and common challenge.

“We really wanted to build a program that would not just expose people to the methodology, but it would also teach them the skills and also provide the tools so that they can go back and apply them,” Valeria said. Activities include empathy research, reframing problems, dynamic ideation, prototyping and practice concept pitching.

In addition to formal trainings, Valeria and her team provide customized working sessions, facilitation and coaching to bring design thinking principles into customer and team experiences. “We do a lot of coaching and mentoring,” Valeria said. “Anyone interested in design thinking can always come to us and we’ll dedicate as much time as we need to help them figure out the right tools for their specific context for their specific work for their specific project or team.”

The Duo Blog caught up with some Duo team members to learn why they got involved with design thinking and how it’s impacted them.

Cisco Secure Web Marketing opportunity workshop

In spring 2021, the Cisco Secure Brand team needed to evaluate the state of Cisco’s security marketing portfolio on the web and make recommendations to bring together these disparate website properties to foster a more cohesive experience. Over the course of three months, the project team held many stakeholder interviews and researched everything from the back end to the look and feel of each brand’s website, starting to consider how to optimize the experience.

That’s when Emily Gordy, a creative project manager with the Cisco Secure Brand team, tapped design thinking: “We had so much information and so many thoughts and feelings, but we didn’t really know how to distill it. We didn’t know how to translate our pages and pages and hours and hours of notes into actionable next steps.”

Ahead of the workshop, the participants organized their data into categories. Next, during a two and a half-day workshop, they transformed this initial research into a prioritized action plan. By the end of the session, the team arrived at six top ideas, with each participant making a workflow suggestion for how to execute the ideas, and they created a combined roadmap that balanced their new work alongside their existing work.

“I think if we’d just continued down the path that we were going, we could have meetings and discuss ad nauseum, just taking notes and things like that. But we did some really off-the-wall things in the design thinking session that were wonderful in helping us generate more creative ideas,” Emily said.

One of her favorites was an exercise called Art Museum, in which participants were given individual break-out time to visualize what they wanted for the future state of Cisco Secure on the web and explain the thought process behind their images and what they represent, and then share via an online whiteboard tool. “It was a really cool way to approach the idea, especially for a team of creatives, and maybe a language that’s more comfortable for some of us to speak. It really generated some unique ideas and helped us identify areas of commonalities between people from all different capabilities.”

Reflecting on the experience, Emily shared that not only did the ideas generated help form the foundation of the work that the Brand team’s web designers and developers have been doing, but it also changed the way she approaches her role. “Project management can so often just be by the book and looking at bandwidth, workload, timing and all of that. It was a nice reminder that not everything has to be so prescriptive and quantitative. It illustrated the importance of keeping your team engaged — as opposed to just getting everybody in the room and saying, ‘Hey, let’s go around in a circle and share our thoughts.’ If you’re leading with activities and being really intentional about how you’re generating ideas, I think the quality of the ideas that come out is really improved upon.”

If you're leading with activities and being really intentional about how you're generating ideas, I think the quality of the ideas that come out is really improved upon.

Team Leap and Team Norms working session

Manager of Employee Programs Anndrea Boris runs a team responsible for onboarding, internships and community engagement. As this is a new team that formed in late 2021, Elayna Spratley — who previously led design thinking at Duo and is now Design Thinking Program Lead of the Cisco Workforce Experience team — recommended the Team Leap and Team Norms working session to build connections, get to know each other’s working styles and uncover the similarities and differences that make a team strong.

While most of these personalized design thinking sessions seek to solve a specific problem, Team Leap and Team Norms are about shaping the way team members interact. Anndrea described her goals for the session as, “Today we will leave feeling closer to our teammates, aligned on team norms, and smiling.”

The half-day session prompted participants to discuss four areas: working style, strengths, developmental goals and pet peeves. “We were able to build empathy and find moments where teammates can have these deeper connections on more of a personal level, and then collaborate on how we’d like to work together as a team.”

“Recognizing the way we communicate, the way that we have our teamwork, how we’re organized, what our best skill set is, I think that all ties into how you solve problems,” Anndrea added. “A lot of the problems that come up in our programs are connected to other departments or teams, so we have to have these strong relationships with other team members. I’ve noticed when a problem pops up, we solve it together. And if it pops up again, our team knows how to solve that problem.”

Anndrea highly recommends Team Leap and Team Norms, especially if you’re a newer manager or a manager who’s newly forming a team: “It led to a really great team conversation of how we can understand each other and our strengths. I got a lot of value out of it, and I know my team really enjoyed it as well. I’m just very grateful that we had this session because I think it did kick start our team off on a really great note having this as our foundation to build off of.”

Design thinking resources

• Cisco Design Thinking

• Cisco Champions Podcast: Design Thinking for Innovative Solutions

• Duo Webinar: Design Thinking for Securing DevOps

Part one in a three-part series on design thinking at Duo.

At Duo Security, customers love us because our zero-trust security platform is easy, effective and user-focused. While our culture of belonging helps us prioritize these values in our work, broader Cisco reaffirms and amplifies them through its design thinking program.

The Duo Blog chatted with Valeria Kanziuba, design thinking lead at Cisco Secure, to learn about design thinking basics, how Cisco adapts design thinking best practices and applies them to everyday business problems, and why we offer design thinking training and resources to everyone at Cisco Secure, which includes Duo.

What is design thinking?

Design thinking is a collection of processes, practices and mindsets for solving problems by placing people’s needs as the top priority. Rather than making assumptions about how people might engage with a product or service, design thinking draws insights from how people actually engage with them. Where traditional problem-solving follows a linear approach of identifying challenges and then brainstorming solutions, design thinking is an iterative process in which practitioners continue refining their solution to improve the user experience. It was first taught in the 1980s at Stanford University, and a decade later the design consulting firm IDEO adapted it for business purposes.

Valeria describes the building blocks of design thinking as empathy, creativity, collaboration and innovation. “These concepts might freak people out sometimes, like, ‘I’m not a creative person,’” she said. “But what I love about design thinking is that it gives such a simple, structured, pretty easy way to apply tools that help you to be innovative, creative, collaborative and empathetic.”

The five stages of design thinking

• Empathize: Research your users’ needs

• Define: State your users’ needs and problems

• Ideate: Challenge assumptions and brainstorm ideas about the problem

• Prototype: Start creating solutions

• Test: Try out your solutions

Design thinking core principles

• Empathy: Understand your users’ needs and motivations

• Go wide: Explore many possibilities and approaches

• Experimentation: Iterate and test your prototypes with real users

• Diversity: Include various viewpoints during your exploration and experimentation

Valeria’s journey to design thinking and Cisco

Before getting into the specifics of how we do design thinking at Cisco Secure, let’s take a moment to get to know Valeria. Whether you’re looking at Cisco Secure as a whole, or more specifically at Duo, you’ll find team members who come from all sorts of backgrounds, including nontraditional roles outside of tech or cybersecurity. Valeria is a great example of someone without prior industry experience now thriving at Cisco Secure.

“If anyone would have told me 10 years ago that I would be working at a tech company, I would’ve said, ‘Don’t talk to me anymore!’,” Valeria jokes. In fact, she studied linguistics and English language and literature in college in Ukraine. “I didn’t have a clue what design thinking was at all. I’d never worked in any formal design organization before, and I also never worked in the corporate environment. So my whole experience before was completely different.”

Before joining Cisco in 2017, Valeria and her husband ran a computer graphics and video games production company, where she focused on business administration, operations and development. She got her start at Cisco as program manager for the central design thinking program where, along with four teammates, she formalized and built the program across the whole company.

“When I joined the team, I just got super curious and really intrigued by what this methodology can do. Every time we had a workshop, one thing we constantly heard from people was, ‘That was so good! We were able to talk together and to hear each other. We had the space and the structure that allowed us to exchange so much information and do things together collaboratively.”

A year and a half later, Valeria transitioned into the role of program manager for design thinking specifically within the Design Transformation team of Cisco Secure, ultimately becoming design thinking lead.

What is the Cisco design thinking framework?

Cisco’s approach to design thinking centers on three phases: Discover, define, explore. Valeria, who helped formalize and build the design thinking program across all of Cisco, has unique insight on what led to this approach: “What we saw when we were building the design thinking program is that we are very good at coming up with ideas and building solutions, but we don’t take enough time, effort and attention to properly articulate the problem that we’re solving for.”

Discover

The discover phase is about deeply understanding your users and their needs. “That’s where you figure out your business opportunity,” Valeria explains. “That’s where the empathy leads. That’s where you get into the shoes of the user and are trying to understand what the user is going through.”

Define

The define phase is about identifying and prioritizing which of your users’ challenges you want to explore. “Once you understand where the opportunity is, now you start distilling the problems.”

Explore

The explore phase is about developing creative possibilities to address the problems to be solved “You’re exploring solutions, building prototypes, testing and all of that.”

The Cisco framework also takes two tenets of design thinking, Validate with Users and Make Things, and treats them as guardrails for the three phases. “No matter which phase you’re in, you can constantly — and you should constantly — be having that conversation with your user. And you should constantly be making something very simple that you can put in front of your users, so that you can keep in touch and you can check in if you’re on the right track.”

What kind of problems can design thinking help solve?

Design thinking originated with designers, but virtually any type of business can benefit from bringing the principles into its work. If you want to uncover users’ pain points, surface solutions for complex problems, or drive deeper innovation, design thinking helps to achieve that.

Valeria also emphasizes that design thinking isn’t limited to the business world — these principles also translate to personal life. “Start from something that’s near and dear to your heart. What’s one thing you’d want to work on to make it better?” For example, perhaps you’re planning a family gathering. “Literally break it down into a very simple problem, try to understand who the main stakeholders and users are, and apply empathy to solving that problem. Are you making a decision on your own, or are you talking to everyone who’s gonna be involved? Do they want to go out or prefer you to come to their house? You’ll see that when you start listening to other people and taking their situations and considerations into account, how much it can change.’”

How do design thinking principles uniquely benefit information security?

Valeria emphasizes the importance of understanding that we’re making products for real people experiencing real challenges. “We need to kind of shift our mind from this concept of, ‘I’m just building the product’ to the concept of, ‘I’m solving the problem for the human being.’” Design thinking helps ensure you’re solving for your users’ specific needs, not just making decisions based on personal experience or professional expertise.

We need to kind of shift our mid from this concept of, "I'm just building the product' to the concept of, "I'm solving the problem for the human being."

She also points out that in information security, people interact with technology and are impacted by incidents at many different levels. “It's complex, and it becomes more and more complex. Things change quickly, and there are new attacks and malicious actions appearing all the time. Like, how do you stay on top of that? You need to be a great designer to be able to figure out how we interact with all of that and take it into account. There’s no way that one person can solve for that, which is why collaboration and creativity is so important.”

Want to learn more about design thinking at Cisco?

• Cisco Design Thinking

• Cisco Champions Podcast: Design Thinking for Innovative Solutions

• Duo Webinar: Design Thinking for Securing DevOps

Higher Education is facing many challenges: pressure to reduce costs for students; increased regulatory oversight from federal agencies; faculty and staff attrition; hybrid working and teaching; and changing demographics of students, to name but a few.

In this mix, we now have an increasing level of cybersecurity attacks, which not only put personal data at risk, but also threaten to stop the operations of an institution altogether.

At the same time, the Federal Government, the traditional source of most Higher Education funding, has been undergoing its own cultural change. The Executive Order 14028 instructs federal agencies to modernize technology, adopt a zero trust security philosophy, and improve public/private partnerships. The effects of this will trickle down to every higher education institution in the United States.

The state of the industry

To address the industry challenges mentioned above, schools of all sizes must quickly implement security controls to address their greatest threats and do this as efficiently as possible.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), the top attack types for the Education Services Sector are largely unchanged over the last 5 years. Furthermore, the top combination of “use of stolen credentials” and “ransomware” is a problem getting the attention of boards and leadership.

How can a school with limited budgets and limited security expertise protect against these kinds of attacks? The solution is to look for measures that will help mitigate the majority of threats, while still supporting the activities of the institution.

Where to begin?

Using multi-factor authentication (MFA) to prevent or mitigate the impact of Education Services threats is a common control in all but two scenarios.

Ease of use

Implementing MFA for an entire faculty, staff and student population can seem overwhelming – there are so many different types of devices being used, skill levels of users, and tolerances for change. Consider these factors when implementing MFA. Look for an MFA solution that will work with the widest variety of technologies and skill levels. This isn’t just about integrating with your identity management solution, or your single sign on portal – it’s also about giving users the widest possible choice of authentication factors. Not everyone has a smart phone or will want to use a work application on their personal device – choice is important.

Ease of implementation

If your institution is limited in how many IT or security staff are available to implement an MFA solution, prioritize finding a solution that can be easily managed. Deploying and operating the MFA solution should be as simple as possible without compromising on basic security functionality. Consider investing in additional support services from your provider, at least for the first year. This will help your program be successful right from the start.

Communication plan

Particularly in Higher Education, a successful technology implementation requires an intentional communication strategy. Help your community understand that MFA isn’t a new thing (they already use it at the gas pumps, or online banking, etc.) and that use of MFA not only makes the institution safer, but it also protects them personally. Give them plenty of time to ask questions and raise concerns.

Deployment priorities

Institutions don’t have to roll out MFA to everyone at once. Consider your highest risk users (typically IT professionals, or staff/faculty with access to multiple records) and roll out to them first. Put MFA in front of your highest risk systems (student information systems, employee records, alumni databases). Consider where regulations require MFA and start there.

Finding resources

There is the cost to procure the solution, then there is the cost of maintaining it. Consider:

• Government Grants - Particularly at the Federal level, there are several grants made available as part of recent legislations for infrastructure improvements and covid response. The 2021 Infrastructure Investment and Jobs Act is one example. State governments are also investing in cybersecurity initiatives, so check in with your state house.

• Higher Education Cybersecurity Community - Work with Educause or Internet2 to engage with peers who are using similar solutions. Many institutions are beginning their zero trust journey by implementing MFA as a first step – there will be plenty of knowledge sharing, and some purchasing consortiums, in which to participate.

• Cybersecurity Insurance Providers - To get cyber insurance, institutions will need to have MFA. This is a strong element for a business case, but it’s also an opportunity to partner with a vendor who can assist in selecting and deploying the solution. Having MFA may reduce your premiums, so consider this in your business case.

Where to go next

We all know that cybersecurity is never “done”. Instead, it’s an ongoing maturity program. MFA is a foundational security control, which will help mitigate many threats to our institutions. Once it’s in place, it can be used as a building block supporting a zero-trust philosophy across the institution. Having this in place will satisfy regulations, funding partners and privacy advocates.

This is not a journey to take alone. Use the community of resources and peers to help you on your way.

Want to learn more about how Duo Security helps customers on their MFA journey? Sign up for a free trial today!

World-renowned DJ Graffiti’s longstanding relationship with Duo Security has been a conduit for cultivating a remote work culture through intentionality, inclusivity and authenticity. DJ Graffiti, aka Martin Smith, has been a key part of Duo’s family since the beginning. His deep care for team members and alignment with Duo’s eclectic, kinder than necessary culture has grown despite the world’s rapid transition to remote work. DJ Graffiti shares his journey, and team members reflect on what makes DJ Graffiti such an important part of what makes Duo, Duo.

DJ + Marketing = DJ Graffiti

DJ Graffiti has always had an entrepreneurial spirit and love of music. He studied marketing and computer and information systems at the University of Michigan (U of M). Sophomore year, his passion for music and friendships with other emerging DJs led him to build his own crate of records and equipment. By graduation, he was DJing parties and bars and clubs downtown, crafting his identity as a DJ and marketer.

After studying entertainment law at U of M Law School, Smith’s interests in DJing and marketing dovetailed. Companies wanted to reach the people attending his events, which led him to sponsorships and brand launches. In his first ten years as a DJ, Smith opened for legendary artists including Beyoncé, Jay-Z and Snoop Dogg.

However, Smith realized that the travel of DJ life wasn’t for him, a self-described, “calm, kind of Midwestern lifestyle person.” Instead of DJing multiple nights a week, he leaned into his other love of marketing — social media — which was blowing up at the time, especially for musicians. “Everybody from a business perspective was saying, ‘How do we do what these music artists are doing?’” To answer that question, Smith started a marketing and music management company with some partners. Smith took over sole ownership of the marketing arm and rebranded as Overflow, the agency he’s run since 2014.

Right place, right time, right vibes

As fate would have it, Smith’s company’s first office was the birthplace of Duo Security: the Northern Brewery Building. To get a desk, Duo co-founder Dug Song was the person to talk to, “Dug Song’s a very welcoming person, always very kind, and loves community and just talking to people.”

A hallmark of the shared space were Beer:30 gatherings on Fridays, where Smith watched Duo grow from five to 500 people, soon needing a DJ: “I had been around the whole time. Both Dug and co-founder Jono were big hip hop heads; I was a hip hop DJ. We all connected and bonded over that.” Global Events Manager Emily Boring was a main collaborator with Smith, and together they brainstormed how to plan memorable, meaningful events.

Greetings, Duo! Meet me on the dance floor

Boring remembers the first event she and Smith worked on. A holiday party in 2016 at Necto in Ann Arbor, it was “a smashing success, especially thanks to Martin. People danced all night! The fun never stopped.”

The partnership continued for all Ann Arbor events, including family picnics which Smith made fun for adults and children alike. Photographer Doug Coombe was a major partner in capturing those memories and took all the photographs included in this post.

For Ann Arbor’s 2017 holiday party, a stage was built over Revel & Roll’s bowling lanes and featured otherworldly visitors. Smith production managed the event and DJed for a few hours before Duo’s resident DJ and employee, Selina Style, took the stage.

Then, an alien voice blared over the speaker, inviting everyone to the dancefloor. “Ten-foot robots came out and danced with the employees with huge saber lights,” Boring shared. DJ Selina Style announced one more surprise: “that’s when Redman came running out to the stage and played an entire show. Everyone literally freaked out. It was one of the best nights of our lives, and I could not have pulled it off without Martin by my side,” said Boring.

DJ Graffiti has supported Duo through many changes like when Duo was acquired by Cisco. The night before the acquisition celebration, the venue lost power. The all-day 100+ person event held in July’s Michigan humidity ran on back-up generators. Storms started in the middle of DJ Graffiti’s outdoor set but he continued inside by candlelight. “It was one of the craziest days of my life, and I could not have gotten through it without Martin. He kept reassuring me that everything was going to be alright — and it was, even in the most unforeseen circumstances,” Boring remembered.

It all goes back to culture

What keeps Smith coming back to co-create innovative Duo events? “Duo has some really cool, eclectic people who have diverse taste in music. Duo has always been a company where culture was important.”

The way DJ Graffiti resonates with and contributes to Duo’s culture is deeply felt. “DJ Graffiti is tailor-made for every Duo event — he embodies one of the most important core Duo values, which is inclusion for everyone. His sets are perfect, as they are full of feel-good music from every genre and culture,” shares IT Support Manager Frank Erve.

Sr. Product Manager Deidre Ellis puts it this way: “DJ Graffiti is a treasure, and he really embodies what Duo culture is all about — taking care of each other, taking care of yourself, finding the fun in life, and ultimately being kinder than necessary. He really makes us feel #TogetherAtHome.”

Tapping into Duo’s remote company culture

While running Overflow, Smith considered DJing “a really well-paying hobby” which he did once or twice a week at most. Then COVID-19 hit.

Smith “was determined not to fight against the change, but to go with the flow of it and look for opportunities within it.” Duo was the very first company he DJed with virtually. Since then, he’s done many virtual events, “One constant throughout that whole process is being able to tap back in with my Duo family. It's like coming home.”

As a new, fully remote employee, Ellis wasn’t sure what to expect when DJ Graffiti emceed her very first virtual Duo Lightning talk (monthly teamwide Duo meeting). “Not only did DJ Graffiti speak from the heart, but he made sure to lift up everyone in the room while he did it. It really gave me a taste of what Duo culture was going to be like, and Duo has lived up to it!”

Smith explains, “A lot of companies say, ‘We’re like a family,’ but then hard times come and you see them do things that don’t feel like what family would do to family. And so, the way everybody would treat each other, the diversity of people who I would see at Duo, all of those things fit really well with my own personal values and what I enjoy being around.”

See the video at the blog post.

When fostering remote work culture becomes a mission

Smith recalled a transformational Duo event early on in the pandemic with DJ Jazzy Jeff: “It shaped how I view a lot of what I'm doing right now, and the value of what I’m bringing to the table.

The scheduled event ended up being within a month of George Floyd’s passing. Employees questioned the timing of a virtual celebration but due to DJ Graffiti and DJ Jazzy Jeff’s emphasis on the healing power of music, the event was one of the most meaningful yet.

It went on in a very healing way and has shaped what I’m doing right now. We don’t ignore what’s going on. For a company like Duo Security that prides itself on being kinder than necessary, everybody needs to be able to fill themselves up because you can't pour from an empty cup.

Boring recalled the event’s impact this way: “DJ Graffiti has always been such an authentic artist. He always speaks his truth. We were able to learn together, grow together and have a safe space to heal together. DJ Graffiti reminded us that despite all the hardships, it was still important to celebrate our wins together — to fill up our cups so that we can be strong and continue to protect those who need us most.”

How to build remote company culture

While challenging at first, Boring has ensured virtual events maintain key Duo elements. There is always an ASL Interpreter, closed captions and recordings available for those who can’t join live. “I also strive to make sure most events are kid-friendly since there are some that could be watching from home.”

DJ Graffiti advises engaging people during virtual events by having them be part of the process, which for him includes taking live song requests via chat. Boring shares that this has “contributed to an overall sense of togetherness. Martin has a way of recognizing everyone in the room and making sure every single person is having a good time.”

Executive In Residence Ash Devata affirms, “DJ Graffiti's energy is contagious. What I personally appreciate is his preparation and attention to detail about small things that are specific to our people at Duo. Whether it’s the talk track he has before and between songs or the animated backgrounds he selects, it always felt personal and joyful. His hosting not only brought the Duo people together, but it also invited family members of our employees to take part in our celebration. It’s very cool and inclusive.”

Smith describes his mission as “Spreading joy, spreading love and doing that through sessions that involve music. Duo means so much to me, because I know for a fact that I wouldn't be in this career as it stands right now, if it weren't for Duo Security opening that door. So, I’m so grateful, and so thankful, and always excited to participate.”

Join us

If you want to be part of a vibrant remote work culture where inclusivity, passion and community are valued, check out Duo’s open roles.

In the fall of 2021, the Federal Trade Commission (FTC) announced a change. The Safeguards Rule, designed to protect customer financial data, would be expanded to include non-financial institutions that engage in financial transactions. This includes auto dealerships, which have historically only been subject to a patchwork collection of regional legislation dictating cybersecurity measures.

So, what does this expansion of the FTC’s Safeguards Rule mean for auto dealerships? Most importantly, it means they must be in compliance with several new rules to protect consumer information by December 2022. And one of the few security technologies that is specifically called out by the FTC is multi-factor authentication (MFA).

What is the FTC’s Safeguards Rule?

In 1999, Congress passed the Gramm-Leach-Bliley Act (GBLA) that established the 2002 Safeguards Rule. The Safeguards Rule enhanced the regulatory power of the FTC and led to new requirements for financial institutions, including the development, implementation, and maintenance of an information security program to prevent unauthorized access to sensitive customer information.

In the past, the Safeguards Rule has been vague and offered flexibility in compliance. However, after public comment and further research, the FTC released the updated Safeguard Rule with amendments in order to keep up with technological change, respond to current cybersecurity threats, and establish more concrete guidelines.

What do these changes mean for the auto industry?

More than 90% of Americans live in a household with a car, and many families rely on a car as their key mode of transportation. That means purchasing a car is a big decision for most and can involve a lot of research and investment. From a practical, and emotional perspective, a trip to an auto dealership is often a big moment in our lives.

When a customer puts their trust in a dealership, they expect the company to not only help them find the best car that fits their lifestyle and needs, but also protect their personal information. In fact, according to a 2021 CDK Global Survey, 84% of consumers said they would not go back to a dealership and buy another vehicle if their data had been compromised.

Similarly, auto dealerships are focused on protecting financial data. In the same survey of 135 dealerships, 85% of dealers claimed that cybersecurity is important compared to other operational areas. However, one challenge in the industry has been the lack of clear security and privacy requirements that all dealerships must follow across the country.

The FTC’s amendments to the Safeguards Act changes all of that. Previous legislation – including the New York State Department of Financial Services cybersecurity regulations in 2017 and California Consumer Privacy Act in 2018 – established guidelines for protecting consumer information that could only be enforced on a regional level. But the Safeguards Act sets a national standard, outlining what a reasonable information security program looks like.

And according to the FTC, a key component of these programs is MFA.

How does MFA fit into an information security program?

Multi-factor authentication helps security teams control access to sensitive data. When an MFA solution is deployed, in addition to a username and password, employees with access to sensitive data will need another means of verification to make sure they are who they say they are. For example, after a Duo Security user logs into their account, Duo push pops up on their phone confirming that the right person is accessing the right account.

For companies that are new to this technology, it can seem intimidating. Duo understands this and keeps users in mind by focusing on ease of use through multiple authentication methods.

Compliance made simple

Auto dealerships have a lot on their plate, with cars being sold before they even hit the lot. When other priorities emerge, security can take a backseat. Duo recognizes that new and complex compliance regulations can lead to additional burdens and wants to make it easier for dealerships to focus on what they do best - sell and service vehicles. Duo is easy to use, integrates with diverse and complex IT systems, and can be deployed in minutes. With the deadline for compliance with the FTC’s Safeguards Act fast approaching, Duo is here to help.

To learn more, read our Two-Factor Authentication Evaluation Guide or start your free trial today.

Employees deserve safe and easy access to on-premises applications so they can stay productive, no matter where they are working from – an office, a dentist office, coffee shop, home, or any other place with a reliable Internet connection. Cyber threats can come from anywhere – they don’t just originate from “outside” corporate perimeters. Insiders can also pose a threat, unknowingly or purposefully. Adopting zero-trust security principles for network access is imperative to reduce risk of data exposure and breaches.

Many organizations are familiar with virtual private networks (VPNs), particularly during the COVID-19 pandemic when they had to rapidly enable remote access at scale. However, there are some challenges with exclusive reliance on VPNs.

The alternative to VPNs – a remote access proxy that mediates the connection between the client and application – is less common. Nevertheless, VPN-less solutions are gaining momentum due to their benefits over traditional VPNs. These benefits include reducing complexity by not requiring network segmentation, providing a fast and consistent user experience when accessing applications, easing onboarding of both the direct workforce and third-party users by not requiring a VPN setup, and employing strong zero-trust security principles for application access.

However, adoption of a VPN-less secure remote access solution varies by industry, an organization’s knowledge, skills, and comfort level with configuring and managing the solution, and cultural factors including executive buy-in. Organizations moving to this model might even take an iterative approach that considers such factors as account refresh schedules, major business projects, early adopter groups, and business criticality. Certain organizations will implement a VPN-less model for certain applications to start with. They might test and adopt VPN-less access for certain applications and in certain business groups within their organization.

Realistically, VPNs will continue to be used for certain use cases, like when users are required to be on managed devices or if they are authorized to access the entire network. For use cases where there is a need to enforce application-specific access and to enable contractors and other temporary workers on unmanaged devices to access private applications, VPN-less access will likely be used.

This blog post serves as a high-level guide for what to look for in a secure remote access solution that doesn’t require a VPN.

What to look for in a VPN-less secure remote access solution

While specifics will vary by an organization’s needs, the following list contains some key criteria to look for in a VPN-less secure remote access solution.

An ideal solution should:

• Be based on an inherently closed, zero-trust based security model, and enforce user and device checks before granting access to private applications and resources

• Easily scale as additional employees are either onboarded or offboarded and need flexibility to work either onsite or remotely in a typical work week

• Support unmanaged devices, whether for direct or third-party employees. Consider this: Per a report by Verizon, almost half (49%) of enterprise devices are being used without any managed update policy. According to the same report, about 40% of organizations surveyed said they had experienced a mobile-related compromise. 

• Be purpose-built for hybrid infrastructures – cloud and on-premises

• Allow for flexible deployment (either hosted by the vendor or self-managed)

• Enable secure access to web applications, secure shell (SSH) services and TCP services such as remote desktop protocol (RDP), all of which are commonly used by remote employees but also vulnerable to cyberattacks.

Comparing VPN and VPN-less approaches for secure remote access

There is a difference between a VPN and a VPN-less based zero-trust architecture with regards to the type of access granted to end users. Inherently, a VPN-based approach is open for access to a subset of the network, whereas a zero-trust architecture is inherently closed, with access granted to one individual application at the time of access.

Traditional remote access with a VPN-based approach

As illustrated in the diagram above, traditional remote access with a VPN works as follows. The requesting user on a particular device will need to authenticate to the VPN client with their credentials. If approved, the VPN tunnel allows the user to access any application on the network. In the example above, the user has access to all protected company resources through the VPN, including the company’s Customer Relationship Management (CRM), the Human Resources (HR) site and employee directory. VPNs are based upon an inherently open security model that doesn’t by default grant access to only a specific application on the internal corporate network.

Modern remote access with a VPN-less approach

As illustrated in the diagram above, modern remote access without a VPN, such as with adoption of Duo Network Gateway, works as follows. The requesting user on a particular device will need to authenticate to Duo, where we check the user and device health. If that user passes both of those policy checks, the Duo Network Gateway will only allow direct access to the specific application the user is authorized for – in this case the employee directory that was requested. This VPN-less remote proxy solution is based on an inherently closed security model – one that is centered on zero-trust security principles.

In summary, moving to a new modern remote access approach doesn’t mean you would replace VPNs everywhere, but rather that you can gradually and purposefully transition towards moving away from VPNs when and where it makes sense for your business. Understanding the differences between these approaches will empower you as you plan your organization’s security strategy for secure remote work.

Ready to try out a VPN-less approach to network security?

To learn how Duo helps organizations secure remote access with or without VPNs, visit the Duo Remote Access page.

Want to try Duo free for 30 days? Just sign up for a trial.

Raphael Kappos is not afraid to tell you his secret weapon is laziness.

Not the ordinary kind, but the kind that makes the senior technical support engineer a top performer on his team at Duo Security — the kind that breathes life into the old cliché of working smarter, not harder.

“The work efficiencies Raphael has created help him close more support cases than pretty much anyone else,” said Kevin Chan, Kappos’ supervisor at Duo, which is part of Cisco Secure.

Kappos’ job is to help customers solve technical problems, and his approach to hacking his workload has both technological and philosophical components.

“When you’re washing clothes,” he said, “you don’t wash one T-shirt, then dry it, then fold it, then put it away, then start on the trousers. You do a whole load all at once. I try to take this approach with support cases as much as possible.”

This often means reading through an entire queue of cases, then methodically knocking out the straightforward ones while letting his subconscious percolate on the more complex issues.

On the technical side, Kappos is a superuser of a browser plug-in that lets one create two- and three-letter shortcuts for frequently used phrases and explanations.

For example, typing “lmk” drops the following into an email: “Please let me know if this helps. Have a great day! Kind regards,”

Chan points out just how quickly such small efficiencies can add up:

The shortcuts — which can draw on a library of snippets for greetings, links to support articles, answers to frequently asked questions and closings — might save a technical support engineer as much as five minutes per email.

“If they handle 10 cases a day, that’s 50 minutes,” Chan said. “If that allows each TSE to do one extra case a day, that’s like adding one or two additional full-time staff.”

Yet while most support engineers who use the plug-in typically draw on a dozen or two of these shortcuts day-to-day, Kappos has created a custom library of some 700.

But since most of these timesavers are mapped to the mental catalog of cases he’s worked, they’re highly personalized and would be hard for anyone else to simply adopt: A question gets asked. Neurons fire. A previous answer is recalled. A shortcut springs to mind.

“What it really helps with is support fatigue,” Kappos said.

That is, answering the same question over and over and over can wear on engineers. And with every repetition, the replies tend to become almost robotic, infused with less energy and less detail, he adds.

“This way, my response is as good as it was the first time,” Kappos said. “And if I learn something new, the snippets can be updated.”

Duo technical support engineer Raphael Kappos in front of the Sydney Opera House

Many little problems to solve

Kappos, who was born in South Africa and came to Duo’s Sydney, Australia-based support team by way of Greece and the U.K., knew he wanted to work for the company after helping to set up the multi-factor authentication solution for customers at a previous job.

“I was amazed by Duo’s documentation,” he said. “It was very detailed and easy to read. And it wasn’t behind a paywall!”

Kappos describes himself as “technical, but not super-duper technical.”

“I kind of have the reverse of the Dunning-Kruger effect — I know how much I don’t know,” he said. “So, with my limited expertise, I was impressed how easy Duo was to set up and how accessible the documentation was.”

As for that laziness, it was hard-earned, Kappos noted.

“Making laziness work for me involved critical lessons before it was effective and valuable laziness,” he said.

At previous jobs, he would visit a customer, fix whatever was wrong and then leave.

“I often got called back to fix the same thing again for free, as I had neglected to show the customer that it was fixed, how it was fixed and have them replicate it with me there so they could see it was fixed,” Kappos said. “I quickly learned that taking a lazy shortcut without doing things properly is not effective laziness. It just means you need to do things again and this is more work than doing something, once, properly.”

This feedback loop of ensuring customers know that an issue has been resolved and how it has been resolved, is something he has carried forward into his current role.

“What I like about support is that we have many little problems to solve,” he said. “You have many little challenges and rewards each day, which I personally find very motivating. This also minimizes the emotional impact of the occasional failures, and prepares the mind better to learn from them and turn them into future successes.”

Come learn with us

Does the idea of collaborating with a creative team on a daily basis sound exciting to you? Check out Duo’s current open roles.

As an advisory CISO and part of Cisco’s strategy group, an essential part of my role is talking to CISOs from every kind of organization. From these conversations, it is clear cyber liability insurance is steadily rising to the top of the agenda, due to the sheer amount and scale of cyber-attacks hitting firms.

As well as talking to CISOs, I also believe it is crucial to get perspectives from all sides. So, on a recent webinar, I sat down with Darren Thomson, Head of Cyber Intelligence Services at CyberCube, a firm that provides data-driven cyber risk analytics for the insurance industry. The conversation gave me plenty of food for thought and provided fresh perspectives that feed into my goal of making CISOs more successful. Here are my key takeaways.

Hard market woes

Unsurprisingly, insurance has become a ‘hard market’ over the past three or four years, meaning that premiums have increased (by 96% in Q3 2021 in the US as reported by the World Economic Forum) while capacity has decreased across the board. Some organizations have found it nigh-on impossible to get policies to cover their businesses, and those that manage to get coverage have found it to be not only a more complicated process than it was before, but a more expensive one as well.

So, what is the chief contributor to this hard market from a cybersecurity and threat landscape perspective? As we discussed on the webinar, it's undoubtedly our common adversary, ransomware. To quote Darren:

Five or six years ago, ransomware attacks were demanding an average of $500 and going after consumers, rather than enterprises. Now that demand can be millions of dollars, even tens of millions of dollars in some cases. The general sophistication, the tactics, techniques and procedures utilized by the criminal gangs, all of that has driven insurers to harden the market and to be in a situation where they really want to understand what the risk of ransomware is to their potential client before they underwrite a policy.

So how do insurers get hold of that kind of insight?

Signalling opportunities

Because cyber liability insurance is still one of the newer kids on the block, originating from the post dot-com bubble, there is a distinct dearth of information for insurers and reinsurers to draw from when devising an underwriting strategy for a cyber liability insurance policy. This is compared to, say, catastrophe insurance which can use data from 200+ years' worth of earthquakes.

To overcome this, many insurers, including Lloyd's of London, rely on ‘signals’ - enormous amounts of raw data that are smashed together and served to underwriters to inform their decision making. These signals will tell them two things about a firm. The first is the level of their maturity when it comes to security, and the second is how exposed they are/how likely they are to experience a breach. Because of this, it is crucial firms take their cyber hygiene seriously.

As well as assisting underwriters to create policies, signals can also provide a goldmine of information for a CISO, alerting them to information they don’t know about their firm; things that could be heeded in order to implement the right controls to bring security maturity levels up and make an organization more resilient. Which brings us to the next point…

The right controls

Luckily, there is no ‘secret recipe’ that insurers have invented when deciding on what kind of controls they look for. Firms offering cyber liability insurance are taking heed of well-known practices that have been formed over the past 10-20 years, such as the Cyber Essentials, NIST, ISO 27001, and the Mitre ATT&CK frameworks.

And as is the case with all these best practice guidelines, it all comes down to being able to demonstrate a structured security programme and making sure that you're addressing issues like ransomware very clearly with a cyber hygiene plan in place. This kind of plan should cover the following:

• What your company expects an attack might do

• How your company can respond to it

• Knowledge of the defences that have been put in place to show visibility and control (particularly around network ports like RDP and FTP – huge red flags to insurers)

• The extent to which you understand your hardware estate:

  • How many devices you have

  • What their current state is

  • How you run your patching programme to reduce or limit the risk

  • How you manage to map those against some of the aforementioned basic standards (NIST, Cyber Essentials, etc.)

This all sounds logical… but one or two of these could prove to be sticking points for many firms, as demonstrated in some of our recent research.

The value of visibility

Our latest Security Outcomes Study, where we explore some of the concerns that CISOs have and what they think would help them best, showed that nearly 40% of over 5,100 IT professionals in 27 countries thought they had outdated technology in their organization. When it comes to trying to get cyber liability cover, that kind of scenario is going to be incredibly difficult to defend to an insurer.

The same study also showed that the probability of maintaining business resilience doesn’t improve until business continuity and disaster recovery capabilities cover at least 80% of critical systems. Anything less and it starts to become very difficult to prove a firm has an adequate level of visibility and control. Having this information at hand will go far in any discussion with an insurer. It shows that a firm is actually aware of the risks, mitigating them wherever possible, and that they are making sure that they can defend their organization.

Ultimately, having the tools in place to demonstrate a firm has seriously considered its security posture will go a long way to ensuring they get optimal cover at a reasonable rate. As Darren excellently summarized on our webinar - those who approach cyber liability insurance without comprehensive visibility and control is like someone driving a Fiat 500 and having the broker determine that they need a policy worth half a million dollars to cover it. You don’t want to be in that boat…or car!

Want to see how Duo can help improve visibility and control?

To experience the difference that Duo can make when it comes to security and visibility in your organization, sign up for a 30-day trial today.

Or, check out some additional resources we’ve compiled, like:

• Cyber Liability Insurance: What You Need to Know, a helpful guide for organizations considering cyber insurance

• An overview of Duo’s device visibility features

• Documentation for the Duo Device Health Application